aws:vpc-inbound-routing-single-interface

VPC Inbound Routing Single Interface

VPC Inbound Routing Single Interface

This deployment allows the use of a VyOS instance to control access to an Apache instance via VPC inbound routing. With this deployment you can still use the public IP or EIP to access the Apache instance. I also have a multiple interface version of this available. I am also working on creating a CloudFormation template that will deploy this.

AWS, Routing, VyOS

Requirements

You will need access to an AWS account that grants you permissions to be able to make and modify the following;

VPC
Subnets
Route tables
Internet Gateway
Security Group
Instances from community AMIs or AWS Marketplace

Deployment Rundown

Create VPC
Create two subnets and configure to auto assign public IPs
Create three route tables
Create IGW
Associate public subnet with outbound public route table
Associate filtered public subnet with filtered public route table
Associate VPC edge with inbound IGW route table
Add 0.0.0.0/0 route to outbound public route table pointing to IGW
Configure Security Group to allow inbound traffic from Apache instance (or filtered public subnet) and management IPs
Launch VyOS instance in public subnet and associate security group (EIP can be used if desired)
Disable Source / Destination check on VyOS instance
Add 10.0.1.0/24 route to inbound IGW route table pointing to VyOS instance
Add 0.0.0.0/0 route to filtered public route table pointing to VyOS instance
Launch test instance in filtered public subnet, associate security group, and verify connectivity (EIP can be used if desired)
Access VyOS instance and create firewall rule to test limiting access to test instance

Known Issues / Limitations

Below is a list of known issues and limitations with this implementation.

This works for me and has only been tested in my environment
Minimal error checking is being used
Installation, deployment, and configuration are done manually
Only a single availability zone is used, but this can be easily expanded to multiple AZs
No automated failover / recovery and been designed

Diagram

Download diagram

Security Group Configuration

In this deployment a single security group was used. The security group was self referencing and allowed all traffic between members of the security group and a few other ports for management and testing.

Direction	Protocol	Port	Source / Destination
Inbound	Any	*	Security Group
Inbound	TCP	22	Management IP
Inbound	TCP	80	Management IP
Inbound	TCP	443	Management IP
Outbound	Any	*	0.0.0.0/0

VyOS Configuration

The following configuration was used for testing that inbound traffic to the Apache server was passing through the VyOS instance.

configure
set firewall name to_filtered default-action 'accept'
set firewall name to_filtered rule 100 action 'drop'
set firewall name to_filtered rule 100 destination address '10.0.1.0/24'
set firewall name to_filtered rule 100 destination port '80'
set firewall name to_filtered rule 100 protocol 'tcp'
set firewall name to_filtered rule 100 source address '50.60.70.80/32'
set interfaces ethernet eth0 firewall in name 'to_filtered'
commit
save

CloudFormation Template

The following CloudFormation template can be used to deploy a VPC inbound routing test environment in US-East-1 or US-East-2. Other regions will work if the template is modified to include the mapping for the VyOS free community edition AMI. The template will configure the VyOS instance to block HTTP traffic to the filtered public subnet and enable outbound NAT for a private subnet that is also created. There are also options to deploy test HTTP servers in either, or both, the filtered public subnet and the private subnet.

https://files.nerdydrunk.info/cloudformation-templates/cfn-template-vpc-inbound-routing-vyos-single-az.yaml