Launch an EC2 instance in your Amazon VPC and access it through your office Fortigate firewall
Today I was tasked with setting up a client who had a Fortigate 80C firewall with an IPSEC tunnel (using BGP routing) back to Amazon's datacentre using their VPC solution... the client went out on their own and signed up to Amazon (who can argue at $0.03/hour for a Win2k8 VPS server). Typically this wouldnt be our recommendation as latency is a key factor in network design and the fact the closest Amazon datacentre is in Singapore, (we're in Aus) it's not something we've looked into before.(average latency around 180ms).
At present the only regions capable of launching an EC2 (VPS) instance in the VPC(Virtual Private Cloud) are eastern America (North Virgnia) and western Europe (Ireland). My client originally had their server setup in Singapore (as latency from AU is much better), however this had to be moved to N.Virginia (terminated and reprovisioned) to make use of VPC. Latency to N.Virginia from Sydney sits between 200 and 300ms :(
The set up of the VPN (IPSEC tunnel) from the Fortinet Fortigate 80C unit was pretty much no different to that of a normal IPSEC tunnel, however there are a few key points to note:-
http://developer.amazonwebservices.com/connect/message.jspa?messageID=182651
http://developer.amazonwebservices.com/connect/thread.jspa?messageID=192992
Right now, I'm on a 3G tethered internet connection so can't upload pics just yet - however I will add shortly of what to expect to see in the Fortinet GUI config.
At present the only regions capable of launching an EC2 (VPS) instance in the VPC(Virtual Private Cloud) are eastern America (North Virgnia) and western Europe (Ireland). My client originally had their server setup in Singapore (as latency from AU is much better), however this had to be moved to N.Virginia (terminated and reprovisioned) to make use of VPC. Latency to N.Virginia from Sydney sits between 200 and 300ms :(
The set up of the VPN (IPSEC tunnel) from the Fortinet Fortigate 80C unit was pretty much no different to that of a normal IPSEC tunnel, however there are a few key points to note:-
- The tunnel uses BGP routing (so there for your firewall/router must support this).
- Amazon provide you with 2 x IPSEC configs for failover (where BGP comes into play).. I'm thinking the ADSL2 link on our side will fail before either of the links in the Datacentre, but I can see how it would be handy to a larger enterprise.
- They provide preconfigured CLI scripts for Cisco and JunOS devices, however with Fortinet and other units, you're on your own. Amazon forums were really quite helpful
- You are provided with 169.*.*.* /30 subnets for the IPs on the interfaces on the VPN. You must then advertise your internal subnet to the Amazon routers so routing works. This required a reboot of the Fortigate 80C firewall to get the remote server to recognize the clients office subnet, even though Phase1 and Phase2 of the tunnel were up and the routing table was showing it had picked up the routes being advertised from the Amazon datacentre. The subnet advertised (from the VPC config) came straight up.
- Your Firewall/VPN appliance must be able to establish an 'interface' type IPSEC tunnel as apposed to a policy based IPSEC tunnel (maybe if you created a loopback interface?)
- You do not use NAT on your outbound policies (traffic from the 169.*.*.* subnet will not get to your VPC).
http://developer.amazonwebservices.com/connect/message.jspa?messageID=182651
http://developer.amazonwebservices.com/connect/thread.jspa?messageID=192992
Right now, I'm on a 3G tethered internet connection so can't upload pics just yet - however I will add shortly of what to expect to see in the Fortinet GUI config.
so maybe I spoke too soon? The VPN is up but it seems like the remote host in Amazons EC2 may not be keeping BGP routes. Every 20 -60 seconds pings to the remote host time out, however pings to the 169 address on the other side of the VPC are consistently connected.. I tried setting a static IP on the host and disabling dead peer detection, but so far no joy!
ReplyDelete