Skip to content

Latest commit

 

History

History

720-client-vpn

Overview

Setup and configure the AWS client Virtual Private Network (VPN) in the org-sagebase-transit account.

alt text

Setup AWS client VPN

We setup the AWS client VPN leveraging routes that were created by the transit gateway configuration.

Setup IDP

We federate users to the VPN with Jumpcloud SSO which allows users to login to the VPN with their Jumpcloud credentials. This will also allow us to manage VPC access thru Jumcploud user groups.

Setup Jumpcloud

We need to setup two SSO apps in jumpcloud because it does not support multiple ACS URLs. We need one SSO for the VPN connection and another one for the VPN self service portal.

Follow instructions to create a certificate using easy-rsa then import the certifcate to the AWS certificate manager

Create a transitvpn SSO app for VPN access:

  • SP Entity ID: urn:amazon:webservices:clientvpn
  • ACS URL: http://127.0.0.1:35001
  • Enable Declare Redirect Endpoint option
  • IDP URL: https://sso.jumpcloud.com/saml2/transitvpn
  • Attributes: FirstName=firstname, LastName=lastname, NameID=email
  • Enable Group Attributes option and set it to memberOf

Create a transitvpnssp SSO app for the VPN self service portal access:

  • SP Entity ID: urn:amazon:webservices:clientvpn
  • ACS URL: http://127.0.0.1:35001
  • Enable Declare Redirect Endpoint option
  • IDP URL: https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml
  • Attributes: FirstName=firstname, LastName=lastname, NameID=email
  • Enable Group Attributes option and set it to memberOf

Setup AWS SAML Providers

After setting up Jumpcloud SSO we can let org-formation deploy the _tasks.yaml file which will create the AWS SAML providers.

VPN Management

Setup Jumpcloud User Groups

The AWS VPN is integrated with Jumpcloud SSO. We can use JC to manage user group access to VPCs. The first step is to create JC user groups.

To create JC user groups:

  • Login to JC with admin role
  • Create a new JC User Group
  • Associate the new user group to JC SSO apps transitvpn and transitvpnssp alt text
  • Associate JC users to the user group.

Continue to the next section to setup VPN authorization for the newly created JC user group.

Configure VPN authorization

Once the JC user groups have been created we need to configure the VPN to allow the JC user groups access to specific VPCs.

Create a PR in this repo with the following changes to _tasks.yaml:

  1. Add a new entry to the Vpn.TemplatingContext.TgwSpokes dictionary.
  2. The CIDR is the VPC IP address that the VPN should allow access to.
  3. The AccessGroup value(s) must match a Jumpcloud defined User Group. This allows the Jumpcloud user group(s) access to a VPC defined by its CIDR.
  4. Review and merge PR

Once merged and deployed the VPN routes will be updated to route traffic from the hub VPC to the spoke VPCs. It will also allow the JC user groups authorization to access the VPC. Now the JC user group should have full access to resources in the VPC.

Note:

  • VPN users may get disconnected on this VPN update, the VPN client app should automatically reconnect once the operation is complete.
  • It is recommended to only add one VPC at a time which means you should split up your PRs to add one spoke VPC per PR.
  • The ServerCertificateArn parameter value should be the certificate that was created by easy-rsa and imported into the AWS cerfiticate manager.

VPN User Workflow

VPN users must use a VPN client to access cloud resources

  • Login to the Sage IT VPN portal
  • Download the VPN client configuration file
  • Download the AWS Client VPN application
  • Install and run the client VPN app
  • Load the configuration file into the VPN client:

File -> Manage Profiles -> Add Profile -> select the downloaded configuration file -> Add Profile -> Done

  • Now use the VPN client to connect

Once connected you should have access to cloud resources. Access to resources is managed in Jumpcloud with User Groups.

Contributions

Contributions are welcome.

Requirements:

  • Install pre-commit app
  • Clone this repo
  • Run pre-commit install to install the git hook.

Testing

As a pre-deployment step we syntatically validate our sceptre and cloudformation yaml files with pre-commit.

Please install pre-commit, once installed the file validations will automatically run on every commit. Alternatively you can manually execute the validations by running pre-commit run --all-files. Please install pre-commit, once installed the file validations will automatically run on every commit.

Issues

Secrets

  • We use the AWS SSM to store secrets for this project. Sceptre retrieves the secrets using a sceptre ssm resolver and passes them to the cloudformation stack on deployment.