在 terraform IPSec 隧道中使用的 AWS IP 地址(通过 Transit Gateway)
AWS IP address to use in terraform IPSec tunnels (via Transit Gateway)
我正在尝试构建 AWS terraform IPSec VPN 配置。但是,我不记得在哪里可以找到 AWS IPSec IP 地址; terraform cgw documentation 表示 ip_address 字段是必需的。
答案应该假定 VPN 将附加到我的 AWS Transit Gateway。
我的地形:
resource "aws_customer_gateway" "cgw-abbv-for-local-and-remote" {
bgp_asn = 65001
ip_address = "A.B.C.D" #<-- I need this IP before terraform apply
type = "ipsec.1"
tags = {
Name = "insert-cgw-name-here"
}
}
resource "aws_vpn_connection" "vpn-abbv-for-local-and-remote" {
customer_gateway_id = aws_customer_gateway.cgw-abbv-for-local-and-remote.id
transit_gateway_id = aws_ec2_transit_gateway.my-tgw-name.id
type = aws_customer_gateway.cgw-abbv-for-local-and-remote.type
tags = {
Name = "insert-vpn-name-here"
}
}
terraform 的文档中不是很清楚,但是我在网上找到了一个例子,说明了这个问题。
简而言之,aws_customer_gateway 配置在 IPSec 隧道的 AWS 端 而不是 ...这些资源相对于 AWS 是“远程”的:
所以在这种情况下,ip_address 将是 AWS IPSec 数据包的目标 IP 地址 离开 AWS Transit Gateway; aws_customer_gateway ip_address 不属于 AWS。
客户网关的 ip_address 是位于客户数据中心内部的物理 appliance/router 的 IP。您需要此 ip_address 来建立 VPN 连接。当您在 terraform 中迷路时,AWS docs 也会提供帮助。
看来 OP 已经找到了答案,但让我补充两分钱,因为两年前我花了很多时间来解决 AWS VPN 问题,以便通过 AWS Advanced Networking 证书。这可能对 VPN 新手很有用 - 特别是在 AWS 生态系统中:
有一本很棒的书叫做 AWS Certified Advanced Networking Official Study Guide,我推荐所有担任云网络工程师角色的人阅读。 [1]
指出以下几点:
-
After you create a VPN connection, the VPN tunnel activates when traffic is generated
from your side of the VPN connection. The VGW is not the initiator; your customer gateway must initiate the tunnels. If your VPN connection experiences a period of idle time (usually
10 seconds, depending on your configuration), the tunnel may go down. This is because
AWS uses an on-demand DPD mechanism. If AWS receives no traffic from a VPN peer for
10 seconds, AWS sends a DPD “R-U-THERE” message. If the VPN peer does not respond
to three successive DPDs, the VPN peer is considered dead and AWS closes the tunnel. [pp. 100, 101]
-
At the non-AWS end of a VPN connection, the VPN is terminated on a customer gateway.
A customer gateway is the AWS term for the VPN termination device at the customer’s onpremises end. A customer gateway can also be hosted in AWS as an EC2 instance running
VPN software that meets the requirements given in the next section.
Most customers don’t require the purchase of an additional device and can reuse an
existing on-premises VPN termination device to create a tunnel to a VPC. [p. 110]
-
You can use any third-party VPN device that supports Layer 3 VPN technologies. AWS
does not support Layer 2 VPN technologies.
IPsec is used for the VGW at the AWS end of VPN termination, and so the IPsec protocol must be supported by your VPN device. You will set up two VPN tunnels per VGW.
Support for BGP routing protocol is optional but recommended for advanced routing capabilities. Other routing protocols like Open Shortest Path First (OSPF) are not supported by
AWS. You must ensure that you have opened the right ports in your on-premises firewall
for the IPsec traffic to flow. [p. 111]
That is in particular: both ends of the VPN connection must possess a public IP address!
如果您还没有,我真的建议您跳过这些页面,以了解最佳实践和 AWS 在(混合)云架构方面的思维方式。如果事情没有按照您想要的方式进行,您可以避免事后感到困惑。 IPSec(即第 3 层)VPN 比大多数人想象的要难。人们应该了解所有与路由和安全相关的内容,例如:IKE、SAs、基于策略的路由、NAT-Traversal、ISAKMP 等。 97:VPN 功能 -> 安全和路由部分]。
另一个很好的参考是 AWS Site-to-Site VPN 指南 (PDF)。 [2]
同样值得一提的是:许多 terraform 属性也可以在 AWS CloudFormation 文档中找到。 AWS::EC2::CustomerGateway 资源的 IpAddress 属性状态 [3]:
的文档
The Internet-routable IP address for the customer gateway's outside interface. The address must be static.
