Connecting Multiple VPCs with Astaro Security Gateway

To achieve a higher level of availability and redundancy, Amazon Web Services (AWS) customers can deploy their applications and services across multiple regions. While it is simple for Amazon Elastic Compute Cloud (Amazon EC2) instances to communicate with each other across regions over the Internet, enabling cross-region communication within a Virtual Private Cloud (VPC) environment requires additional configuration. While AWS currently does not provide an end-to-end, cross-region VPC connectivity solution, customers can achieve this on their own with third-party virtual private network (VPN) solutions. This whitepaper describes how customers can leverage the Astaro Security Gateway Amazon Machine Image (AMI) to establish cross-region VPC connections between EC2 instances in one region and a VPC virtual private gateway (VGW) in another region.

Details

AWS Products Used: Amazon EC2, Amazon VPC
Created On: October 11, 2012 8:06 PM GMT
Last Updated: September 4, 2013 6:51 PM GMT

Overview

To achieve a higher level of availability and redundancy, Amazon Web Services (AWS) customers can deploy their applications and services across multiple regions. While it is simple for Amazon Elastic Compute Cloud (Amazon EC2) instances to communicate with each other across regions over the Internet, enabling cross-region communication within a Virtual Private Cloud (VPC) environment requires additional configuration. While AWS currently does not provide an end-to-end, cross-region VPC connectivity solution, customers can achieve this on their own with third-party virtual private network (VPN) solutions. This article describes how customers can leverage the Sophos UTM Amazon Machine Image (AMI) to establish cross-region VPC connections between EC2 instances in one region and a VPC virtual private gateway (VGW) in another region.


Figure 1 - High-level cross-region Sophos UTM-to-VGW architecture

Considerations

  1. Sophos UTM is a third-party commercial product with multiple licensing and support options. The functionality described in this document is offered by Sophos UTM in a pay-by-the-hour as well as bring-your-own-license licensing models.
  2. The Sophos UTM EC2 instance is a potential single point of failure. Please see Appendix A for a high-level High Availability design for this component.
  3. This guide assumes you already have two VPCs in separate regions created (or two VPCs within the same region). For instructions on creating VPCs, please see the Amazon Virtual Private Cloud Getting Started Guide.
  4. The VPCs must not have overlapping IP address ranges.
  5. In this scenario, AWS is responsible for managing the Internet gateway and virtual private gateway on behalf of the customer. The customer is responsible for launching and managing the Sophos UTM instance(s) and implementing some sort of HA design if required (see Appendix A for a high-level HA design).
  6. The previous name of the Sophos UTM product was Astaro Security Gateway (or ASG for short). In this scenario, we use Sophos UTM exclusively in the text, but on some screenshots and in some other documentation you may see the name "Astaro Security Gateway". Just remember that both "Astaro Security Gateway" and "Sophos UTM" represent the same product, with "Sophos UTM" being the latest name.

Amazon Virtual Private Network Components

Please reference the Amazon Virtual Private Cloud Network Administrator Guide for complete VPC networking documentation; however, Figure 1 and the following definitions may be helpful for understanding the content of this article:

Virtual Private Gateway (VGW)

A VGW is an egress point from a customer's VPC that will establish a hardware VPN connection with a customer gateway. In this scenario, the VGW will provide VPN connectivity for one VPC, while the Sophos UTM instance will provide connectivity for the other VPC.

Customer Gateway (CGW)

A CGW is the anchor on the customer's side of the VPN connection. In this scenario, it will be the Sophos UTM instance in one VPC, communicating with the VGW in the other VPC.

Sophos UTM Instance

Sophos provides a virtual firewall/VPN appliance called the Sophos Unified Threat Management (UTM) that ships with an out-of-the-box VPC connector. As mentioned above, Sophos UTM provides 64-bit AMIs supporting a pay-by-the-hour as well as bring-your-own-license licensing models.

Internet Gateway (IGW)

The IGW is an egress point from a customer's VPC that will map a public Elastic IP address to the Sophos UTM EC2 instance, allowing the Sophos UTM instance in one VPC to communicate with the VGW in the other region.

VPN Connection

A VPN connection is used to describe the network connectivity that is established between the Sophos UTM EC2 instance and the VGW.

VPN Tunnels

The high-level architecture in Figure 1 shows two lines between the Sophos UTM instance and the VGW because the VPN connection consists of two tunnels. AWS chose this design to provide increased availability for the Amazon VPC service by automatically failing over from one tunnel to the other in the event of an AWS device failure. Sophos UTM automatically configures and manages these tunnels for you.

Cross-Region Setup

In this walkthrough, we will perform the following steps:

  1. Launch a Sophos UTM instance
  2. Create and configure a VGW
  3. Configure the Sophos UTM instance
  4. Configure VPC route tables
  5. Test connectivity

Sophos UTM Instance Setup

In your first VPC (US-East in this example), perform the following steps to launch your Sophos UTM instance:

  1. Launch a Sophos UTM instance in your public subnet (the subnet that routes to the Internet Gateway - igw-xxx). You can launch the Sophos UTM instance directly from the AWS Marketplace, using either a pay-by-the-hour or bring-your-own-license AMI.

    Alternatively, you can search for "sophos" in the Marketplace tab of the EC2 Launch wizard:

    Make sure to associate your instance with an SSH KeyPair - you will need it if you have to change the default port on which Sophos UTM WebAdmin is listening (see Appendix B for more details).

    Additionally, we recommend assigning a static private IP address to the instance to ensure that this gateway's IP address will remain constant.

    Sophos also provides a video guide here. When creating your instance, Sophos recommends that you create a new security group that grants full access to all TCP and UDP ports (for more information, please go to Security Groups in the Amazon Elastic Compute Cloud User Guide). You will also need to make sure you create your instance in a subnet that routes Internet traffic to a VPC Internet gateway.

  2. Disable Source Destination Checking for the instance so that traffic can pass through the instance.

  3. Create an EIP for your Sophos UTM instance and attach it. Note this EIP. You will need it to configure your VPC customer gateway and to log into your Sophos UTM to configure the VPN connection and firewall settings.

VGW Configuration

In the VPC in the other region (US-West in this example), perform the following steps to set up your VGW:

  1. Create a virtual private gateway and attach it to your VPC. For additional instructions on this step, go to Adding a Hardware Virtual Private Gateway to Your VPC in the Amazon Virtual Private Cloud User Guide.

  2. Create a customer gateway using the EIP you created in the previous section for your Sophos UTM instance.

  3. Create a VPN connection between the customer gateway you just created and the virtual private gateway created in step 1.

  4. Once the VPN connection is created, you will need to download the configuration for Sophos UTM.

  5. After you download this configuration file, you will need to modify it by replacing the EIP of your Sophos UTM instance with its private IP. This is required before you can upload the configuration to your Sophos UTM. In the example below, we used a text editor and replaced the EIP of 46.51.200.122 with the internal IP address of 172.16.0.5.

Configure Sophos UTM Instance

  1. Log in to your Sophos UTM instance, and set up the VPN and Firewall connections. Open a web browser and go to https://<Your EIP>:4444/. Note: in some locations, port 4444 may be blocked due to IT security policies. In order to work around this, you will need to change the port on which Sophos UTM WebAdmin is listening for connections. See Appendix B for details on how to do this.

  2. Navigate to Site-to-Site VPN on the left navigation bar, click Amazon VPC, and then the Setup tab. From here, you will upload the VPC configuration file that you downloaded and modified in the previous step.

  3. After uploading the configuration file and enabling the Amazon VPC connection, you should see Sophos UTM report the VPC Tunnel status indicating that the connection was established through both VPN tunnels.

  4. Finally, create an Any-Any-Any Firewall rule in the Network Security configuration to allow communication in both directions through the VPN connection that you established.

    Make sure you enable your firewall rule after creation. You may also want to enable ICMP and traceroute traffic in the ICMP tab of the Sophos UTM gateway configuration to help you verify and troubleshoot network connectivity issues. Temporarily removing firewall constraints makes it easier to troubleshoot the connection, if necessary. Once the connection is established, you will want to reintroduce security constraints, either by using AWS Security Groups or firewall rules in Sophos UTM, or both.

Configure VPC Route Tables

  1. For the VPC to leverage the Sophos UTM instance, configure your VPC subnet routing to point all traffic for the remote region to your Sophos UTM instance. In this example, the remote VPC uses the 172.16.0.0/16 range and the Sophos UTM instance-id is i-0b61a7bc:

  2. For the VPC to leverage the VGW, configure your VPC subnet routing to point all traffic for the other VPC to your VGW. In this example, the remote VPC uses the 10.0.0.0/0 range and the VGW ID is vgw-2928cf40:

Test Configuration

  1. Connect to an instance in VPC 1 and ping an instance in VPC 2. Please go to Launch an Instance in the Amazon Virtual Private Cloud Getting Started Guide for information about launching and connecting to Amazon VPC instances.

Appendix A: High-Level High Availability Architecture for Sophos UTM

Creating a fully redundant VPC connection between VPCs in two regions requires the setup and configuration of two Sophos UTM instances and a monitoring instance to monitor the health of the Sophos UTM instances.

We recommend configuring your VPC route tables to leverage both Sophos UTM devices simultaneously: direct traffic from all of the subnets in one Availability Zone through the Sophos UTM device in that same Availability Zone, and direct all traffic from subnets in the other Availability Zone through the Sophos UTM device in their Availability Zone. Each Sophos UTM instance then provides cross-region connectivity to the Amazon VGW in the other region for the instances that share its Availability Zone.

Sophos UTM Monitoring Instance

The Sophos UTM Monitor is a custom instance that you will need to create, together with the monitoring scripts that run on it. This instance is intended to monitor the state of the VPN connection and of the Sophos UTM instances. If either Sophos UTM instance goes down, the monitor will need to stop or terminate and restart that Sophos UTM instance, while also re-routing traffic from its subnets to the working Sophos UTM instance until both connections are functional again. High Availability for Amazon VPC NAT Instances: An Example provides an example of a script that could be modified to run on a monitoring instance and perform this function.
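The route-failover decision the monitoring instance has to make, as an added example (not the article's code, nor the NAT-instance script it references). Each subnet route table normally sends the remote VPC CIDR to the Sophos UTM instance in its own Availability Zone; when that instance fails its health probe the route is repointed at the surviving instance, and restored once it recovers. The EC2 route-table API is replaced by an in-memory stub, and the route-table and instance ids are constructed, so the logic runs offline.

```python
from dataclasses import dataclass, field

REMOTE_CIDR = "172.16.0.0/16"  # remote VPC range used in the article


@dataclass
class RouteTables:
    """Assumption: in-memory stand-in for the EC2 route-table API.

    routes maps a route-table id to the instance currently targeted for
    REMOTE_CIDR; calls records every replace_route() for inspection.
    """
    routes: dict
    calls: list = field(default_factory=list)

    def replace_route(self, rtb_id, instance_id):
        # A real monitor would call the EC2 ReplaceRoute API here.
        self.routes[rtb_id] = instance_id
        self.calls.append((rtb_id, instance_id))


def reconcile(tables, preferred, healthy):
    """Repoint each route table at a healthy Sophos UTM instance.

    preferred: rtb id -> UTM instance in the same AZ (the normal target)
    healthy:   UTM instance id -> bool from the tunnel/instance probes
    Returns the ids of the route tables whose route was changed.
    """
    alive = sorted(i for i, ok in healthy.items() if ok)
    changed = []
    for rtb, own in preferred.items():
        if healthy.get(own):
            want = own          # own-AZ instance is up: prefer it
        elif alive:
            want = alive[0]     # fail over to the surviving instance
        else:
            continue            # nothing healthy: leave the route alone
        if tables.routes.get(rtb) != want:
            tables.replace_route(rtb, want)
            changed.append(rtb)
    return changed


if __name__ == "__main__":
    # Constructed ids: one route table and one UTM instance per AZ.
    tables = RouteTables(routes={"rtb-az-a": "i-utm-a", "rtb-az-b": "i-utm-b"})
    preferred = {"rtb-az-a": "i-utm-a", "rtb-az-b": "i-utm-b"}
    print(reconcile(tables, preferred, {"i-utm-a": False, "i-utm-b": True}))
    print(tables.routes)
```

In production the health map would come from probing each UTM instance and its VPC tunnel status, and the monitor would also restart the failed instance as the appendix describes.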


Appendix B: Changing the default port of the Sophos UTM WebAdmin

Some IT security policies may prevent you from accessing Sophos UTM WebAdmin on its default port (4444). To work around this limitation, you will need to log into the Sophos UTM instance over secure shell (SSH) first and use the Sophos UTM command-line interface to change this port number to the standard HTTPS port (443). Here's how:

  1. Ensure that the security group associated with your Sophos UTM instance allows inbound SSH traffic.
  2. SSH into the Sophos UTM box, using its EIP. This will automatically direct you into the Sophos command-line interface. When you are connecting for the first time, you will be prompted for initial registration information (i.e. Basic Setup). Most of this information will not affect the working of your Sophos UTM instance, but a few bits are important to set right and remember for the future:
    • Use the Sophos box's public DNS name as the hostname. Sometimes the console won't show a public DNS name for a box with an EIP (although it *is* actually assigned). The format is straightforward, though, and you can work it out yourself if you know the EIP: it is the EIP with dashes instead of dots, prefixed with "ec2-" and followed by the region and "compute.amazonaws.com" (for example: ec2-54-213-43-108.us-west-2.compute.amazonaws.com for a box with an EIP of 54.213.43.108).
    • Enter (and remember!) the webadmin password - you'll use it later in the actual WebAdmin GUI.
  3. After you're done with the registration information, you'll enter the Sophos UTM command-line interface. Here's the series of steps necessary to change the default port of the Sophos UTM WebAdmin:
    1. Enter the MAIN mode.
    2. Enter the webadmin screen (all lower case; tab completion works).
    3. Enter the port$ variable name (with the dollar sign; again, tab completion works).
    4. Enter =443 (with the equal sign in front and no space) to change the default port value to the standard HTTPS port number (which is normally allowed by all IT policies).

  4. Exit out of SSH if you wish.
  5. Test the result by going to the Sophos UTM WebAdmin GUI:
    1. Use https://<EIP>:443 or https://<Public DNS>:443. The EIP or Public DNS are those of your Sophos UTM instance. Your browser is likely to complain about certificate authenticity because it is self-signed - just accept the security exception.
    2. Enter admin as user name (all lower case).
    3. Enter the password you entered (and remembered :-) during the SSH session.

Appendix C: Configuring BGP to advertise the local CIDR range

By default, your Sophos UTM instance will advertise the CIDR range of "Any Network": 0.0.0.0/0. If it is the only remote VPC connected to a VGW, this may work just fine. But if you have several remote VPCs connected to a single VGW (a configuration known as CloudHub), you will need to be more specific. The process of configuring Sophos UTM to advertise a specific CIDR range consists of three large steps:

  1. Create a network representing your CIDR range via Sophos WebAdmin UI
  2. Configure BGP to advertise this network via Sophos command line tool
  3. Reset AWS VPC connection

Below we provide a step-by-step way of doing this:

  1. Create a network representing your CIDR range via Sophos WebAdmin UI

    1. Go to the Definitions & Users top-level menu, select Network Definitions sub-menu and click on the [New network definition] button:

    2. Enter a name (for example, "MyVPC"), the starting IP of the CIDR range (for example 172.31.0.0) and the netmask (for example /16 (255.255.0.0) ). Optionally, enter a description. Click [Save].

    3. You now should be able to see your newly added network in the list of networks defined within your Sophos UTM:

  2. Configure BGP to advertise this network via Sophos command line tool

    1. SSH into your Sophos UTM box
    2. Switch to the RAW mode
    3. Enter lock_override command
    4. Switch to the OBJS mode
    5. Enter bgp configuration sub-mode
    6. Enter amazon_vpc section
    7. Enter REF_BgpAma1 to view the configuration of the first link
    8. This series of commands will look something like this:

    9. As you can see, this BGP link is currently advertising "Any Network", i.e. 0.0.0.0/0 range. We'll need to change that.
    10. Press [TAB] key twice in a row - this will show the list of defined networks. You should see the network you defined in Step 1 listed there as well (under a slightly modified REF name):

      We'll set the network property of this BGP link to advertise our network instead of "any network"
    11. Assign the value of the REF name of your network to the network property of this BGP link (for example: network=['REF_NetNetMyvpc'])
    12. Type w and press [ENTER] to write this configuration and make it permanent. This sequence of commands should look something like this:

    13. Enter .. to exit out of this BGP link and then REF_BgpAma2 to enter the second link
    14. Reassign the network property of this link to the same value and make it permanent:

  3. Reset AWS VPC connection

    1. Go back to the Sophos WebAdmin UI
    2. Select the "Site-to-Site VPN" menu and within it, "Amazon VPC" sub-menu.
    3. Click on the green "switch" button in the upper right to turn off the VPN. And then click on that "button" again to turn it back on:

  4. If you now go back to your other VPC and enable route propagation (or if it is already enabled), you should see the right CIDR range being propagated via VGW.

©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved.