Access your private network from real mobile devices using AWS Device Farm
Testing a mobile or web app on a real device often requires a secure connection to private endpoints. These endpoints may be hosted on AWS inside a VPC, on premises, at another cloud provider, or across a mix of those. You may also want the host machines to which your devices are connected to reach private endpoints. A common scenario is an unreleased version of your app talking to a staging environment while the tests pull internal packages that are reachable only over your private network. With the launch of support for VPC-ENI based connectivity in AWS Device Farm, you can connect both your private devices and the Device Farm test hosts to non-public endpoints.
The new VPC connectivity supports multiple types of traffic, such as TCP, UDP, WebSockets, and streaming. Apps installed on private devices can therefore communicate with private endpoints without a separate configuration for each endpoint.
Until recently, communication with private endpoints was achieved through the existing Amazon VPC endpoint service (AWS PrivateLink) connection on Device Farm. In contrast, the ENI based approach significantly shortens setup and connection time, supports all traffic types, relaxes the limit on the number of private endpoints you can connect to, removes the need for explicit host proxy and device proxy settings in the use cases that required them, and expands the IP subnets supported. You now configure the VPC settings once at the project level, and all runs under that project use them.
In this post, you will look at the architecture of this feature and walk through a hands-on example of connecting to a web application hosted in an AWS VPC in the us-west-2 Region.
The following diagram shows the high-level architecture of the VPC-ENI feature:
Figure 1: High-level architecture and traffic flow
Your tests run in the fully managed service infrastructure inside the Device Farm service VPC in the AWS us-west-2 Region. When you configure your Device Farm project with VPC settings and start a test session, Device Farm creates an Elastic Network Interface (ENI) in your VPC. The ENI is attached to one of the subnets that you provide in your VPC settings and carries the security group(s) you select there. This network interface is how your Device Farm test runs reach your private resources.
The Device Farm VPC connectivity feature can only connect directly to a VPC in the us-west-2 Region. However, if your final endpoint is not hosted in us-west-2, you can use any of the cross-region VPC connectivity options, such as VPC peering, transit gateway, or VPN, to reach the intended service. Device Farm does not impose any restrictions on what you do outside of the VPC in us-west-2.
Note that if your VPC in us-west-2 needs to reach the internet, it needs a public-facing NAT gateway. Deploying a NAT gateway in your VPC may incur additional charges that are separate from Device Farm pricing.
Before you use this feature from your AWS account, ensure that you have the following resources set up:
- An AWS account.
- An active subscription to Private Devices in Device Farm.
- An Amazon VPC with one or more private subnets in the us-west-2 Region.
- NAT gateway [Optional]: if your internal application needs to reach public resources on the internet, those resources must be reachable from within your VPC, which for a private subnet means routing through a NAT gateway.
Here are the implementation steps:
- Launch a non-public web application running on an EC2 instance inside a VPC in AWS us-west-2 region.
- Create a Device Farm project with VPC Settings.
- Update Security group of your EC2 instance for ingress from Device Farm ENI.
- Start a remote access session on a private device.
- Access your internal web application from the remote access session.
Note: all of the AWS Device Farm infrastructure is hosted only in the us-west-2 Region, so create the required resources in us-west-2.
Launch a non-public web application inside a VPC in AWS us-west-2 region:
For this post, you are using an Amazon EC2 instance operating inside a private subnet of an Amazon VPC to host a sample web application.
- To create a VPC and its supporting resources, such as subnets, route tables, an internet gateway (optional), and a NAT gateway (optional), follow the instructions here. Ensure that the subnet you will use is associated with a route table that does not have a route to an internet gateway; that is what makes it private.
Note: It is strongly suggested to have more than one subnet in your VPC to ensure high availability. This applies to use cases beyond the example in this post as well.
- To launch an EC2 instance, follow the steps below. Detailed documentation for launching an EC2 instance can also be found here.
a. Under Application and OS Images (Amazon Machine Image), choose a free tier eligible Amazon Linux AMI, and choose t2.micro as the instance type.
b. Select or create the key pair to securely connect to your instance.
c. Edit the Network settings section and select the VPC that you created as part of the prerequisites. In the Subnet dropdown, select the private subnet.
d. Disable the auto-assign public IP option.
e. Next, edit the Firewall (security groups) section. Choose Create security group and provide a suitable name.
f. Under Inbound security group rules, remove the SSH rule that is selected by default. You will add a rule in a later section that allows HTTP traffic over port 80 to your EC2 instance only from the Device Farm service-managed network interface.
g. Expand the Advanced details section and scroll down to the User data option. Enter the following script to install a web server:

```bash
#!/bin/bash
# User data for the sample web server; runs as root on first boot.
yum -y update
yum -y install httpd
chkconfig httpd on    # start Apache on every boot
service httpd start   # start it now
# On systemd-based Amazon Linux releases, `systemctl enable --now httpd`
# does the same as the two lines above.
echo "<html><h1>Hello! I am an EC2 instance speaking from a private subnet of your VPC </h1></html>" > /var/www/html/index.html
```
h. Launch the instance.
i. Note the private IP address of this instance; you will use it later to access the web application from a private device.
Create a Device Farm project with VPC Settings
Next, create a new project in the Device Farm console and assign VPC settings using the following steps:
- On the Device Farm console, choose New project.
Note: It is strongly suggested not to reuse an existing project with the VPC-ENI feature, in particular a project that has used the VPC endpoint (VPCE) feature. Using both connectivity methods in the same project results in errors.
- Enter a suitable name for your project.
- Under the Virtual Private Cloud (VPC) Settings section, select the VPC in which your internal web application is hosted.
- Choose the private Subnets that Device Farm will use to create the network interface in your VPC.
Note: It is strongly suggested to select more than one subnet in this setting to ensure high availability. This also applies to use cases beyond the example in this post.
- Next, select the Security groups that Device Farm attaches to the network interface it creates in your VPC. Make a note of the security group ID; you will allow-list it in the security group of your EC2 instance. This group must permit outbound traffic to the instance (the default allow-all outbound rule is sufficient).
- Choose Create.
Figure 2: Create a project in Device Farm console.
Update the security group of your EC2 instance for ingress from the Device Farm ENI
To tighten the security posture so that only traffic arriving through the Device Farm ENI on port 80 reaches your EC2 instance, allow-list the security group used in the Device Farm VPC settings using the following steps:
- Navigate to the security group of the EC2 instance on which web application is hosted.
- Follow the instructions on updating security group rules.
- Add an inbound rule of type HTTP (TCP port 80) whose source is the security group ID that you noted while configuring the VPC settings of Device Farm. Referencing the security group rather than a CIDR range means the rule follows the service-managed network interface whatever private IP address it is assigned, and admits HTTP traffic from Device Farm to the EC2 instance only through that interface.
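The project creation and security-group steps above, as an added example in Python with boto3 (this is not code from the original post or from the Device Farm team). It builds the vpcConfig for create_project, builds the port-80 ingress rule that references the Device Farm security group, and audits the instance's security group so that any CIDR source or other group that would bypass the ENI shows up as a finding. All resource IDs (vpc-0example, subnet-0a, subnet-0b, sg-0devicefarm, sg-0webserver) and the two describe_security_groups-shaped records are constructed placeholders; only apply() talks to AWS.

```python
"""Device Farm VPC-ENI setup with boto3, plus a security-group audit.

Added example, not code from the original post. All resource ids are assumed
placeholders: vpc-0example, subnet-0a / subnet-0b, sg-0devicefarm (the group
selected in the project's VPC settings), sg-0webserver (the EC2 instance's group).
"""
from typing import Any

REGION = "us-west-2"  # Device Farm can only create its ENI in a us-west-2 VPC


def build_vpc_config(vpc_id: str, subnet_ids: list[str], sg_ids: list[str]) -> dict[str, Any]:
    """vpcConfig for devicefarm.create_project: the VPC, the private subnets the
    service-managed ENI may be placed in, and the security group(s) it carries."""
    if not subnet_ids or not sg_ids:
        raise ValueError("at least one subnet and one security group are required")
    if len(subnet_ids) < 2:
        # The post recommends more than one subnet so ENI placement has an AZ fallback.
        print("warning: single subnet; ENI placement has no high-availability fallback")
    return {"vpcId": vpc_id, "subnetIds": list(subnet_ids), "securityGroupIds": list(sg_ids)}


def ingress_from_security_group(source_sg: str, port: int = 80) -> dict[str, Any]:
    """One IpPermissions entry: TCP/port from a source security group, no CIDRs.
    Referencing the Device Farm group (not a CIDR) ties the rule to the ENI:
    whatever private IP the ENI receives, it carries that group."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg}],
    }


def audit_ingress(sg: dict[str, Any], allowed_source_sg: str, port: int = 80) -> list[str]:
    """Findings for inbound rules admitting more than allowed_source_sg on tcp/port.
    `sg` is one element of ec2.describe_security_groups()["SecurityGroups"];
    an empty list means the group is as tight as the post intends."""
    findings: list[str] = []
    df_rule_present = False
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        span = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
        # Any CIDR source is wider than the single ENI we want to admit.
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR source {r['CidrIp']} allowed for {span}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"CIDR source {r['CidrIpv6']} allowed for {span}")
        for pair in perm.get("UserIdGroupPairs", []):
            if proto == "-1":
                findings.append(f"group {pair['GroupId']} allowed for all traffic")
            elif pair["GroupId"] != allowed_source_sg:
                findings.append(f"unexpected group {pair['GroupId']} allowed for {span}")
            elif proto == "tcp" and lo is not None and lo <= port <= hi:
                if (lo, hi) != (port, port):
                    findings.append(f"{pair['GroupId']} allowed on {span}, wider than tcp/{port}")
                df_rule_present = True
            else:
                findings.append(f"{pair['GroupId']} allowed for {span}, not tcp/{port}")
    if not df_rule_present:
        findings.append(f"no rule admits {allowed_source_sg} on tcp/{port}")
    return findings


# Constructed sample records shaped like describe_security_groups output: the web
# server's group with an open HTTP rule, and the same group after allow-listing.
WEB_SG_OPEN = {
    "GroupId": "sg-0webserver",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
    }],
}
WEB_SG_LOCKED = {
    "GroupId": "sg-0webserver",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [], "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0devicefarm", "UserId": "111122223333"}],
    }],
}


def apply(project_name: str, vpc_id: str, subnet_ids: list[str], df_sg: str, web_sg: str) -> str:
    """Create the project and add the ingress rule in a real account; returns the
    project ARN. boto3 is imported here so the helpers above run without it."""
    import boto3
    devicefarm = boto3.client("devicefarm", region_name=REGION)
    ec2 = boto3.client("ec2", region_name=REGION)
    project = devicefarm.create_project(
        name=project_name, vpcConfig=build_vpc_config(vpc_id, subnet_ids, [df_sg]))
    ec2.authorize_security_group_ingress(
        GroupId=web_sg, IpPermissions=[ingress_from_security_group(df_sg)])
    current = ec2.describe_security_groups(GroupIds=[web_sg])["SecurityGroups"][0]
    for finding in audit_ingress(current, df_sg):
        print("finding:", finding)
    return project["project"]["arn"]
```

Run audit_ingress() on the constructed records to see the difference: the open group yields two findings (the 0.0.0.0/0 source and the missing Device Farm rule), the locked group yields none. A Device Farm run can only pass through the rule that references sg-0devicefarm, so anything else the audit reports is exposure the ENI does not need.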
Starting a remote access session on a private device
Start a remote access session on your private device using the following steps:
- First, navigate to the Device Farm project created in previous section.
- On the Remote access tab, choose Start a new session.
- Choose any private device for your session.
- In Session name, enter a name for the session.
- Choose Confirm and start session.
Access your internal web application from remote access session
You can access the web application in a remote access session on a private device using the following steps:
- Ensure that the Device Farm console shows the device screen and you can interact with device.
- Open the mobile web browser on the device.
- In the address bar, enter the private IP address of the EC2 instance that you noted when launching it, as an http:// URL; the web server listens on port 80, so no port needs to be specified.
- Once the page loads, you see the response from the instance on which your non-public web application is running.
Figure 3: Webpage hosted in your VPC displayed on the private device browser.
In this post, we demonstrated how you can access an internal web application through the VPC-ENI based connectivity feature in AWS Device Farm. The feature operates at scale, allowing you to securely connect multiple private devices to multiple private endpoints that are inside a VPC or reachable from it. It supports multiple traffic types and works through a simple project-level configuration. You can learn more about this feature in our documentation.