[1] https://www.programmer-books.com/wp-content/uploads/2019/04/AWS-Certified-Advanced-Networking-Official-Study-Guide.pdf
[2] https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf
[3] https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html#cfn-ec2-customergateway-ipaddress
我正在尝试构建 AWS terraform IPSec VPN 配置。但是,我不记得在哪里可以找到 AWS IPSec IP 地址; terraform cgw documentation 表示 ip_address 字段是必需的。
答案应该假定 VPN 将附加到我的 AWS Transit Gateway。
我的地形:
resource "aws_customer_gateway" "cgw-abbv-for-local-and-remote" {
bgp_asn = 65001
ip_address = "A.B.C.D" #<-- I need this IP before terraform apply
type = "ipsec.1"
tags = {
Name = "insert-cgw-name-here"
}
}
resource "aws_vpn_connection" "vpn-abbv-for-local-and-remote" {
customer_gateway_id = aws_customer_gateway.cgw-abbv-for-local-and-remote.id
transit_gateway_id = aws_ec2_transit_gateway.my-tgw-name.id
type = aws_customer_gateway.cgw-abbv-for-local-and-remote.type
tags = {
Name = "insert-vpn-name-here"
}
}
terraform 的文档中不是很清楚,但是我在网上找到了一个例子,说明了这个问题。
简而言之,aws_customer_gateway 配置在 IPSec 隧道的 AWS 端 而不是 ...这些资源相对于 AWS 是“远程”的:
所以在这种情况下,ip_address 将是 AWS IPSec 数据包的目标 IP 地址 离开 AWS Transit Gateway; aws_customer_gateway ip_address 不属于 AWS。
客户网关的 ip_address 是位于客户数据中心内部的物理 appliance/router 的 IP。您需要此 ip_address 来建立 VPN 连接。当您在 terraform 中迷路时,AWS docs 也会提供帮助。
看来 OP 已经找到了答案,但让我补充两分钱,因为两年前我花了很多时间来解决 AWS VPN 问题,以便通过 AWS Advanced Networking 证书。这可能对 VPN 新手很有用 - 特别是在 AWS 生态系统中:
有一本很棒的书叫做 AWS Certified Advanced Networking Official Study Guide,我推荐所有担任云网络工程师角色的人阅读。 [1]
指出以下几点:
-
After you create a VPN connection, the VPN tunnel activates when traffic is generated from your side of the VPN connection. The VGW is not the initiator; your customer gateway must initiate the tunnels. If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down. This is because AWS uses an on-demand DPD mechanism. If AWS receives no traffic from a VPN peer for 10 seconds, AWS sends a DPD “R-U-THERE” message. If the VPN peer does not respond to three successive DPDs, the VPN peer is considered dead and AWS closes the tunnel. [pp. 100, 101]
-
At the non-AWS end of a VPN connection, the VPN is terminated on a customer gateway. A customer gateway is the AWS term for the VPN termination device at the customer’s onpremises end. A customer gateway can also be hosted in AWS as an EC2 instance running VPN software that meets the requirements given in the next section. Most customers don’t require the purchase of an additional device and can reuse an existing on-premises VPN termination device to create a tunnel to a VPC. [p. 110]
-
You can use any third-party VPN device that supports Layer 3 VPN technologies. AWS does not support Layer 2 VPN technologies. IPsec is used for the VGW at the AWS end of VPN termination, and so the IPsec protocol must be supported by your VPN device. You will set up two VPN tunnels per VGW. Support for BGP routing protocol is optional but recommended for advanced routing capabilities. Other routing protocols like Open Shortest Path First (OSPF) are not supported by AWS. You must ensure that you have opened the right ports in your on-premises firewall for the IPsec traffic to flow. [p. 111]
That is in particular: both ends of the VPN connection must possess a public IP address!
如果您还没有,我真的建议您跳过这些页面,以了解最佳实践和 AWS 在(混合)云架构方面的思维方式。如果事情没有按照您想要的方式进行,您可以避免事后感到困惑。 IPSec(即第 3 层)VPN 比大多数人想象的要难。人们应该了解所有与路由和安全相关的内容,例如:IKE、SAs、基于策略的路由、NAT-Traversal、ISAKMP 等。 97:VPN 功能 -> 安全和路由部分]。
另一个很好的参考是 AWS Site-to-Site VPN 指南 (PDF)。 [2]
同样值得一提的是:许多 terraform 属性也可以在 AWS CloudFormation 文档中找到。 AWS::EC2::CustomerGateway 资源的 IpAddress 属性状态 [3]:
的文档The Internet-routable IP address for the customer gateway's outside interface. The address must be static.
[1] https://www.programmer-books.com/wp-content/uploads/2019/04/AWS-Certified-Advanced-Networking-Official-Study-Guide.pdf
[2] https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf
[3] https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html#cfn-ec2-customergateway-ipaddress