... This article is not complete and will be continued later ...
We use Amazon Virtual Private Cloud (VPC) to serve our product from Database, Application, Cache, Logstash, Autoscaling and more.
But we have additional requirement where the application has to run in local machine or network of each regions, like diagram below:
The new architecture must support the following rules:
1) Each local computer is accessible through private network.
For example local Jakarta (192.168.123.110) can SSH Local New York with its private IP (126.96.36.199) or local Riyadh (10.20.30.40) can open application in browser by using local Delhi Private IP (10.10.230.10)
2) Application in local computer can access database in local EC2.
**Our database is not open for public, it only can be accessed between EC2 subnet only (private network). we need to create replication and failover DB where the master will be in local but sync automatically to EC2 DB. In case, EC2 is shutdown the application can work or if there is force major issue in local, we still have backup in the cloud and cloud **
3) Application logs need to send to Logstash server
We use logstash to centralize and generate report from application activities, but logstash is not open for public, it only authorize local EC2 subnet
4,5,6 and many more that i dont need to tell all here.
Luckily amazon has provide the concept here, but how to implement that from scratch ?
We need Virtual Private Network (VPN) server that have internet connection for each region include the AWS VPC (we will use EC2 for VPN) and must have static public IP and local IP.
I use openswan to run in ubuntu server as VPN.
apt-get -y update apt-get -y install openswan
if you see pop-up, you can click 'NO' and then 'OK', you don't need to restart after installation
Edit the ip tables by pasting basic codes below (you can edit per requirement)
iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -t nat -A POSTROUTING -j MASQUERADE
Back current ipsec.conf then create new one:
mv /etc/ipsec.conf /etc/ipsec.conf.default vim /etc/ipsec.conf
copy paste basic ipsec.conf below:
version 2.0 config setup protostack=netkey nat_traversal=yes virtual_private= oe=off include /etc/ipsec.d/*.conf
Note: you can strict virtual_private list like %v4:172.16.0.0/12 or %v4:!10.1.1.0/24, but if you not sure, you can leave it blank more detail about ipsec.conf
Create more ipsec configuration in folder ipsec.d. The configuration files below are for connecting Indonesia VPN to EC2, Saudi Arabia, United State and India.
here is the basic configuration:
conn indonesia-to-ec2 type=tunnel authby=secret left=%defaultroute leftid=<current-machine-ip-public> leftnexthop=%defaultroute leftsubnet=<current-machine-subnet>/<cidr> right=<target-ip-public> rightsubnet=<target-subnet>/<cidr> pfs=yes auto=start
conn indonesia-to-ec2 type=tunnel authby=secret left=%defaultroute leftid=188.8.131.52 leftnexthop=%defaultroute leftsubnet=192.168.123.0/24 right=184.108.40.206 rightsubnet=172.30.0.0/16 pfs=yes auto=start
- CIDR is cluster internet domain routing, you can learn more from [wiki](http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
- To get local subnet , you can use ifconfig then find inet address from eth0 or en0 or en1, if you see the diagram, the private ip is 192.168.123.234, then your subnet can be 192.168.123.0/24 or 192.168.0.0/16
After that you need to create all connection configuration to all regions, indonesia-to-saudi-arabia.conf, indonesia-to-united-state.conf, indonesia-to-india.conf
/etc/sysctl.conf and add or edit configuration below:
net.ipv4.ip_forward=1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.eth0.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0
After that run the following orders:
sysctl -p /etc/sysctl.conf ipsec verify
once you run
ipsec verify make sure you will not get any [FAILED] or red warning. Then restart your ipsec
service ipsec restart service ipsec status
You will get 0 tunnel running but your process is already made. Now you have to create the same process to all VPN servers. Once you done, every server will have running tunnels.
If every thing is working correctly, you can ping each VPN server to their local ip.
... to be continued...