[AWS Study Log #2] Building a remote-access environment with Client VPN
Overview
I learned how to access resources inside a VPC from a remote environment over a software VPN connection.
CloudFormation
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  #======================
  # VPC
  #======================
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 198.19.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
  #======================
  # Subnet
  #======================
  Subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      VpcId: !Ref VPC
      CidrBlock: 198.19.1.0/24
  Subnet255:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      VpcId: !Ref VPC
      CidrBlock: 198.19.255.0/24
  #======================
  # RouteTable
  #======================
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  #======================
  # SubnetRouteTableAssociation
  #======================
  Subnet1Assoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet1
      RouteTableId: !Ref PrivateRouteTable
  Subnet255Assoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet255
      RouteTableId: !Ref PrivateRouteTable
  #======================
  # Instance
  #======================
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: ap-northeast-1a
      ImageId: ami-0b5c74e235ed808b9
      InstanceType: t2.micro
      NetworkInterfaces:
        - DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet:
            - !Ref SecurityGroup
          SubnetId: !Ref Subnet1
  #======================
  # SecurityGroup
  #======================
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: SecurityGroup
      GroupDescription: SecurityGroup
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: ICMP
          FromPort: -1
          ToPort: -1
          CidrIp: 198.19.0.0/16
  #======================
  # ClientVpnEndpoint
  #======================
  ClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      AuthenticationOptions:
        - MutualAuthentication:
            ClientRootCertificateChainArn: # ARN of the client certificate
          Type: certificate-authentication
      ClientCidrBlock: 100.64.0.0/22
      ConnectionLogOptions:
        CloudwatchLogGroup: !Ref LogGroup
        CloudwatchLogStream: !Ref LogStream
        Enabled: true
      ServerCertificateArn: # ARN of the server certificate
      SplitTunnel: true
      TransportProtocol: tcp
      VpcId: !Ref VPC
  #======================
  # ClientVpnTargetNetworkAssociation
  #======================
  ClientVpnTargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      SubnetId: !Ref Subnet255
  #======================
  # ClientVpnAuthorizationRule
  #======================
  ClientVpnAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      AuthorizeAllGroups: true
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      TargetNetworkCidr: 0.0.0.0/0
  #======================
  # LogGroup
  #======================
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/cvpn
  #======================
  # LogStream
  #======================
  LogStream:
    Type: AWS::Logs::LogStream
    Properties:
      LogGroupName: !Ref LogGroup
      LogStreamName: connection-log
```
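As an added example (not code from the original article or from AWS), a small Python audit of the endpoint settings above: it mirrors the template's ClientVpnEndpoint properties and authorization rule as a constructed dictionary (the certificate ARN is a placeholder) and flags what a reviewer would check: client CIDR size and overlap with the VPC CIDR, connection logging, a client root certificate chain for mutual authentication, and an authorization rule that opens 0.0.0.0/0 to all groups.

```python
"""Constructed audit of a Client VPN endpoint definition; not the article's own code."""
import ipaddress

# Constructed Python rendering of the template's ClientVpnEndpoint properties.
ENDPOINT = {
    "AuthenticationOptions": [
        {"Type": "certificate-authentication",
         "MutualAuthentication": {"ClientRootCertificateChainArn": "arn:aws:acm:PLACEHOLDER"}},
    ],
    "ClientCidrBlock": "100.64.0.0/22",
    "ConnectionLogOptions": {"Enabled": True, "CloudwatchLogGroup": "/aws/cvpn"},
    "SplitTunnel": True,
}
VPC_CIDR = "198.19.0.0/16"
AUTH_RULES = [{"TargetNetworkCidr": "0.0.0.0/0", "AuthorizeAllGroups": True}]


def audit_client_vpn(endpoint, vpc_cidr, auth_rules):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    client = ipaddress.ip_network(endpoint["ClientCidrBlock"])
    vpc = ipaddress.ip_network(vpc_cidr)
    # AWS requires the client address pool to be between /12 and /22.
    if not 12 <= client.prefixlen <= 22:
        findings.append(f"ClientCidrBlock {client} must be between /12 and /22")
    # The client pool must not overlap the VPC, or return traffic has no route back.
    if client.overlaps(vpc):
        findings.append(f"ClientCidrBlock {client} overlaps VPC CIDR {vpc}")
    # Without connection logging there is no record of who connected and when.
    if not endpoint.get("ConnectionLogOptions", {}).get("Enabled"):
        findings.append("connection logging is disabled; no audit trail of sessions")
    # Mutual authentication is only enforced if a client root CA chain is configured.
    for opt in endpoint.get("AuthenticationOptions", []):
        if opt.get("Type") == "certificate-authentication":
            chain = opt.get("MutualAuthentication", {}).get("ClientRootCertificateChainArn")
            if not chain:
                findings.append("mutual auth enabled but no ClientRootCertificateChainArn")
    # An authorization rule for 0.0.0.0/0 to all groups grants every authenticated
    # client every destination the endpoint routes to; least privilege scopes it down.
    for rule in auth_rules:
        target = ipaddress.ip_network(rule["TargetNetworkCidr"])
        if rule.get("AuthorizeAllGroups") and target.prefixlen == 0:
            findings.append("authorization rule grants all groups access to 0.0.0.0/0; "
                            f"scope it to {vpc} or narrower")
    return findings


if __name__ == "__main__":
    for finding in audit_client_vpn(ENDPOINT, VPC_CIDR, AUTH_RULES):
        print("FINDING:", finding)
```

Run against the article's template, the only finding is the over-broad authorization rule; with split tunnel and only the VPC route pushed, its practical reach is the VPC, but scoping it to the VPC CIDR keeps that true if routes are later added.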