Configuring Secure Cloud Networks with VPN and NAT on AWS: A Personal Project
As a passionate and driven cybersecurity enthusiast, I embarked on a side project to enhance my knowledge of cloud security and networking using AWS. This project involved setting up a secure network across two AWS regions using custom VPNs and NAT on EC2 instances. The hands-on experience not only deepened my understanding of AWS but also set me on a path towards better understanding the principles of cloud security as a whole.
Objectives and Requirements
Objective:
Demonstrate configuring a secure network across two AWS regions using custom VPNs and NAT on EC2 instances.
Requirements:
- Select two AWS cloud regions.
- Create a VPC in each region with distinct CIDR blocks.
- Configure a public and private subnet in each VPC.
- Deploy a VPN Gateway VM in the public subnet and a Private VM in the private subnet of each region.
- Establish a secure tunnel using VPN software between the VPN Gateway VMs.
- Configure the VPN Gateway VM to provide NAT functionality for the Private VM.
- Update route tables for appropriate traffic routing.
Step-by-Step Process
1. Select Cloud Regions
I selected two AWS regions: Stockholm (eu-north-1) and Frankfurt (eu-central-1) to ensure geographical diversity and simulate real-world scenarios where regions are often separated by vast distances.
2. Create VPCs
In each region, I created a VPC with non-overlapping CIDR blocks:
- Stockholm: 10.0.0.0/16
- Frankfurt: 10.1.0.0/16
3. Set Up Subnets
Each VPC included a public and a private subnet:
- Stockholm:
  - Public Subnet: 10.0.0.0/24
  - Private Subnet: 10.0.1.0/24
- Frankfurt:
  - Public Subnet: 10.1.0.0/24
  - Private Subnet: 10.1.1.0/24
4. Deploy EC2 Instances
In each VPC, I deployed two EC2 instances:
- VPN Gateway VM in the public subnet
- Private VM in the private subnet
The instances used Ubuntu as the operating system. Security groups and route tables were meticulously configured to ensure proper communication and security.
5. Custom VPN Configuration
I installed VPN software (WireGuard) on the VPN Gateway VMs to create a secure tunnel between the two regions. Configuration files were carefully set up to define the peers and encryption settings, ensuring a secure and stable connection.
6. Custom NAT Configuration
IP forwarding and iptables were configured on the VPN Gateway VM to enable NAT functionality. This setup allowed the Private VM in each VPC to communicate securely with the other region through the VPN tunnel.
7. Testing and Verification
Testing Steps:
- Used ping and traceroute commands to verify connectivity and proper routing.
- Verified that traffic from the Private VM in one region could reach the Private VM in the other region through the VPN tunnel.
- Verified that Private VMs were able to reach the public internet as well, through NAT.
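Steps 5 to 7 above, written out as an added example (these are not the post's own configuration files or commands). The script uses the post's CIDRs and WireGuard port; the tunnel addresses 10.255.0.1/24 (Stockholm) and 10.255.0.2/24 (Frankfurt), the VPC-facing interface name ens5, and every PLACEHOLDER key or peer IP are assumptions to be replaced with real values. Internet-bound traffic is masqueraded behind the gateway, while traffic between the two VPCs is only forwarded through the tunnel, so the private VMs keep their real addresses and the VPC route tables on both sides can carry the return path.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 5 to 7 as commands on
# the VPN Gateway VMs, using the post's CIDRs and UDP port. Assumptions to
# replace with real values: tunnel addresses 10.255.0.1/24 (Stockholm) and
# 10.255.0.2/24 (Frankfurt), the VPC-facing interface name ens5, and the
# PLACEHOLDER keys and peer public IPs.
set -eu

WG_PORT=51820

# Render wg0.conf for one gateway.
#   $1 tunnel address, $2 file holding this host's private key (from `wg genkey`),
#   $3 peer public key, $4 peer's public IP, $5 CIDRs that live behind the peer
render_wg_conf() {
    tunnel_addr=$1; privkey_file=$2; peer_pubkey=$3; peer_ip=$4; peer_nets=$5
    cat <<EOF
[Interface]
Address = $tunnel_addr
ListenPort = $WG_PORT
PrivateKey = $(cat "$privkey_file")

[Peer]
PublicKey = $peer_pubkey
Endpoint = $peer_ip:$WG_PORT
# Cryptokey routing: only these destinations enter the tunnel, and packets
# arriving from the peer with any other source address are dropped.
AllowedIPs = $peer_nets
PersistentKeepalive = 25
EOF
}

# Print the iptables rules that make the gateway a NAT for its private subnet.
# Only internet-bound traffic is masqueraded; inter-VPC traffic is forwarded as-is.
#   $1 local private subnet, $2 tunnel interface, $3 VPC-facing interface
nat_rules() {
    priv_net=$1; tun_if=$2; lan_if=$3
    cat <<EOF
iptables -t nat -A POSTROUTING -s $priv_net -o $lan_if -j MASQUERADE
# private subnet may start connections anywhere (internet via $lan_if, remote VPC via $tun_if)
iptables -A FORWARD -s $priv_net -i $lan_if -j ACCEPT
# the remote region may reach our private subnet through the tunnel
iptables -A FORWARD -i $tun_if -d $priv_net -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Gateway-side check: a handshake within the last 3 minutes means the tunnel is live.
tunnel_up() {
    last=$(wg show wg0 latest-handshakes | awk '{print $2}')
    [ -n "$last" ] && [ "$last" -gt 0 ] && [ $(( $(date +%s) - $last )) -lt 180 ]
}

# Step 7, run from a Private VM: $1 the other region's Private VM, $2 any internet host.
verify_paths() {
    ping -c 3 -W 2 "$1" >/dev/null || { echo "tunnel path to $1 is down"; return 1; }
    ping -c 3 -W 2 "$2" >/dev/null || { echo "NAT path to $2 is down"; return 1; }
    traceroute -n -m 8 "$1"   # first hop should be the local VPN Gateway VM
}

# Bring up the Stockholm gateway (run as root; mirror with swapped values in Frankfurt).
if [ "${1:-}" = "apply-stockholm" ]; then
    umask 077   # wg-quick refuses a world-readable config holding the private key
    render_wg_conf 10.255.0.1/24 /etc/wireguard/private.key \
        "${FRANKFURT_PUBKEY:-PLACEHOLDER_PEER_PUBLIC_KEY}" \
        "${FRANKFURT_PUBLIC_IP:-203.0.113.10}" \
        "10.1.0.0/16, 10.255.0.0/24" > /etc/wireguard/wg0.conf
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-vpn-gateway.conf
    sysctl --system >/dev/null
    nat_rules 10.0.1.0/24 wg0 ens5 | sh -e
    wg-quick up wg0
fi
```

Running the script with the argument `apply-stockholm` configures that gateway; the Frankfurt side uses 10.255.0.2/24, the Stockholm gateway's public key and IP, `10.0.0.0/16, 10.255.0.0/24` as AllowedIPs and `10.1.1.0/24` as its private subnet. Including the tunnel /24 in AllowedIPs lets the two gateways ping each other's tunnel address, which separates "tunnel down" from "route table wrong" during troubleshooting.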
Challenges Faced
VPN Configuration Issues
This was my first time working in an AWS cloud environment, and I encountered several challenges while configuring the VPN. Initially, misconfigurations in WireGuard settings led to connectivity issues. The VPN tunnel was unstable, and traffic was not routing correctly between regions. I overcame these issues by meticulously reviewing and adjusting the WireGuard configuration files, ensuring that the public and private keys were correctly set up, and that the endpoint IPs were accurately defined. Debugging logs and performing iterative testing with ping and traceroute commands helped identify and resolve the issues.
Route Table Conflicts
Another significant challenge was the conflict in route tables. Overlapping routes caused traffic to be misrouted, resulting in communication failures between instances. This required a thorough review and update of the route tables. I had to carefully map out the CIDR blocks and ensure that the routes were properly configured to direct traffic through the VPN tunnel. This process involved detailed attention to the specifics of AWS route table management, ensuring that each route was unique and correctly prioritized.
Security Group Adjustments
Ensuring the correct ports were open and setting proper rules for both inbound and outbound traffic was critical for facilitating VPN and NAT functions. Initially, incorrect security group configurations prevented the VPN tunnel from establishing and maintaining a stable connection. I had to adjust the security groups to allow traffic on the specific port required by WireGuard (UDP 51820), and ensure that ICMP traffic was permitted for troubleshooting purposes. This experience taught me the importance of meticulous security group configuration and the role it plays in maintaining secure and functional network communication.
Additional Challenges and Solutions
- IP Forwarding and NAT Setup: Setting up IP forwarding and configuring iptables on the VPN Gateway VM for NAT functionality was another complex task. Initially, packets were not being forwarded correctly, causing communication breakdowns between private subnets. By enabling IP forwarding and configuring iptables rules to masquerade outbound traffic, I ensured that the Private VM could communicate with external networks through the VPN.
- Instance Configuration and Management: Managing and configuring the EC2 instances required a detailed understanding of AWS services. Ensuring that each instance was correctly configured with the appropriate AMI, instance type, and security settings was crucial. I also had to manage SSH access, ensuring secure and reliable remote administration of the instances.
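The AWS-side settings behind the Route Table Conflicts and Security Group Adjustments sections, as an added example (not from the original post), expressed as AWS CLI calls. Every security group, route table and instance ID, and the peer gateway's public IP, is a labelled placeholder. The WireGuard rule admits UDP 51820 only from the peer gateway's public address rather than from anywhere, and the route table gets exactly one route per destination so that no two entries compete for the same prefix. One requirement the post does not spell out is included: EC2 discards packets that an instance forwards on behalf of others unless source/destination checking is disabled on that instance, so a gateway acting as NAT or VPN hop needs it switched off. With `DRY_RUN=1` the functions print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post: AWS CLI calls for the security
# groups and route tables of a VPN Gateway VM. All IDs and the peer IP are
# placeholders (assumptions). DRY_RUN=1 prints the commands instead of running them.
set -eu

aws_ec2() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'aws ec2 %s\n' "$*"
    else
        aws ec2 "$@"
    fi
}

# Inbound rules for a gateway's security group:
#   $1 security group ID, $2 peer gateway's public IP, $3 local VPC CIDR,
#   $4 remote VPC CIDR, $5 local private subnet CIDR
gateway_sg_rules() {
    sg=$1; peer_public_ip=$2; local_vpc=$3; remote_vpc=$4; private_subnet=$5
    # WireGuard: only the other gateway may talk to UDP 51820
    aws_ec2 authorize-security-group-ingress --group-id "$sg" --protocol udp --port 51820 --cidr "$peer_public_ip/32"
    # ICMP from both VPC ranges so ping/traceroute work during troubleshooting
    aws_ec2 authorize-security-group-ingress --group-id "$sg" --protocol icmp --port -1 --cidr "$local_vpc"
    aws_ec2 authorize-security-group-ingress --group-id "$sg" --protocol icmp --port -1 --cidr "$remote_vpc"
    # traffic the gateway forwards on behalf of the local private subnet
    aws_ec2 authorize-security-group-ingress --group-id "$sg" --protocol -1 --cidr "$private_subnet"
}

# Private-subnet route table: remote VPC and the internet both go to the gateway
# instance, one route per destination.
#   $1 route table ID, $2 gateway instance ID, $3 remote VPC CIDR
private_subnet_routes() {
    rtb=$1; gateway_instance=$2; remote_vpc=$3
    aws_ec2 create-route --route-table-id "$rtb" --destination-cidr-block "$remote_vpc" --instance-id "$gateway_instance"
    aws_ec2 create-route --route-table-id "$rtb" --destination-cidr-block 0.0.0.0/0 --instance-id "$gateway_instance"
}

# Let the gateway forward packets that are not addressed to or from itself.
disable_src_dst_check() {
    aws_ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Stockholm side with placeholder IDs; Frankfurt mirrors it with 10.1.x values.
if [ "${1:-}" = "apply-stockholm" ]; then
    gateway_sg_rules sg-PLACEHOLDER 203.0.113.10 10.0.0.0/16 10.1.0.0/16 10.0.1.0/24
    private_subnet_routes rtb-PLACEHOLDER i-PLACEHOLDER 10.1.0.0/16
    disable_src_dst_check i-PLACEHOLDER
fi
```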
Key Learnings
- In-depth Understanding of AWS Networking: This project provided a comprehensive understanding of AWS Virtual Private Cloud (VPC), subnets, and route tables. I learned how to design and implement a multi-region network architecture, which is fundamental to cloud networking.
- VPN Configuration Mastery: Configuring and troubleshooting VPNs using WireGuard was a significant learning experience. I gained hands-on skills in setting up secure communication channels and ensuring data integrity and confidentiality between cloud regions.
- NAT and iptables Proficiency: Setting up NAT and managing iptables for traffic routing provided practical skills that are invaluable in real-world scenarios. This involved configuring IP forwarding, setting up NAT rules, and ensuring seamless packet transmission between private subnets and external networks.
- Problem-Solving: The project honed my problem-solving skills, essential for any cybersecurity professional. Each challenge required a methodical approach to diagnose and resolve issues, enhancing my ability to troubleshoot and resolve network configuration problems effectively.