Connectivité Amazon VPC
Le but est de relier un réseau local à un VPC Amazon (Virtual Private Cloud). Pour cela, Amazon propose la création de deux tunnels routés entre le firewall local et le Cloud Amazon et de router ce trafic via BGP.
Configuration Amazon
Suivez les étapes suivantes :
- Créez un VPC Amazon,
- Créez un sous réseau dans ce VPC,
- Configurez le routage dans ce VPC,
- Créez une connexion VPN dynamique vers l'UTM via l’objet Amazon Virtual Private Gateway,
- Créez les ACLs pour autoriser le trafic local vers le serveur Web,
- Routage : activez la propagation des routes à la table de routage du VPC.
Extrait de l'aide de configuration fournie par Amazon lors de la configuration du service :
|
The Customer Gateway inside IP address should be configured on your tunnel interface. |
|
|
Outside IP Addresses: |
|
| - Customer Gateway | : IP publique Firewall/Gateway |
| - Virtual Private Gateway | : IPAmazon-1 |
| Inside IP Addresses | |
| - Customer Gateway | : 169.254.254.66/30 |
| - Virtual Private Gateway | : 169.254.254.65/30 |
| Configure your tunnel to fragment at the optimal size: | |
| - Tunnel interface MTU | : 1436 bytes |
| #4: Border Gateway Protocol (BGP) Configuration: | |
| The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside IP addresses, to exchange routes from the VPC to your home network. Each BGP router has an Autonomous System Number (ASN). Your ASN was provided to AWS when the Customer Gateway was created. | |
| BGP Configuration Options: | |
| - Customer Gateway ASN | : 65000 |
| - Virtual Private Gateway ASN |
: 9059 |
| - Neighbor IP Address |
: 169.254.254.65 |
| - Neighbor Hold Time |
: 30 |
| Configure BGP to announce routes to the Virtual Private Gateway. The gateway will announce prefixes to your customer gateway based upon the prefix you assigned to the VPC at creation time. | |
Configuration des tunnels
Dans le module Configuration > Réseau > Interface virtuelles, l’onglet Interfaces IPsec vous permet de définir les interfaces concernées :
Dans le module Configuration > VPN > VPN IPsec, onglet Site à site (gateway-gateway), vous pouvez définir les tunnels ci-dessous, à l’aide des objets suivants :
| Site_Amazon_vpn_gw1 | IPAmazon-1 | |
| Site_Amazon_vpn_gw2 | IPAmazon-2 | |
| Amazon_vpn_remote1 | 169.254.254.65 | |
| Amazon_vpn_remote2 | 169.254.254.69 |
Configuration BGP
On choisit d'exporter uniquement le réseau 10.0.1.0/24
|
filter filter_net_in { |
|
| if(net = 10.0.1.0/24) then { | |
| accept; | |
| } | |
| else reject; | |
|
} |
|
| protocol bgp router1 { | |
| local as 65000; | |
| neighbor 169.254.254.65 as 9059; | |
| hold time 30; | |
| multihop; | |
| import all; | |
| export filter filter_net_in; | |
| source address 169.254.254.66; | |
| } | |
| protocol bgp router2 { | |
| local as 65000; | |
| neighbor 169.254.254.69 as 9059; | |
| hold time 30; | |
| multihop; | |
| import all; | |
| export filter filter_net_in; | |
| source address 169.254.254.70; | |
| } |