Configuring your computer to use this VPN

We will provide the instructions to configure Windows 10 and macOS to connect to the VPN:

On Windows 10, follow these steps:

  1. From the Windows 10 Start Menu, type the word VPN, then click on Change virtual private networks (VPN).
  2. On the next menu, click on Add a VPN connection.
  3. This will open a new window to configure your connection. Select Windows (built-in) as your VPN provider, give your VPN a connection name such as EffectiveDevOps, provide the IP address of your VPN as your server name (you can get it from the aws describe-stacks command as shown in the previous section), select L2TP/IPsec with pre-shared key as the VPN type, and give the instance-id value as the pre-shared key. Finally, click Save.
  4. Once you are back on the previous menu, click on Connect. The first time you connect to your VPN, you will need to provide a username and password. The username is vpn and the password is the instance ID. Once you have provided that information, you will be able to SSH into instances on the private subnet.

On macOS, take the following steps:

  1. Open the system preferences of your Mac and select Network.
  2. Click on the plus icon to create a new entry; a new menu should pop up.
  3. Select the VPN interface, the L2TP over IPSec VPN Type, and provide a name for your VPN connection entry.
  4. By looking at the output of the aws describe-stacks command as shown in the previous section, you will be able to find the server address and account name. Provide that information, then click on Authentication Settings.
  5. In this next menu, provide the password and shared secret (also provided in the aws describe-stacks command output) and click on OK.
  6. Finally, click on Advanced at the bottom of the Network menu and select Send all traffic over VPN connection.
  7. Once done, click on Connect. You will be able to SSH into the hosts in the private subnets.

Isolating staging from production
We saw in a previous tip, in the IAM users section, that we can break out environments using different AWS accounts, which solves the most advanced user-permission issues you may encounter. If you don't need this kind of granularity in your user-permission management but still wish to prevent services in your staging environment from accidentally hitting resources in your production environment, you can rely on VPCs to solve that problem. Now that we can easily create VPCs, we can isolate the different environments present in our account. For instance, we can keep the VPC 10.10.0.0/16 we just created for staging and add a new VPC on 10.20.0.0/16 for production. Thanks to the nature of VPCs, these environments will not be able to reach one another directly.
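The isolation described above only holds as long as the two VPCs keep non-overlapping CIDRs and nobody later peers them together. As an added check (not part of the book's own code), the following Python script reads records in the shape of aws ec2 describe-vpcs and aws ec2 describe-vpc-peering-connections output and reports either condition; the VPC IDs, Name tags and peering record are constructed sample values, and identifying VPCs by their Name tag is an assumption.

```python
import ipaddress

# Constructed sample records in the shape returned by `aws ec2 describe-vpcs`
# and `aws ec2 describe-vpc-peering-connections` (not real account output).
VPCS = [
    {"VpcId": "vpc-staging0001", "CidrBlock": "10.10.0.0/16",
     "Tags": [{"Key": "Name", "Value": "staging"}]},
    {"VpcId": "vpc-prod000001", "CidrBlock": "10.20.0.0/16",
     "Tags": [{"Key": "Name", "Value": "production"}]},
]
PEERINGS = [
    # A peering connection like this one would quietly rejoin the two environments.
    {"Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-staging0001"},
     "AccepterVpcInfo": {"VpcId": "vpc-prod000001"}},
]


def vpc_by_name(vpcs, name):
    """Return the VPC whose Name tag equals `name`, or None (assumed convention)."""
    for vpc in vpcs:
        tags = {t["Key"]: t["Value"] for t in vpc.get("Tags", [])}
        if tags.get("Name") == name:
            return vpc
    return None


def isolation_findings(vpcs, peerings, a="staging", b="production"):
    """List the reasons why VPC `a` and VPC `b` are not isolated from each other.

    An empty list means the CIDRs do not overlap and no live peering connection
    joins the two VPCs. Transit gateways and shared VPN routing are out of scope.
    """
    findings = []
    vpc_a, vpc_b = vpc_by_name(vpcs, a), vpc_by_name(vpcs, b)
    if vpc_a is None or vpc_b is None:
        return [f"missing VPC: {a if vpc_a is None else b}"]
    net_a = ipaddress.ip_network(vpc_a["CidrBlock"])
    net_b = ipaddress.ip_network(vpc_b["CidrBlock"])
    if net_a.overlaps(net_b):  # overlapping ranges make any later routing ambiguous
        findings.append(f"CIDR overlap: {net_a} and {net_b}")
    ids = {vpc_a["VpcId"], vpc_b["VpcId"]}
    for pcx in peerings:
        if pcx["Status"]["Code"] in ("deleted", "rejected", "failed", "expired"):
            continue  # torn-down or refused peerings carry no traffic
        pair = {pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]}
        if pair == ids:
            findings.append(f"peering between {a} and {b}: {pcx['Status']['Code']}")
    return findings


if __name__ == "__main__":
    print(isolation_findings(VPCS, PEERINGS))
```

Feed it the real JSON from the two describe commands to run the same check against an account.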

In the last section of the chapter, we will talk about some services and strategies to avoid being hit with a successful targeted attack.
