QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2
SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA
JANUARY 27, 2013
Introduction
Amazon Virtual Private Cloud (VPC) allows you to create a private network that resembles a
traditional network except that it is hosted in the Amazon Web Services Cloud (AWS). Vyatta
can provide Internet connectivity using Amazon’s Elastic Public IP address. Figure 1 illustrates
how Vyatta can be used to connect two separate VPCs or to connect to a VPC from another
location over a VPN tunnel.
This document is a quick start guide that describes the basic steps to create a single Amazon
VPC with Vyatta running in Amazon EC2 as an instance launched from an Amazon Machine Image (AMI).
For a more detailed user guide refer to the current Vyatta documentation at
http://www.vyatta.com/download/documentation.
NOTE: This document assumes that you have signed up for an Amazon Web Services account (or
an Amazon EC2 account).
Figure 1: A Private Cloud hosted in Amazon Web Services Cloud using Amazon VPC
The two main steps to instantiate Vyatta within the Amazon Web Services Cloud consist of:
a. Use the Amazon VPC menu to create your VPC by choosing a Public and a Private
IP address subnet for your network that will be hosted within the Amazon Cloud.
b. Use the Amazon EC2 menu to spin up a virtual instance of Vyatta and hook it
into the VPC that was created in Step A.
NOTE: Both the VPC and the EC2 have to exist in the same region.
Create the VPC
The creation of the VPC consists of the following steps:
a. Select a CIDR IP address block for your Private network
b. Create a subnet within this address block
c. Create an Internet Gateway for your VPC and associate it with the VPC
d. Create a default route pointing to the Internet Gateway in the ‘Main’ routing table and
associate the route table with the IP subnet that it was created for
1. Log in to the AWS Management Console with your Amazon Web Services account (or EC2
account) credentials and select ‘VPC’ from the menu of services.
2. Select a region to create a VPC (US West shown in this example).
NOTE: Do not use the quick start Wizard since it creates a VPN with an Amazon EC2 instance.
3. Select the IP addressing scheme for your VPC in this section. In this example:
4. Click on ‘Your VPCs’ under ‘Virtual Private Clouds’ and click on ‘Create VPC.’
5. Enter the CIDR block for your VPC and click ‘Yes, Create.’
This creates a VPC with a 10.8.0.0/16 CIDR block.
6. Next, select ‘Subnets’ under ‘VIRTUAL PRIVATE CLOUDS’ and click on ‘Create Subnet.’
7. This creates a private subnet (10.8.0.0/24 in this example) within the VPC.
8. Select ‘Internet Gateway’ and create a gateway. An Internet gateway is created for this VPC
(10.8.0.0/16).
9. Attach the Gateway to the VPC. Note the Gateway ID, which will be used to create the
default route later.
10. Select Route Tables and create a default route for this VPC. The ‘Target’ is the Internet
Gateway ID that was created earlier. Click ‘add’ to add the default route into the table.
11. Under the same route table, click on the ‘Associations’ tab and associate the route table
with the subnet it was created for.
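The addressing and routing choices made in steps a to d above can be checked before anything is created in the console. The script below is an added example, not part of the original guide and not Vyatta or Amazon tooling: it validates a VPC plan offline with Python's standard `ipaddress` module, using the guide's 10.8.0.0/16 block together with the 10.8.0.0/24 subnet and the 10.8.1.0/24 subnet mentioned later for a second interface. The resource IDs are placeholders, and the plan dictionary is a constructed stand-in for what you would otherwise read back from the console or CLI.

```python
import ipaddress

# Constructed plan mirroring this guide: the 10.8.0.0/16 VPC, its 10.8.0.0/24 subnet, and the
# optional 10.8.1.0/24 subnet used later for a second interface. Resource IDs are placeholders.
PLAN = {
    "vpc_cidr": "10.8.0.0/16",
    "internet_gateway": "igw-PLACEHOLDER",
    "subnets": {
        "subnet-PLACEHOLDER-a": "10.8.0.0/24",
        "subnet-PLACEHOLDER-b": "10.8.1.0/24",
    },
    "route_table": {
        "routes": [
            {"destination": "10.8.0.0/16", "target": "local"},
            {"destination": "0.0.0.0/0", "target": "igw-PLACEHOLDER"},
        ],
        "associations": ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
    },
}


def _network(cidr, label, findings):
    """Parse a CIDR block; a block with host bits set (e.g. 10.8.0.1/24) is reported, not silently masked."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        findings.append(f"{label}: invalid CIDR block {cidr!r} ({exc})")
        return None


def validate_plan(plan):
    """Return a list of findings; an empty list means the plan is internally consistent."""
    findings = []
    vpc = _network(plan["vpc_cidr"], "VPC", findings)
    if vpc is None:
        return findings
    # AWS accepts VPC and subnet blocks between /16 and /28.
    if not 16 <= vpc.prefixlen <= 28:
        findings.append(f"VPC block {vpc} must be between /16 and /28")

    # Steps a and b: every subnet must sit inside the VPC block and be an allowed size.
    subnets = {}
    for sid, cidr in plan["subnets"].items():
        net = _network(cidr, sid, findings)
        if net is None:
            continue
        subnets[sid] = net
        if not net.subnet_of(vpc):
            findings.append(f"{sid} ({net}) lies outside the VPC block {vpc}")
        if not 16 <= net.prefixlen <= 28:
            findings.append(f"{sid} ({net}) must be between /16 and /28")

    # Subnets inside one VPC must not overlap each other.
    ids = sorted(subnets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} ({subnets[a]}) overlaps {b} ({subnets[b]})")

    # Step d: the default route must point at this VPC's Internet Gateway ...
    rt = plan["route_table"]
    defaults = [r for r in rt["routes"] if r["destination"] == "0.0.0.0/0"]
    if not defaults:
        findings.append("route table has no 0.0.0.0/0 default route")
    for route in defaults:
        if route["target"] != plan["internet_gateway"]:
            findings.append(
                f"default route targets {route['target']}, not the VPC's gateway {plan['internet_gateway']}"
            )
    # ... and the route table must be associated with every subnet that needs Internet reachability.
    for sid in subnets:
        if sid not in rt["associations"]:
            findings.append(f"{sid} is not associated with the route table and has no path to the Internet Gateway")
    for sid in rt["associations"]:
        if sid not in plan["subnets"]:
            findings.append(f"route table is associated with unknown subnet {sid}")
    return findings


if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Run it against the plan you intend to build; a subnet typed with host bits set, a default route pointing at a gateway from another VPC, or a subnet that was never associated with the route table each produce a finding, and those are exactly the mistakes that leave the Vyatta instance unreachable after launch.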
Launch Vyatta in the EC2
The creation of the Vyatta instance in EC2 consists of the following steps:
a. Select the Vyatta image to launch
b. Select the image size and subnet (VPC) that will contain this Vyatta instance
c. Select the number of interfaces on the Vyatta router (one in this example)
d. Assign a unique name to identify this instance
e. Create a new security group with rules that allow ICMP and SSH to the Vyatta instance
1. To create a Vyatta instance in the EC2 Cloud, click on the ‘AMIs’ link under ‘Images’ section
of the left navigation pane. Search for Vyatta with the options as shown below (Private
Images, All Platforms, Vyatta). Once the ‘Vyatta’ Virtual Machine (VM) is running it can be
associated with the VPC created earlier to provide firewall, NAT, VPN, and routing features
as shown in Figure 1 above.
Note: Do not use the ‘Launch Instance’ wizard to instantiate a ‘Vyatta’ AMI instance.
2. Select the desired Vyatta image and click ‘Launch.’
3. Select an instance size that is appropriate for the estimated workloads to run on this Vyatta
instance (micro is not supported). Launch the instance into the subnet (10.8.0.0/24) of the VPC
that was created above. Click ‘Continue.’
4. Create the Vyatta instance with one interface and select the IP address to be auto-assigned.
Additional interfaces can be added later.
5. Click ‘Continue’ with the default storage device options.
6. Select a name for the AMI.
7. Select the option to ‘Create a new Key Pair.’ Download the key pair and use it to ‘ssh’ into
the instance once the Vyatta instance is up and running.
8. Create a new Security Group and add rules to allow ‘SSH’ access to the Vyatta instance.
Consider restricting the access to a trusted set of hosts. In this example, the Security Group
contains rules to allow ‘SSH’ and ‘ICMP’ to the Vyatta instance. Click ‘Continue.’
9. Review the AMI details and click ‘Launch.’
10. Create a new Elastic IP, which is the Public IP that is required for external connectivity to
this Vyatta instance. Click on ‘Elastic IP’ and associate it with the newly created Vyatta
instance. Select the Vyatta instance and click ‘Yes, Associate.’ The Vyatta instance has only
one interface, the primary interface, and that is the interface associated with the Elastic IP.
The Elastic IP will now show the association to the Vyatta AMI instance in this VPC.
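Step 8 above recommends restricting SSH to a trusted set of hosts rather than opening it to the world. The example below is added here and is not part of the original guide: it places the open rule set beside the restricted one and gives a small Python audit that flags administrative access from outside a trusted range, plus a lock-out check confirming the trusted hosts can still reach the instance. The rule dictionaries follow the IpPermissions shape of `aws ec2 describe-security-groups` output but are constructed for this example, and 203.0.113.0/24 is a documentation-range placeholder standing in for your management network.

```python
import ipaddress

# Placeholder for the administrators' source network (RFC 5737 documentation range).
TRUSTED_ADMIN_CIDR = "203.0.113.0/24"

# Constructed inbound rule sets in the IpPermissions shape used by
# `aws ec2 describe-security-groups`. ICMP uses FromPort/ToPort -1 for "all types".
OPEN_SG = {
    "GroupName": "vyatta-open",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# The same two services, reachable only from the trusted management range.
RESTRICTED_SG = {
    "GroupName": "vyatta-restricted",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": TRUSTED_ADMIN_CIDR}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": TRUSTED_ADMIN_CIDR}]},
    ],
}


def rule_allows(rule, proto, port):
    """True if an inbound rule permits `port` over `proto`; IpProtocol "-1" means all traffic."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    return lo == -1 or lo <= port <= hi


def _sources(rule):
    """Source CIDR blocks of a rule as network objects (IPv4 IpRanges only, as in this guide)."""
    return [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]


def audit_inbound(sg, trusted_cidrs, admin_port=22):
    """Flag inbound rules that expose the admin port (SSH) to sources outside the trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in sg["IpPermissions"]:
        for src in _sources(rule):
            if rule["IpProtocol"] == "-1":
                findings.append(f"{sg['GroupName']}: all traffic allowed from {src}")
            elif rule_allows(rule, "tcp", admin_port) and not any(
                src.version == t.version and src.subnet_of(t) for t in trusted
            ):
                findings.append(f"{sg['GroupName']}: tcp/{admin_port} allowed from untrusted source {src}")
    return findings


def admin_reachable(sg, trusted_cidrs, admin_port=22):
    """True if every trusted range is covered by some rule permitting the admin port (lock-out check)."""
    covering = [
        src for rule in sg["IpPermissions"] if rule_allows(rule, "tcp", admin_port) for src in _sources(rule)
    ]
    return all(
        any(t.version == src.version and t.subnet_of(src) for src in covering)
        for t in (ipaddress.ip_network(c) for c in trusted_cidrs)
    )


if __name__ == "__main__":
    for sg in (OPEN_SG, RESTRICTED_SG):
        print(sg["GroupName"], audit_inbound(sg, [TRUSTED_ADMIN_CIDR]) or ["no findings"],
              "admin reachable:", admin_reachable(sg, [TRUSTED_ADMIN_CIDR]))
```

The audit reports the open group's SSH rule and passes the restricted one; the reachability check is the companion test to run before tightening a live group, since a rule set that excludes your own management range locks you out of the only interface the guide uses for SSH.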
Remote access to the Vyatta Instance
A connection to the Vyatta instance using ‘SSH’ can be initiated from the ‘Actions’ menu by providing
the path to the ‘.pem’ file that was downloaded during the key generation:
PuTTY can also be used to establish an ‘SSH’ session to Vyatta. Use PuTTYgen to convert the ‘.pem’ key
to the ‘.ppk’ format. The ‘SSH’ connection can be established either to the public DNS name or to the
Elastic IP created earlier.
Creating an additional interface on Vyatta
1. To create additional interfaces for Vyatta, stop the AMI instance first. Select the ‘Network
Interfaces’ tab and click on ‘Create Network Interface’ to add the second interface in the
appropriate subnet. This interface can be assigned to a different subnet if required
(example 10.8.1.0/24). However, the new subnet will have to be created first.
The security group on the second interface can be left at the default or set to a more restrictive one, since
this interface will not be used to connect to the Vyatta instance; only the primary interface is used for SSH
access.
2. After the interface is created, click on ‘Attach’ to attach this interface to the Vyatta instance.
3. Restart the Vyatta instance after the interface has been attached. The command ‘show interfaces’
on the Vyatta instance will show the second interface that was created.