
🛡 AWS VPN Site to Site with Static Route

Author: gasida.cloudnet@


AWS Document Link
  • Site-to-Site VPN User Guide
  • Site-to-Site VPN Network Administrator Guide
  • VYOS User Guide


1. AWS VPN Site to Site with Static Route


1.1 AWS Site-to-Site VPN

  • AWS Site-to-Site VPN (S2S VPN) is a secure connection between an Amazon VPC network and an external network (e.g. a corporate network).
  • Key terms
    • VPN connection: the secure connection between the on-premises device (e.g. a corporate VPN appliance) and the Amazon VPC
    • VPN tunnel: an encrypted link over which the AWS VPC network and the on-premises network exchange traffic
      • Two tunnels are provided for high availability
    • Customer gateway: the AWS-side record describing the on-premises device (e.g. a corporate VPN appliance)
      • Created so that the AWS VGW can be configured against it (e.g. it holds the public IP of the on-premises VPN device)
    • Customer gateway device: the on-premises device itself (e.g. a corporate VPN appliance) or a software application
  • Limitations: IPv6 traffic is not supported on a VGW-based connection, and Path MTU Discovery is not supported over an AWS VPN connection (→ set the tunnel MTU explicitly; the VYOS config in section 3 uses mtu 1436 on the vti interfaces)

1.2 How AWS S2S VPN works

  • It runs on an AWS VGW or a TGW

AWS VGW (= Virtual Private Gateway)

AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled.png

AWS Transit GW (= Transit Gateway)

AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%201.png

  • An S2S VPN connection has two tunnels, and a separate public IP address is used for each tunnel.

    • The VGW provides two tunnel endpoints, one per tunnel

    • By default the IPsec tunnels (and BGP sessions) are initiated from the customer side (CGW): AWS answers IKE but does not start it, so the CGW must be configured to bring both tunnels up

    • For high availability, both tunnels must be configured.

    • In particular, during scheduled AWS maintenance on the VGW the tunnels are taken down one at a time

      → 🚧 When the author was operating an AWS VPN as well, Tunnel 1 and Tunnel 2 went down, a short time apart, between the 26th and 28th of every month

    • The AWS S2S VPN SLA is 99.95%. → At 99.95%, about 5 min 2 s of downtime per week (roughly 21 min 36 s per 30-day month) stays within the contract, which is the budget for maintenance-related deactivation and the like…

      AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/_2020-05-07__2.01.22.png
      See https://uptime.is/

  • The CGW (= customer gateway) is the physical or software appliance on the customer side.

    • If the CGW is a single device, configure two logical tunnel interfaces on it and connect them to AWS VPN Tunnel 1 and Tunnel 2

      AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%202.png

  • Routing between the two sides can be Static or Dynamic (BGP).


1.3 S2S VPN architecture

  • AWS VGW --(S2S VPN)-- IDC (CGW)

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%203.png

  • AWS TGW --(S2S VPN)-- IDC (CGW): a Transit Gateway (TGW) instead of a VGW is the endpoint that terminates the VPN connection

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%204.png

  • Multiple S2S VPN connections: a setup in which several customer VPN networks are connected

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%205.png

  • High availability through redundant S2S VPN connections

    • Option 1: when the CGW is a redundant pair that works active-standby rather than as a cluster, connect the two CGWs through two separate VPN connections

      • Create two VPN connections on the AWS side, one per customer device (a VPC can have only one VGW attached, so both connections terminate on the same VGW), with each CGW advertising the internal network over BGP

        AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%206.png

    • Option 2: when the two CGWs form a redundant pair that operates as a cluster (logically one device), connect both tunnel endpoints of a single VPN connection to it

      • Create only one VPN connection on the VGW and connect it to the customer's logically single firewall (two physical firewalls)

      AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%207.png


1.4 VPN Performance

  • A single VGW tunnel provides up to 1.25 Gbps of throughput

    → With ECMP on a TGW, traffic can be spread across several tunnels to raise the aggregate throughput



2. AWS VPN Site to Site with Static Route Lab Preview


2.1 Lab Topology

  • An AWS environment is built in the Seoul Region and a (simulated) IDC environment in the Singapore Region

    • In reality the IDC side is an ordinary corporate physical network, not AWS, but for convenience the lab builds it in AWS as well
  • Seoul Region: an AWS VGW is deployed and a test EC2 instance is placed in the Public Subnet

  • Singapore Region (IDC): a VYOS instance (community AMI) plays the VPN device role and a test EC2 instance is placed in the Private Subnet

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%208.png

💡 VYOS was chosen for the VPN role because it is Linux (Debian) based and provides routing, firewall and VPN functions. Reference link


2.2 Basic setup

  • The AWS Regions used in this lab are Seoul and Singapore. Create an EC2 Key Pair in each of these Regions
  • The resources in the Seoul and Singapore Regions are built automatically by CloudFormation according to the figure in 2.1 (done in 2.3)

2.3 CloudFormation (Infrastructure as Code)

Create a CloudFormation stack in the Singapore Region.
  • Step 1, Specify template
    • Prepare template: Template is ready
    • Template source: Amazon S3 URL
    • Amazon S3 URL: https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/VPN/gasida_vpn_idc1.yaml
      • Click Next at the bottom right
  • Step 2, Specify stack details
    • Stack name: VPN-IDC
    • KeyName: select your own EC2 Key Pair
      • Click Next at the bottom right
  • Step 3, Configure stack options
    • Click Next at the bottom right
  • Step 4, Review
    • Click Create stack at the bottom right
After the stack in the Singapore Region has been created (about 5 minutes), note the value (IP) of VYOSInstancePublicIP in the Outputs tab.

AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/_2020-05-06__1.32.13.png

Create a CloudFormation stack in the Seoul Region.
  • Step 1, Specify template
    • Prepare template: Template is ready
    • Template source: Amazon S3 URL
    • Amazon S3 URL: https://s3.ap-northeast-2.amazonaws.com/cloudformation.cloudneta.net/VPN/gasida_vpn_aws.yaml
      • Click Next at the bottom right
  • Step 2, Specify stack details
    • Stack name: VPN-AWS
    • KeyName: select your own EC2 Key Pair
    • StaticRoutesOnlyForVPN: true ← the AWS VPN and the IDC VPN will be connected with static routes, not BGP
    • VPCAWSCustomerGatewayIP: 54.255.135.113 ← the VYOSInstancePublicIP value from the Singapore stack's Outputs above (this becomes the public IP of the CGW)
      • Click Next at the bottom right
  • Step 3, Configure stack options
    • Click Next at the bottom right
  • Step 4, Review
    • Click Create stack at the bottom right
  • The resources created by CloudFormation are listed below; check that they were created successfully in each Region.
Singapore: infrastructure created by CloudFormation
- VPC, 2 Subnets, IGW, 2 Route tables
- EIP, VYOS EC2 instance (eth0, eth1)
- Amazon Linux 2 EC2 instance (for testing)
Seoul: infrastructure created by CloudFormation
- VPC, 2 Subnets, IGW, 2 Route tables
- VGW, CGW, VPN Connection
- EIP, Amazon Linux 2 EC2 instance (for testing)

💡 In practice, when connecting to an AWS VGW, the VPN device in the IDC (e.g. VYOS) is usually configured by the IDC network (or security) engineer, so developers may find parts of the lab below hard to follow. The VYOS-related and IDC1-related settings were therefore collapsed under '▶︎' toggles in the original page; expand them when you need the detail, and otherwise focus on the AWS VPN settings.


2.4 Verification

  • From your PC, SSH to the public IP of the Singapore VYOS instance. Then finish the VYOS interface setup.

    • Enter VYOS configuration mode (conf), set the eth1 IP (see the stack output VYOSInstanceINTERNALPrivateIP), then commit and save.

    • From VYOS, ping and SSH to the test EC2 instance in the Private Subnet. Login: root / qwe123

      # SSH to VYOS using the VYOSInstancePublicIP value from the stack outputs
      ssh -i 'EC2-Key-Pair.pem' vyos@54.255.135.113
      ..

      # This AMI leaves the eth1 IP unset by default
      vyos@ip-10-100-1-19:~$ show interfaces
      Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
      Interface        IP Address                        S/L  Description
      ---------        ----------                        ---  -----------
      eth0             10.100.1.19/24                    u/u
      eth1             -                                 u/u
      ..

      # Enter VYOS configuration mode (conf), set the eth1 IP, then commit and save
      vyos@ip-10-100-1-19:~$ conf
      vyos@ip-10-100-1-19# set interfaces ethernet eth1 address 10.100.100.210/24
      vyos@ip-10-100-1-19# commit
      vyos@ip-10-100-1-19# save
      vyos@ip-10-100-1-19# exit

      # Ping from VYOS to the EC2 instance on the internal subnet
      vyos@ip-10-100-1-19:~$ ping 10.100.100.252
      PING 10.100.100.252 (10.100.100.252) 56(84) bytes of data.
      64 bytes from 10.100.100.252: icmp_seq=1 ttl=255 time=0.600 ms
      ..

      # Confirm SSH from VYOS to the EC2 instance on the internal subnet
      vyos@ip-10-100-1-19:~$ ssh root@10.100.100.252
  • From your PC, SSH to the EIP of the Seoul EC2 instance. Login: root / qwe123

    ssh root@15.165.117.201
  • Note that it takes a little while for the CloudFormation resources to come up, so wait before testing.

💡 Before starting the main lab, be aware that Site-to-Site VPN resources incur a small charge (a VPN connection is billed per hour, e.g. $0.05 per hour).
See the pricing link for details.



3. Configuration Site to Site VPN


3.1 Check the VPN information in the Seoul Region

  • Note the outside IP and the inside IP CIDR of VPN Tunnel 1 and Tunnel 2.

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%209.png


3.2 Download the customer gateway device configuration from the Seoul Region, then apply the VPN config to VYOS in the Singapore Region

  • 💁🏻‍♂️ What is the configuration download? AWS generates the VPN settings for the customer VPN device (per vendor) that will connect to the AWS VGW

  • Select [AWS VPN - Site-to-Site VPN Connections - Download Configuration], choose Generic, and download

  • Using the values from the downloaded config file, fill in the sample VYOS VPN Config below and apply it on VYOS. Two things to keep in mind: the Generic file describes AWS's minimum proposal (AES128, SHA1, DH group 2), while the tunnel options also accept AES256, SHA2 and DH groups 14 and above, which is what a production link should negotiate; and the two pre-shared keys authenticate the tunnels, so treat the filled-in config as a secret and do not commit it to a repository.

Sample VYOS VPN Config
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'

set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '10'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'

set vpn ipsec site-to-site peer '<Tunnel #1 Virtual Private Gateway outside IP>' authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer '<Tunnel #1 Virtual Private Gateway outside IP>' authentication pre-shared-secret '<Tunnel #1 Pre-Shared Key>'
set vpn ipsec site-to-site peer '<Tunnel #1 Virtual Private Gateway outside IP>' description 'VPC tunnel 1'
set vpn ipsec site-to-site peer '<Tunnel #1 Virtual Private Gateway outside IP>' ike-group 'AWS'
set vpn ipsec site-to-site peer '<Tunnel #1 Virtual Private Gateway outside IP>' local-address '<VYOS eth0 private IP (not the EIP)>'
set vpn ipsec site-to-site peer '<Tunnel #1 Virtual Private Gateway outside IP>' vti bind 'vti0'
set vpn ipsec site-to-site peer '<Tunnel #1 Virtual Private Gateway outside IP>' vti esp-group 'AWS'

set interfaces vti vti0 address '<Tunnel #1 Customer Gateway inside IP address (169.254.x.x/30)>'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'

set vpn ipsec site-to-site peer '<Tunnel #2 Virtual Private Gateway outside IP>' authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer '<Tunnel #2 Virtual Private Gateway outside IP>' authentication pre-shared-secret '<Tunnel #2 Pre-Shared Key>'
set vpn ipsec site-to-site peer '<Tunnel #2 Virtual Private Gateway outside IP>' description 'VPC tunnel 2'
set vpn ipsec site-to-site peer '<Tunnel #2 Virtual Private Gateway outside IP>' ike-group 'AWS'
set vpn ipsec site-to-site peer '<Tunnel #2 Virtual Private Gateway outside IP>' local-address '<VYOS eth0 private IP (not the EIP)>'
set vpn ipsec site-to-site peer '<Tunnel #2 Virtual Private Gateway outside IP>' vti bind 'vti1'
set vpn ipsec site-to-site peer '<Tunnel #2 Virtual Private Gateway outside IP>' vti esp-group 'AWS'

set interfaces vti vti1 address '<Tunnel #2 Customer Gateway inside IP address (169.254.x.x/30)>'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'

set protocols static interface-route '<AWS VPC CIDR to be reached over the VPN>' next-hop-interface 'vti0'
set protocols static interface-route '<AWS VPC CIDR to be reached over the VPN>' next-hop-interface 'vti1'

commit
save
VYOS VPN Config with the lab values filled in → paste it into VYOS conf mode
conf
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'

set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '10'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'

set vpn ipsec site-to-site peer '13.209.231.134' authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer '13.209.231.134' authentication pre-shared-secret 'bIben5l33KgXpzShJdwNKlO3rG3ryq01'
set vpn ipsec site-to-site peer '13.209.231.134' description 'VPC tunnel 1'
set vpn ipsec site-to-site peer '13.209.231.134' ike-group 'AWS'
set vpn ipsec site-to-site peer '13.209.231.134' local-address '10.100.1.19'
set vpn ipsec site-to-site peer '13.209.231.134' vti bind 'vti0'
set vpn ipsec site-to-site peer '13.209.231.134' vti esp-group 'AWS'

set interfaces vti vti0 address '169.254.191.154/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'

set vpn ipsec site-to-site peer '15.164.154.116' authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer '15.164.154.116' authentication pre-shared-secret 'abs4CQtJ63ryaw9KaFiix12_us7Vje.r'
set vpn ipsec site-to-site peer '15.164.154.116' description 'VPC tunnel 2'
set vpn ipsec site-to-site peer '15.164.154.116' ike-group 'AWS'
set vpn ipsec site-to-site peer '15.164.154.116' local-address '10.100.1.19'
set vpn ipsec site-to-site peer '15.164.154.116' vti bind 'vti1'
set vpn ipsec site-to-site peer '15.164.154.116' vti esp-group 'AWS'

set interfaces vti vti1 address '169.254.213.202/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'

set protocols static interface-route '10.50.0.0/16' next-hop-interface 'vti0'
set protocols static interface-route '10.50.0.0/16' next-hop-interface 'vti1'

commit
save
exit
  • Diagram of the VPN tunnels, interfaces and IP addresses

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%2010.png
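The transcription step above (download the Generic file, copy its values into the template) can be scripted. The following is an added example written for this page; it is not the page author's code, nor AWS or VyOS tooling. It parses a constructed excerpt that copies the field labels of the Generic download (`IPSec Tunnel #N`, `Pre-Shared Key`, `Outside IP Addresses`, `Inside IP Addresses`, `Virtual Private Gateway`, `Customer Gateway`) and prints the per-tunnel `set` lines of the template. The IP addresses are the lab values from this page, the pre-shared keys are placeholders, and the exact labels and spacing of a real download should be checked against the regexes. It also flags the Generic file's minimum proposal (SHA1, DH group 2) as something to raise via AWS tunnel options before production use.

```python
"""Generate the per-tunnel VYOS lines from the AWS "Generic" config download.

Added example; not part of the original page, nor AWS or VyOS code. The
GENERIC_CONFIG excerpt below is CONSTRUCTED to follow the field labels of the
Generic file; IPs are the page's lab values, PSKs are placeholders.
"""
import re
from dataclasses import dataclass

GENERIC_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLE-PSK-TUNNEL-1
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Diffie-Hellman           : Group 2
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 54.255.135.113
!   - Virtual Private Gateway  : 13.209.231.134
! Inside IP Addresses
!   - Customer Gateway         : 169.254.191.154/30
!   - Virtual Private Gateway  : 169.254.191.153/30
! IPSec Tunnel #2
! #1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLE-PSK-TUNNEL-2
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Diffie-Hellman           : Group 2
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 54.255.135.113
!   - Virtual Private Gateway  : 15.164.154.116
! Inside IP Addresses
!   - Customer Gateway         : 169.254.213.202/30
!   - Virtual Private Gateway  : 169.254.213.201/30
"""


@dataclass
class Tunnel:
    number: int
    psk: str
    vgw_outside: str   # IKE/ESP peer: the VGW's public tunnel endpoint
    cgw_inside: str    # our end of the 169.254.x.x/30, configured on the vti
    vgw_inside: str    # AWS end of the /30, the address pinged in section 4.2
    ike_hash: str
    ike_enc: str
    dh_group: str


def _field(block: str, label: str) -> str:
    """Value of the first '- <label> : <value>' line inside block."""
    m = re.search(r"-\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", block, re.M)
    if not m:
        raise ValueError(f"field {label!r} not found")
    return m.group(1)


def parse_generic(text: str) -> list:
    """Split the file per 'IPSec Tunnel #N' block and pull out the values the
    VYOS template needs. 'Customer Gateway' occurs in both the Outside and the
    Inside section, so each section is sliced out before searching."""
    parts = re.split(r"! IPSec Tunnel #(\d+)", text)
    tunnels = []
    for num, block in zip(parts[1::2], parts[2::2]):
        o, i = block.index("Outside IP Addresses"), block.index("Inside IP Addresses")
        outside, inside = block[o:i], block[i:]
        tunnels.append(Tunnel(
            number=int(num),
            psk=_field(block, "Pre-Shared Key"),
            vgw_outside=_field(outside, "Virtual Private Gateway"),
            cgw_inside=_field(inside, "Customer Gateway"),
            vgw_inside=_field(inside, "Virtual Private Gateway"),
            ike_hash=_field(block, "Authentication Algorithm"),
            ike_enc=_field(block, "Encryption Algorithm"),
            dh_group=_field(block, "Diffie-Hellman"),
        ))
    return tunnels


def render_vyos(tunnels: list, local_address: str, remote_cidr: str) -> list:
    """The per-tunnel 'set' lines of the page's template. local_address is the
    VYOS eth0 private IP, not the EIP (AWS sees the EIP after 1:1 NAT, so IKE
    detects NAT and uses NAT-T). remote_cidr is the AWS VPC range."""
    lines = []
    for t in tunnels:
        vti = f"vti{t.number - 1}"
        peer = f"set vpn ipsec site-to-site peer '{t.vgw_outside}'"
        lines += [
            f"{peer} authentication mode 'pre-shared-secret'",
            f"{peer} authentication pre-shared-secret '{t.psk}'",
            f"{peer} description 'VPC tunnel {t.number}'",
            f"{peer} ike-group 'AWS'",
            f"{peer} local-address '{local_address}'",
            f"{peer} vti bind '{vti}'",
            f"{peer} vti esp-group 'AWS'",
            f"set interfaces vti {vti} address '{t.cgw_inside}'",
            f"set interfaces vti {vti} description 'VPC tunnel {t.number}'",
            f"set interfaces vti {vti} mtu '1436'",
        ]
    # one interface-route per tunnel gives ECMP over vti0/vti1 (section 4.2)
    for t in tunnels:
        lines.append(f"set protocols static interface-route '{remote_cidr}' "
                     f"next-hop-interface 'vti{t.number - 1}'")
    return lines


def legacy_proposal_warnings(t: Tunnel) -> list:
    """The Generic file documents AWS's minimum (AES128/SHA1/DH group 2); AWS
    tunnel options also accept AES256, SHA2-256/384/512 and DH group 14+."""
    warnings = []
    if t.ike_hash.lower() == "sha1":
        warnings.append(f"tunnel {t.number}: IKE integrity sha1, use sha256 or better")
    if re.fullmatch(r"Group\s+2", t.dh_group):
        warnings.append(f"tunnel {t.number}: DH group 2 (1024-bit MODP), use group 14 or higher")
    return warnings


if __name__ == "__main__":
    tunnels = parse_generic(GENERIC_CONFIG)
    for t in tunnels:
        for w in legacy_proposal_warnings(t):
            print("WARNING:", w)
    print("\n".join(render_vyos(tunnels, "10.100.1.19", "10.50.0.0/16")))
```

Redirect the output to a file and paste it into conf mode after the ike-group and esp-group lines of the template. The pre-shared keys appear in clear text in that file, so handle it like a private key.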



4. Verify Site to Site VPN


4.1 Check the VPN information in the Seoul Region

  • Confirm that both VPN tunnels report status UP

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/_2020-05-06__3.26.50.png


4.2 Check the VPN information on VYOS in the Singapore Region

Check the tunnel interfaces (= vti0, vti1), the IPsec SA state, and the routing table
# Check the VYOS virtual tunnel interfaces
$ sh interfaces vti
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti0             169.254.191.154/30                u/u  VPC tunnel 1
vti1             169.254.213.202/30                u/u  VPC tunnel 2

# Confirm ping to the AWS end of each tunnel's inside /30
$ ping 169.254.191.153
64 bytes from 169.254.191.153: icmp_seq=1 ttl=254 time=98.5 ms
$ ping 169.254.213.201
64 bytes from 169.254.213.201: icmp_seq=1 ttl=254 time=102 ms

# Check the VYOS IPsec SA state and the traffic counters of each tunnel
$ show vpn ipsec sa
Connection                     State   Uptime   Bytes In/Out   Packets In/Out   Remote address   Remote ID   Proposal
------------------------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
peer-15.164.154.116-tunnel-vti up      14m12s   0B/0B          0/0              15.164.154.116   N/A         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer-13.209.231.134-tunnel-vti up      14m12s   0B/0B          0/0              13.209.231.134   N/A         AES_CBC_128/HMAC_SHA1_96/MODP_1024

# Check the VYOS routing table: the VPC range behind the AWS VGW is reachable via both vti interfaces (ECMP)
$ sh ip route
..
S>* 0.0.0.0/0 [210/0] via 10.100.1.1, eth0, 02:02:04
S>* 10.50.0.0/16 [1/0] is directly connected, vti0, 00:00:06
  *                    is directly connected, vti1, 00:00:06
C>* 10.100.1.0/24 is directly connected, eth0, 02:02:05
C>* 10.100.100.0/24 is directly connected, eth1, 01:31:39
C>* 169.254.191.152/30 is directly connected, vti0, 00:17:41
C>* 169.254.213.200/30 is directly connected, vti1, 00:17:41
..
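Section 1.2 says AWS takes the tunnels down one at a time during maintenance, so the check worth automating on VYOS is whether both tunnels are up, not whether some tunnel is up. The following added example (not code from the page, from AWS or from VyOS) parses the `show vpn ipsec sa` table shown above. `SA_BOTH_UP` is the page's own output; `SA_ONE_DOWN` is a constructed variant with one peer down, and the exact text VYOS prints for a down peer is an assumption. The two VGW outside IPs are the lab's.

```python
"""Alert when either AWS tunnel is down, from 'show vpn ipsec sa' output.

Added example, not part of the original page. SA_BOTH_UP is the table the page
shows; SA_ONE_DOWN is CONSTRUCTED (the 'down' row format is assumed).
"""
import re

EXPECTED_PEERS = {"13.209.231.134", "15.164.154.116"}  # the two VGW outside IPs

SA_BOTH_UP = """\
Connection                     State   Uptime   Bytes In/Out   Packets In/Out   Remote address   Remote ID   Proposal
------------------------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
peer-15.164.154.116-tunnel-vti up      14m12s   0B/0B          0/0              15.164.154.116   N/A         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer-13.209.231.134-tunnel-vti up      14m12s   0B/0B          0/0              13.209.231.134   N/A         AES_CBC_128/HMAC_SHA1_96/MODP_1024
"""

SA_ONE_DOWN = """\
Connection                     State   Uptime   Bytes In/Out   Packets In/Out   Remote address   Remote ID   Proposal
------------------------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
peer-15.164.154.116-tunnel-vti down    N/A      N/A            N/A              15.164.154.116   N/A         N/A
peer-13.209.231.134-tunnel-vti up      3h02m    1.2M/850K      9123/8877        13.209.231.134   N/A         AES_CBC_128/HMAC_SHA1_96/MODP_1024
"""


def uptime_seconds(text: str) -> int:
    """'3h02m' -> 10920, '14m12s' -> 852; 'N/A' or anything unparsable -> 0."""
    total = 0
    for value, unit in re.findall(r"(\d+)([dhms])", text):
        total += int(value) * {"d": 86400, "h": 3600, "m": 60, "s": 1}[unit]
    return total


def parse_sa_table(text: str) -> dict:
    """{peer_ip: {'state', 'uptime', 'bytes', 'proposal'}} for every
    'peer-<ip>-...' row; the header and separator rows do not match."""
    row = re.compile(r"peer-(\d+\.\d+\.\d+\.\d+)-\S+\s+(\S+)\s+(\S+)\s+(\S+)"
                     r"\s+\S+\s+\S+\s+\S+\s+(\S+)")
    sas = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            ip, state, uptime, byte_io, proposal = m.groups()
            sas[ip] = {"state": state, "uptime": uptime_seconds(uptime),
                       "bytes": byte_io, "proposal": proposal}
    return sas


def tunnels_not_up(text: str, expected=EXPECTED_PEERS) -> list:
    """Peers that are absent from the table or not in state 'up'. A missing
    row counts as down: a peer whose IKE never completed may not be listed."""
    sas = parse_sa_table(text)
    return sorted(ip for ip in expected if sas.get(ip, {}).get("state") != "up")


def recently_restarted(text: str, within_seconds: int = 600) -> list:
    """Peers that are up but came up less than within_seconds ago, i.e. a
    tunnel that just flapped (the staggered maintenance restarts of 1.2)."""
    sas = parse_sa_table(text)
    return sorted(ip for ip, sa in sas.items()
                  if sa["state"] == "up" and sa["uptime"] < within_seconds)


def health(text: str) -> tuple:
    """(ok, messages) for a cron job: ok only when both tunnels are up."""
    down = tunnels_not_up(text)
    msgs = [f"tunnel to {ip} is DOWN" for ip in down]
    msgs += [f"tunnel to {ip} restarted recently" for ip in recently_restarted(text)]
    return (not down, msgs)


if __name__ == "__main__":
    for name, sample in (("both up", SA_BOTH_UP), ("one down", SA_ONE_DOWN)):
        ok, msgs = health(sample)
        print(name, "OK" if ok else "ALERT", msgs)
```

Feed it the output of `show vpn ipsec sa` from a scheduled job and alert whenever `health()` returns `ok=False`; a single tunnel being up is exactly the state the page warns will occur during AWS maintenance, and it leaves no redundancy.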

4.3 Configure the route table of the Singapore internal subnet

[VPC - Route Tables] select the VPCIDC1 VYOS Internal Subnet Route Table, then [Edit routes] and add
  • Destination 10.50.0.0/16, Target Network Interface → the VYOS eth1 ENI, then save. For VYOS to forward this traffic, Source/destination check must be disabled on its network interfaces; the CloudFormation template is assumed to have done that.

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/_2020-05-06__3.42.10.png


4.4 Configure the route table of the Seoul subnet

  • [AWS VPN - Site-to-Site VPN Connections - Static Routes (bottom tab)] Edit, add 10.100.0.0/16, save

  • [VPC - Route Tables] select the VPCAWS Subnet Route Table, then [Edit route propagation]

    • Tick Propagate for the VGW and save

      AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/_2020-05-06__3.44.45.png


4.5 ์ „์ฒด ๋ผ์šฐํŒ… ์ƒํƒœ ํ™•์ธ

  • ์„œ์šธ Region ๊ฒฝ์šฐ ์‹ฑ๊ฐ€ํด VPC๋Œ€์—ญ์ธ 10.100.0.0/16 ์„VGW ๋กœ ๋ณด๋ƒ„

    โ†’ ์ดํ›„ VGW ๋Š” VPN Tunnel ์„ ํ†ตํ•ด VYOS eth0 ์œผ๋กœ ๋ณด๋ƒ„

  • ์‹ฑ๊ฐ€ํด Region ๊ฒฝ์šฐ ๋‚ด๋ถ€๋Œ€์—ญ(10.100.100.0/24)์—์„œ ์„œ์šธ VPC๋Œ€์—ญ์ธ 10.50.0.0/16 ์„ VYOS eth1 ์œผ๋กœ ๋ณด๋ƒ„

    โ†’ ์ดํ›„ VYOS๋Š” 10.50.0.0/16 ์„ vti0, vti1 ์ฆ‰ VPN Tunnel ์„ ํ†ตํ•ด VGW ๋กœ ๋ณด๋ƒ„

    AWS%20VPN%20Site%20to%20Site%20with%20Static%20Route%2078d272b9998c46a4875aa9c090b80ccf/Untitled%2011.png
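To make the two-direction requirement of steps 4.3 to 4.5 concrete, here is an added example (not the page's code, nor any AWS tool) that models the four route tables with longest-prefix matching and traces a packet each way. The table and next-hop names (`seoul-subnet-rt`, `vgw`, `vpn-tunnel`, `vyos-eth1`) are labels chosen for the model, the VGW is reduced to its static route plus the attached VPC, and the propagated route is written into the Seoul table by hand. The last call shows the failure mode of skipping step 4.3: the ping from Seoul reaches the IDC instance, but the reply has no route.

```python
"""Trace the forward and return path through the lab's route tables.

Added example, not part of the original page. Table and next-hop names are
labels chosen for this model, not AWS identifiers.
"""
import ipaddress

# (destination CIDR, next hop); 'local' means delivered on-link.
ROUTES = {
    # Seoul: VPCAWS subnet route table after route propagation (4.4)
    "seoul-subnet-rt": [("10.50.0.0/16", "local"),
                        ("0.0.0.0/0", "igw"),
                        ("10.100.0.0/16", "vgw")],      # propagated from the VGW
    # Seoul: the VGW, reduced to the VPN static route (4.4) and its VPC
    "vgw": [("10.50.0.0/16", "local"),
            ("10.100.0.0/16", "vpn-tunnel")],
    # Singapore: VYOS routing table (section 4.2 'sh ip route')
    "vyos": [("10.100.1.0/24", "local"),
             ("10.100.100.0/24", "local"),
             ("10.50.0.0/16", "vti0|vti1"),               # ECMP over both tunnels
             ("0.0.0.0/0", "eth0")],
    # Singapore: VPCIDC1 internal subnet route table (4.3)
    "idc-private-rt": [("10.100.0.0/16", "local"),
                       ("10.50.0.0/16", "vyos-eth1")],
}

# Which table handles the packet after each next hop.
HANDOFF = {"vgw": "vgw", "vpn-tunnel": "vyos", "vti0|vti1": "vgw", "vyos-eth1": "vyos"}


def lookup(table, dst):
    """Longest-prefix match over a list of (cidr, next_hop); None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(start_table, dst, routes=ROUTES, max_hops=8):
    """Follow dst from start_table until it is delivered ('local'), has no
    route (next hop None), or leaves the modelled network (no HANDOFF)."""
    path, table = [], start_table
    for _ in range(max_hops):
        next_hop = lookup(routes[table], dst)
        path.append((table, next_hop))
        if next_hop is None or next_hop == "local" or next_hop not in HANDOFF:
            return path
        table = HANDOFF[next_hop]
    raise RuntimeError("routing loop")


def round_trip_ok(routes=ROUTES):
    """Both directions must be routed, or the ping from Seoul gets no reply."""
    fwd = trace("seoul-subnet-rt", "10.100.100.252", routes)
    ret = trace("idc-private-rt", "10.50.1.80", routes)
    return fwd[-1][1] == "local" and ret[-1][1] == "local"


if __name__ == "__main__":
    print("Seoul -> IDC :", trace("seoul-subnet-rt", "10.100.100.252"))
    print("IDC -> Seoul :", trace("idc-private-rt", "10.50.1.80"))
    # Failure mode: skip step 4.3 and the reply has nowhere to go.
    without_43 = dict(ROUTES, **{"idc-private-rt": [("10.100.0.0/16", "local")]})
    print("without 4.3  :", trace("idc-private-rt", "10.50.1.80", without_43),
          "round trip ok:", round_trip_ok(without_43))
```

Note the first hop: in the Seoul table the destination matches both the default route to the IGW and the propagated 10.100.0.0/16, and the longer prefix wins, which is why propagation (or an equivalent static entry) is needed even though a default route exists.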


4.6 Connectivity check

  • From the Seoul EC2 instance, confirm ping and ssh to the Singapore EC2 instance

    [root@ip-10-50-1-80 ~]# ping -c 1 10.100.100.252
    PING 10.100.100.252 (10.100.100.252) 56(84) bytes of data.
    64 bytes from 10.100.100.252: icmp_seq=1 ttl=254 time=104 ms

    [root@ip-10-50-1-80 ~]# ssh root@10.100.100.252
    root@10.100.100.252's password:
    ..
    [root@ip-10-100-100-252 ~]#
While the ping above is running, watch the ICMP packets pass through VYOS (on the vti and eth1 they are already decrypted, so tcpdump shows the inner addresses)
vyos@ip-10-100-1-19:~$ sudo tcpdump -i any -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
06:57:58.578074 IP 10.50.1.80 > 10.100.100.252: ICMP echo request, id 32561, seq 1, length 64
06:57:58.578456 IP 10.100.100.252 > 10.50.1.80: ICMP echo reply, id 32561, seq 1, length 64


5. Delete Infrastructure

  • Delete the CloudFormation stack in the Singapore Region
  • Delete the CloudFormation stack in the Seoul Region
