quick start guide: vyatta in amazon vpc and ec2
advertisement
QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA JANUARY 27, 2013 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 Introduction Amazon Virtual Private Cloud (VPC) allows you to create a private network that resembles a traditional network except that it is hosted in the Amazon Web Services Cloud (AWS). Vyatta can provide Internet connectivity using Amazon’s Elastic Public IP address. Figure 1 illustrates how Vyatta can be used to connect two separate VPCs or to connect to a VPC from another location over a VPN tunnel. This document is a quick start guide that describes the basic steps to create a single Amazon VPC with an Amazon EC2 Vyatta running as an Amazon Machine Instance (AMI). For a more detailed user guide refer to the current Vyatta documentation at http://www.vyatta.com/download/documentation. NOTE: This document assumes that you have signed up for an Amazon Web Services account (or an Amazon EC2 account). Figure 1 A Private Cloud hosted in Amazon Web Services Cloud using Amazon VPC The two main steps to instantiate Vyatta within the Amazon Web Services Cloud consists of: a. Use the Amazon VPC menu to create your VPC by choosing a Public and a Private IP address subnet for your network that will be hosted within the Amazon Cloud. 1 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 b. Use the Amazon EC2 menu to spin-up a virtual instance of Vyatta and hook it into the VPC that was created in Step A. NOTE: Both the VPC and the EC2 have to exist in the same region. Create the VPC The creation of the VPC consists of the following steps: a.Select a CIDR IP address block for your Private network b. Create a subnet within this address block c. Create an Internet Gateway for your VPC and associate it with the VPC d. Create a default route pointing to the Internet Gateway in the ‘Main’ routing table and associate the route table with the IP subnet that it was created for 1. Login to the AWS Management Console with your Amazon Web Services account (or EC2 account) credentials and selected ‘VPC’ from the menu of services. 2 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 2. Select a region to create a VPC (US West shown in this example). NOTE: Do not use the quick start Wizard since it creates a VPN with an Amazon EC2 instance. 3. Select the IP addressing scheme for your VPC in this section. In this example: 3 JANUARY 27, 2013 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 4. Click on ‘Your VPCs’ under the ‘Virtual Private Clouds’ and Click on ‘Create VPC.’ 5. Enter the CIDR block for your VPC and click ‘Yes, Create’ 4 JANUARY 27, 2013 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 This creates a VPC with a 10.8.0.0/16 CIDR block. 6. Next is to select ‘Subnets’ under ‘VIRTUAL PRIVATE CLOUDS’ and click on ‘Create Subnet.’ 5 JANUARY 27, 2013 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 7. This creates a private subnet within this VPC. 8. Select ‘Internet Gateway’ and create a gateway. An Internet gateway is created for this VPC (10.8.0.0/16). 9. Attach the Gateway to the VPC. Note the Gateway ID, which will be used to create the default route later. 6 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 10. Select Route Tables and create a default route for this VPC. The ‘Target’ is the Internet Gateway ID that was created earlier. Click ‘add’ to add the default route into the table. 11. Under the same route table, click on the ‘Associations’ tab and associate the route table with the subnet it was created for. 7 JANUARY 27, 2013 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 Launch Vyatta in the EC2 The creation of the Vyatta instance in EC2 consists of the following steps: a. b. c. d. e. Select the Vyatta image to launch Select the image size and subnet (VPC) that will contain this Vyatta instance Select the number of interfaces on the Vyatta router (one in this example) Assign a unique name to identify this instance Create a new security group with rules that allow ICMP and SSH to the Vyatta instance 1. To create a Vyatta instance in the EC2 Cloud, click on the ‘AMIs’ link under ‘Images’ section of the left navigation pane. Search for Vyatta with the options as shown below (Private Images, All Platforms, Vyatta). Once the ‘Vyatta’ Virtual Machine (VM) is running it can be associated with the VPC created earlier to provide firewall, NAT, VPN, and routing features as shown in Figure 1 above. Note: Do not use the ‘Launch Instance’ wizard to instantiate a ‘Vyatta’ AMI instance. 8 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 2. Select the desired Vyatta image and Click ‘Launch.’ 3. Select an instance size that is appropriate for the estimated workloads to run this Vyatta instance (micro is not supported). Launch the instance into the VPC that was created above (10.8.0.0/24) subnet. Click ‘Continue.’ 9 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 4. Create the Vyatta instance with one interface and select the IP address to be auto-assigned. Additional interfaces can be added later. 5. Click ‘Continue’ with the default storage device options. 10 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 6. Select a name for the AMI. 7. Select the option to ‘Create a new Key Pair.’ Download the key pair and use it to ‘ssh’ into the instance once the Vyatta instance is up and running. 11 JANUARY 27, 2013 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 8. Create a new Security Group and add rules to allow ‘SSH’ access to the Vyatta instance. Consider restricting the access to a trusted set of hosts. In this example, the Security Group contains rules to allow ‘SSH’ and ‘ICMP’ to the Vyatta instance. Click ‘Continue.’ 9. Review the AMI details and click ‘Launch.’ 12 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 10. Create a new Elastic IP, which is the Public IP that is required for external connectivity to this Vyatta instance. Click on ‘Elastic IP’ and associate it with the newly created Vyatta instance. Select the Vyatta instance and click ‘Yes, Associate.’ There is only one interface on the Vyatta instance which is the Primary Interface that will be associated with the Elastic IP. 13 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 The Elastic IP will now show the association to the Vyatta AMI instance in this VPC. Remote access to the Vyatta Instance Connection to the Vyatta instance using ‘SSH’ can be initiated from the ‘Actions’ menu and by providing the path to the ‘.pem’ file that was downloaded during the key generation: 14 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 Putty can also be used to establish a ‘SSH’ session to Vyatta. Use puTTY.gen to convert the .’pem’ key format to a ‘.ppk’ format. The ‘SSH’ connection can be established either to the public dns or to the elastic IP created earlier. Creating an additional interface on Vyatta 1. To create additional interfaces for Vyatta, stop the AMI instance first. Select the ‘Network Interfaces’ tab and click on ‘Create Network Interface’ to add the second interface in the appropriate subnet. This interface can be assigned to a different subnet if required (example 10.8.1.0/24). However, the new subnet will have to be created first. 15 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 The security group on the second interface can be set to a default or a restricted access since it will not be used to connect to the Vyatta AMI – only the primary interface is used for SSH access. 2. After the interface is created, click on ‘Attach’ to attach this interface to the Vyatta instance. 16 QUICK START GUIDE: VYATTA IN AMAZON VPC AND EC2 JANUARY 27, 2013 3. Restart the Vyatta instance after the interface has been attached. The command ‘show interfaces’ on the Vyatta instance will show the second interface that was created. 17
