with Amazon WorkLink

You can create an EC2 instance in your VPC and use the curl function to validate connectivity for your WorkLink-associated domains using the Amazon Web Services console. Amazon Linux AMI instance types offer a free tier, which allows you to use curl commands from an EC2 instance without incurring additional charges.

Tasks:

  1. Confirm your WorkLink Network Configuration
  2. Launch an EC2 Instance in your VPC
  3. Configure EC2 Instance Details
  4. Curl the website from your VPC, using your SSH client

1. Log into the AWS Console, and search for WorkLink in the Find Services search bar.

2. Select your WorkLink fleet.

3. Select your Company network.

4. On the Company network page, choose View details, and copy the VPC and Subnet IDs. You'll need these in a future step.

1. Using the same AWS account, go to the AWS console, search for VPC, and choose VPC.

2. Click on Launch EC2 Instances

3. Search for “Amazon Linux 2 AMI (HVM), SSD Volume Type.”

a. The Amazon Linux 2 AMI instance type is available with a free tier. Choose Select.

4. Make sure the default instance size (t2.micro) is selected (this size is free tier eligible) and choose Next: Configure Instance Details.

Next, ensure the instance details for your configuration are correct. You will need the VPC and Subnet values you confirmed in Step 1.


1. To ensure that the instance details are correct:

a. In the drop-down menu for Network, select the VPC ID that you copied in Step 1.

b. In the drop-down menu for Subnet, select the Subnet ID that you copied in Step 1.

c. Ensure that “Auto Assign Public IP” is set to “Use subnet setting (enable).”

After confirming the values correctly match your Amazon WorkLink configuration, select Review and Launch.

2. On the next screen, choose Launch.

If you need to create a new key pair, you can do so by following these steps:

a. Choose Create a new key pair from the drop-down menu.
b. Provide a name for the key pair in the text bar beneath Key pair name.
c. Choose Download Key Pair.

4. Now that you have selected or created a key pair, you are ready to launch your EC2 instance.

Note: If you are trying to SSH into the newly created host in a private subnet from a different network, then you will need to follow the VPC documentation on securely connecting to EC2 instances in a private subnet.

Choose the Launch Instance button in the pop-up.

5. Review launch status of your new instance. Select View Instance to ensure that your new EC2 instance has changed state from pending to running.

6. From the VPC home page, confirm that your new instance says running in the Instance State column.

7. Now that you can see your EC2 instance is running, choose Connect.

5. Review the pop up with instructions to SSH into your EC2 instance. Copy the command labeled Example. You will run the example command to SSH into your EC2 instance in the next step.

Now that your instance is running, you can open an SSH client and test the connectivity between your VPC and the domain server by running the curl command.

1. Open your SSH client.

2. To SSH into your EC2 instance, run the example command from the pop-up message displayed in Step 3, #5 from your SSH client.

3. Run the curl command in your EC2 instance. The command should be structured like the following:

/ # curl ${ASSOCIATED_DOMAIN}

where ${ASSOCIATED_DOMAIN} is the fully qualified domain name of the website (for example, https://.com). Be sure to include “https://”.


4. Review the results:

  • If the curl command above returns the HTML content for the associated domain, your VPC is connected to the domain.
  • If you do not see the HTML response, the request will either time out or report that the name cannot be resolved. In either case, your VPC cannot reach the domain. You will need to route connectivity from the website to your VPC to connect this website to Amazon WorkLink.

There are many issues that could prevent the VPC from connecting to the Amazon WorkLink-associated domain. Customers can review their domain and VPC configurations, and test the results using the curl command configured above. Below are some of the most common paths to investigate.

1. VPC Cannot Resolve DNS

You may see a response from the curl command that the VPC cannot resolve DNS. You can confirm this by running the following command:
/ # dig ${WHITELIST_SITE}

If you do not see the ANSWER SECTION in the response to this command, then the name server responsible for resolving ${WHITELIST_SITE} does not have an A record for ${WHITELIST_SITE}. This might be because you have a Private Hosted Zone attached to the VPC or are not using the default DHCP Options Set on the VPC (the Amazon-provided DNS servers).

2. Associated Domain Entered Incorrectly

The Associated Domain name was entered incorrectly. Confirm that your domain includes the fully qualified path (including https://) and is correctly entered.

3. VPC does not have a route to domain servers outside of AWS

The VPC in AWS does not have a route to the domain servers outside AWS. To establish connectivity, you must configure a Direct Connect or IPsec tunnel from the VPC to the domain servers. After configuring the path between the VPC and the domain servers, you can run the curl command again to validate connectivity.

4. VPC does not have a route to domain servers running inside of AWS

The VPC in AWS does not have access to the resources running in another VPC in AWS. To grant connectivity from the VPC used for Amazon WorkLink, consider configuring a connection between these resources using Amazon Virtual Private Cloud VPC peering, AWS PrivateLink, or AWS Transit Gateway. After configuring the path between the VPC and the domain servers, you can run the curl command again to validate connectivity.
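The curl check in the previous section and the four troubleshooting paths above can be combined into one script run on the EC2 instance. This is an added example, not part of the WorkLink documentation; it assumes curl and dig (bind-utils on Amazon Linux 2) are installed, and the URL passed in is your own associated domain.

```shell
#!/bin/sh
# Constructed example: classify why curl to a WorkLink-associated domain
# fails, mapping the result to the troubleshooting paths in the guide.

# Extract the host name from a URL such as https://intranet.example.com/path
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[/:?].*$||'
}

# Map a curl exit status to an investigation path.
classify_curl_exit() {
    case "$1" in
        0)     echo "ok: HTML returned, the VPC reaches the domain" ;;
        3)     echo "url: malformed URL, re-check the associated domain entry" ;;
        6)     echo "dns: host could not be resolved (path 1: Private Hosted Zone / DHCP Options Set)" ;;
        7)     echo "route: could not connect (paths 3/4: Direct Connect, IPsec, peering, PrivateLink, Transit Gateway)" ;;
        28)    echo "timeout: no response (paths 3/4: routing, security groups, NACLs)" ;;
        35|60) echo "tls: domain reachable but TLS handshake or certificate failed" ;;
        *)     echo "other: curl exit status $1" ;;
    esac
}

# Same check as `dig ${WHITELIST_SITE}`: no A record means an empty answer.
dns_check() {
    name=$(url_host "$1")
    if [ -n "$(dig +short A "$name" 2>/dev/null)" ]; then
        echo "dns-ok: $name has an A record"
    else
        echo "dns-missing: no A record for $name (path 1)"
    fi
}

# Run the full check: URL sanity, DNS, then the HTTPS request itself.
check_domain() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) echo "url: associated domain must include https:// (path 2)"; return 1 ;;
    esac
    dns_check "$url"
    curl -sS -o /dev/null --max-time 15 -w 'HTTP %{http_code}\n' "$url"
    classify_curl_exit "$?"
}
```

Invoke it as `check_domain https://intranet.example.com` from the SSH session on the instance; the DNS and curl lines together tell you which of the four paths to investigate.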