From VPN to Docker: Securely Connecting AWS Private Instances


Requirements
VPC (Virtual Private Cloud): VPC is a virtual network dedicated to your AWS account. It enables you to launch AWS resources (like EC2 instances) into a virtual network that you define. It provides control over the virtual networking environment, including IP address ranges, subnets, routing tables, and security settings.
Follow this link below to create VPC:
VPC Creation
EC2 (Elastic Compute Cloud): EC2 is a web service that provides resizable compute capacity in the cloud. It allows users to rent virtual servers (known as instances) and run applications on them, offering scalability and flexibility based on computing needs.
Steps To Follow
Open VPN Instance (Public Instance)
To set up a VPC, open the “AWS Console”, navigate to VPC, and select “Create VPC and more”.
For more detailed step-by-step VPC creation, follow the link below:
Now go to “EC2” instances and launch OpenVPN as described below; remember to choose a public subnet for the OpenVPN instance.
- Click on AMI, search for “openvpn” and select the first result (OpenVPN Access Server), which comes with access for two users, i.e. two users can be connected at the same time.
- Provide a name for the instance.
- Create a key pair for the instance.
- In the network settings, select the custom VPC created earlier (it has a public and a private subnet) and choose the public subnet. Create a security group that opens ports 1194, 943, 945 and 22 (and any others you need).
- Allocate storage, for example 8 GB of gp3 storage.
After the OpenVPN instance has launched, it is time to configure it.
SSH into the instance.
- Use the username openvpnas to SSH into the instance.
- Now run the OpenVPN initial configuration, following the steps below.
Now copy and save the OpenVPN credentials shown in the above image. Open a browser and go to https://<openvpn_ip>:943/admin to open the admin UI.
https://<openvpn_ip>:943 is the client UI.
After logging in with the admin UI credentials, click Agree; you are then in the admin panel.
Create a new user in OpenVPN from the admin UI:
- From the left menu, click User Management and create a new user.
- After creating the user, click Update Running Server.
- Now use the client UI to download the .ovpn file.
https://<openvpn_ip>:943 is the client UI.
Download OpenVPN Connect for your operating system, then download your profile.
- Next, import the downloaded profile into the OpenVPN client.
Private Instance (Ubuntu)
- Once the OpenVPN instance is running, launch a demo private server as described below, and remember to choose a private subnet for private-docker-instance.
- Choose an instance type such as t2.micro.
- Create a new key pair for the instance.
- Select the custom VPC, the private subnet, and create a new security group.
- Allocate storage to the instance, for example 10 GB of gp3 storage.
- After the instance has launched, it is time to SSH into the private instance.
- At this point SSH to the instance does not work, because there is no connectivity between the OpenVPN instance and the Docker instance.
NOTE:-
First, go to the OpenVPN instance’s security group and copy its security group ID. Then go to the private Docker instance, open its security group, click Edit inbound rules, add a rule for port 22 and paste the OpenVPN security group ID as the source.
Now, while connected to the VPN, try SSH to the Docker instance again.
For the username, type: ubuntu
- Update the instance and install Docker.
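The two security-group steps above (opening 1194/943/945/22 on the public OpenVPN instance, and allowing port 22 on the private instance only from the OpenVPN security group) are the part of this setup that actually keeps the private instance off the internet, so they are worth checking rather than trusting. The following is an added example, not code from the original post: it builds the ingress rules in the shape the EC2 API expects and audits a security group (in `describe-security-groups` output shape) to confirm that SSH is reachable only from the VPN security group. All security group IDs and the sample responses are constructed placeholders; the optional `apply_with_boto3` helper assumes boto3 is installed and credentials are configured, and it is not called by the example itself.

```python
"""Security-group helpers for the OpenVPN -> private instance setup.

Added example, not code from the original post. Group ids, CIDRs and the
describe-security-groups samples below are constructed placeholders.
"""
import ipaddress

# Ports the post opens on the public OpenVPN Access Server instance.
VPN_SG_PORTS = [
    ("udp", 1194),  # OpenVPN tunnel
    ("tcp", 943),   # admin and client web UI
    ("tcp", 945),   # additional Access Server port opened in the post
    ("tcp", 22),    # SSH to the VPN host itself
]


def vpn_sg_permissions(source_cidr="0.0.0.0/0"):
    """Ingress rules for the OpenVPN instance's security group.

    The post opens the ports to the internet; passing a narrower CIDR
    (for example your office range) tightens 22 and the admin UI.
    """
    ipaddress.ip_network(source_cidr)  # raises ValueError on a malformed CIDR
    return [
        {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": source_cidr, "Description": "OpenVPN"}]}
        for proto, port in VPN_SG_PORTS
    ]


def private_ssh_permission(vpn_sg_id):
    """Port 22 on the private instance, sourced from the VPN security group
    (a group reference, not a CIDR). This is the rule the NOTE above adds."""
    if not vpn_sg_id.startswith("sg-"):
        raise ValueError("expected a security group id such as sg-0123456789abcdef0")
    return {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "UserIdGroupPairs": [{"GroupId": vpn_sg_id, "Description": "SSH via OpenVPN"}],
    }


def audit_private_sg(sg, vpn_sg_id):
    """Audit one SecurityGroup dict (describe-security-groups shape).

    Returns a list of findings. An empty list means TCP/22 is reachable only
    from vpn_sg_id: no CIDR sources and no other group references.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        covers_ssh = proto == "-1" or (proto == "tcp" and lo <= 22 <= hi)
        if not covers_ssh:
            continue
        for rng in perm.get("IpRanges", []):
            findings.append(f"port 22 open to CIDR {rng['CidrIp']}")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"port 22 open to CIDR {rng['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != vpn_sg_id:
                findings.append(f"port 22 open to other security group {pair.get('GroupId')}")
    return findings


def apply_with_boto3(private_sg_id, vpn_sg_id):
    """Apply the VPN-only SSH rule with boto3 (assumed installed/configured)."""
    import boto3  # imported here so the rest of the module works without it
    ec2 = boto3.client("ec2")
    return ec2.authorize_security_group_ingress(
        GroupId=private_sg_id, IpPermissions=[private_ssh_permission(vpn_sg_id)])


# Constructed samples in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_BEFORE = {  # the mistake to avoid: SSH open to the whole internet
    "GroupId": "sg-private-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
SAMPLE_AFTER = {  # what the NOTE above produces
    "GroupId": "sg-private-placeholder",
    "IpPermissions": [private_ssh_permission("sg-vpn-placeholder")],
}

if __name__ == "__main__":
    print(audit_private_sg(SAMPLE_BEFORE, "sg-vpn-placeholder"))  # one finding
    print(audit_private_sg(SAMPLE_AFTER, "sg-vpn-placeholder"))   # []
```

Run it as-is to see the audit flag the open-to-the-world rule and pass the VPN-sourced one; to audit a real group, feed `audit_private_sg` one element of the `SecurityGroups` list returned by `describe-security-groups` together with the OpenVPN group's ID.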
Conclusion:
In this blog, we walked through the step-by-step process of setting up a secure environment. First, we launched an OpenVPN instance from the AWS Marketplace, configured it, and created a user to connect through the OpenVPN client. Next, we created a private instance and installed Docker on it. Initially, we couldn’t connect to the private instance directly because it was only meant to be accessed through the VPN. To fix this, we attached the OpenVPN security group to the private instance and allowed port 22 access only from the VPN’s security group. After that, we were able to successfully SSH into the private instance through the VPN.
This setup ensures that your private workloads remain secure and are only accessible through the VPN, rather than being exposed directly to the internet.
In an upcoming blog we will see how to pull or push Docker images from a private ECR without using a NAT gateway or internet access.
Follow for many such contents:
LinkedIn: linkedin.com/in/dushyant-kumar-dk
Blog: dashboard-blog-link
