Set up and configure the AWS Client Virtual Private Network (VPN) in the org-sagebase-transit account.
We set up the AWS Client VPN leveraging the routes that were created by the transit gateway configuration.
We federate users to the VPN with Jumpcloud SSO, which allows users to log in to the VPN with their Jumpcloud credentials. This also lets us manage VPC access through Jumpcloud user groups.
We need to set up two SSO apps in Jumpcloud because it does not support multiple ACS URLs: one SSO app for the VPN connection and another one for the VPN self-service portal.
Follow the instructions to create a certificate using easy-rsa, then import the certificate into AWS Certificate Manager.
Create a `transitvpn` SSO app for VPN access:
- SP Entity ID: `urn:amazon:webservices:clientvpn`
- ACS URL: `http://127.0.0.1:35001`
- Enable the "Declare Redirect Endpoint" option with IDP URL: `https://sso.jumpcloud.com/saml2/transitvpn`
- Attributes: `FirstName=firstname`, `LastName=lastname`, `NameID=email`
- Enable the "Group Attributes" option and set it to `memberOf`
Create a `transitvpnssp` SSO app for the VPN self-service portal access:
- SP Entity ID: `urn:amazon:webservices:clientvpn`
- ACS URL: `http://127.0.0.1:35001`
- Enable the "Declare Redirect Endpoint" option with IDP URL: `https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml`
- Attributes: `FirstName=firstname`, `LastName=lastname`, `NameID=email`
- Enable the "Group Attributes" option and set it to `memberOf`
After setting up Jumpcloud SSO, we can let org-formation deploy the `_tasks.yaml` file, which creates the AWS SAML providers.
The AWS VPN is integrated with Jumpcloud SSO. We use JC (Jumpcloud) to manage user group access to VPCs. The first step is to create JC user groups.
To create JC user groups:
- Log in to JC with the admin role
- Create a new JC User Group
- Associate the new user group with the JC SSO apps `transitvpn` and `transitvpnssp`
- Associate JC users with the user group
Continue to the next section to set up VPN authorization for the newly created JC user group.
Once the JC user groups have been created, we need to configure the VPN to allow the JC user groups access to specific VPCs.
Create a PR in this repo with the following changes to `_tasks.yaml`:
- Add a new entry to the `Vpn.TemplatingContext.TgwSpokes` dictionary.
- The `CIDR` is the VPC IP address range that the VPN should allow access to.
- The `AccessGroup` value(s) must match a Jumpcloud-defined User Group. This allows the Jumpcloud user group(s) access to the VPC defined by its CIDR.
- Review and merge the PR.
Once merged and deployed, the VPN routes are updated to route traffic from the hub VPC to the spoke VPCs, and the JC user groups are authorized to access the VPC. The JC user group should now have full access to resources in the VPC.
Note:
- VPN users may get disconnected during this VPN update; the VPN client app should automatically reconnect once the operation is complete.
- It is recommended to add only one VPC at a time, which means you should split up your PRs to add one spoke VPC per PR.
- The `ServerCertificateArn` parameter value should be the certificate that was created by easy-rsa and imported into AWS Certificate Manager.
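As an added example (not code from this repo), a small Python check that can be run over a proposed `TgwSpokes` entry set before opening the PR. It assumes the dictionary maps a spoke name to `CIDR` and `AccessGroup` keys; the spoke names, CIDRs and Jumpcloud group names below are constructed.

```python
import ipaddress

# Constructed sample of the Vpn.TemplatingContext.TgwSpokes dictionary.
# The layout (spoke name -> CIDR and AccessGroup) is an assumption based on
# the field names the README mentions, not the repo's real schema.
SAMPLE_SPOKES = {
    "sandbox": {"CIDR": "10.10.0.0/16", "AccessGroup": ["vpn-sandbox"]},
    "scicomp": {"CIDR": "10.20.0.0/16", "AccessGroup": "vpn-scicomp"},
}

# Constructed set of Jumpcloud user group names (assumed values).
KNOWN_GROUPS = {"vpn-sandbox", "vpn-scicomp"}


def _groups(value):
    """AccessGroup may be a single group name or a list of names."""
    return [value] if isinstance(value, str) else list(value or [])


def validate_tgw_spokes(spokes, known_groups):
    """Return a list of human-readable problems; an empty list means the entries look sane."""
    problems = []
    networks = {}
    for name, spoke in spokes.items():
        try:
            net = ipaddress.ip_network(spoke.get("CIDR", ""), strict=True)
        except ValueError:
            problems.append(f"{name}: CIDR {spoke.get('CIDR')!r} is not a valid network")
            continue
        # Overlapping spoke CIDRs would yield conflicting VPN routes.
        for other, other_net in networks.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: CIDR {net} overlaps {other} ({other_net})")
        networks[name] = net
        groups = _groups(spoke.get("AccessGroup"))
        if not groups:
            problems.append(f"{name}: AccessGroup is empty")
        for g in groups:
            if g not in known_groups:
                problems.append(f"{name}: AccessGroup {g!r} is not a Jumpcloud user group")
    return problems


def added_spokes(old, new):
    """Spoke names present in the new dictionary but not the old one (the convention is one per PR)."""
    return sorted(set(new) - set(old))
```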
VPN users must use a VPN client to access cloud resources:
- Log in to the Sage IT VPN portal
- Download the VPN client configuration file
- Download the AWS Client VPN application
- Install and run the client VPN app
- Load the configuration file into the VPN client: File -> Manage Profiles -> Add Profile -> select the downloaded configuration file -> Add Profile -> Done
- Now use the VPN client to connect
Once connected, you should have access to cloud resources. Access to resources is managed in Jumpcloud with User Groups.
Contributions are welcome.
Requirements:
- Install the pre-commit app
- Clone this repo
- Run `pre-commit install` to install the git hook.
As a pre-deployment step we syntactically validate our sceptre and CloudFormation YAML files with pre-commit.
Please install pre-commit; once installed, the file validations will automatically run on every commit. Alternatively, you can manually execute the validations by running `pre-commit run --all-files`.
- We use AWS SSM to store secrets for this project. Sceptre retrieves the secrets using the sceptre SSM resolver and passes them to the CloudFormation stack on deployment.