Use AWS Client VPN to access workloads running on VMware Cloud on AWS

8 minute read
Content level: Intermediate

This post is focussed on how to access workloads running on VMware Cloud on AWS directly from an end-user computer, using AWS Client VPN.

Introduction

Some customers already use a third-party client VPN service to access VMs running in their on-premises VMware vSphere environment. After migrating those vSphere workloads to VMware Cloud on AWS, they can use AWS Client VPN to access the VMs running in the VMware Cloud on AWS Software-Defined Data Center (SDDC) directly from their computer.

Pre-requisites

  • One VMware Cloud on AWS SDDC.
  • AWS Direct Connect or Internet connectivity between on-premises and the VMware Cloud on AWS SDDC.
  • Download AWS Client VPN software from the AWS download page.
  • A text editor.

Lab Overview

The demo lab setup is as follows. We already have a VMware Cloud on AWS SDDC running, and we will deploy AWS Client VPN in the VPC attached to the SDDC. We will then download and install the Client VPN software on the end-user machine from which we will connect to the workloads.

Scenario

We have already deployed a VMware Cloud on AWS SDDC with some workloads running on it. Let’s take a look at a Microsoft Windows workload to which we will attempt to connect from our computer.

  1. Open a web browser, navigate to vmc.vmware.com and log in with your credentials.
  2. Click on the SDDC name and click on Open vCenter to open the vCenter window.
  3. The workload we will try to connect to is winvm001, with IP address 192.168.150.3.

  4. Let’s try to ping this IP address from our computer.

  5. As we can see, the Windows VM running in the VMware Cloud on AWS SDDC is currently not reachable from our computer.
  6. Let’s now set up AWS Client VPN.

Setup

For this example, I’ll walk through the configuration, covering the following aspects:

  1. Configure Compute Gateway firewall rules on the VMware Cloud on AWS SDDC to allow traffic from the attached VPC to the workloads running on VMware Cloud on AWS.
  2. Generate server and client certificates and keys.
  3. Upload the server and client certificates and keys to AWS Certificate Manager.
  4. Create an AWS Client VPN endpoint in the VPC attached to the VMware Cloud on AWS SDDC.
  5. Associate the newly created VPN endpoint with the target network.
  6. Update the route table, authorization rules and security group for the VPN endpoint.
  7. Download the client configuration file and modify it to include the client certificate and key.
  8. Use the client configuration file to add a profile, connect to the VPN and test connectivity.

Step 1: Configure Compute Gateway firewall rules

  1. Open a browser, navigate to vmc.vmware.com and log in with your VMware Cloud credentials.
  2. Open NSX Manager and, under the Security tab, navigate to Gateway Firewall for the Compute Gateway.
  3. Add an inbound and an outbound firewall rule, applied to the VPC interface, allowing traffic from the attached VPC to the workloads.
  4. The workloads that need to be reachable from the Client VPN are added to the Workload VMs group, which the rules reference.

Step 2: Generate the Server and Client certificates and keys.

We will use mutual authentication for the client VPN connection. With mutual authentication, Client VPN uses certificates to perform authentication between clients and the Client VPN endpoint. We will need to have a server certificate and key, and at least one client certificate and key.

  1. Refer to the AWS documentation page on mutual authentication to generate the server and client certificates and keys.
  2. Once generated on our computer, there should be a certificate and a key each for the server and the client, plus the certificate of the certificate authority (ca.crt) that issued them.

Step 3: Upload the server and client certificates and keys to AWS Certificate Manager

  1. Open a terminal window and point the AWS CLI at the appropriate AWS Region using the aws configure command.
  2. Run the following command to upload the server certificate and key to AWS Certificate Manager (the CA certificate is supplied as the chain):
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
  3. Run the following command to upload the client certificate and key to AWS Certificate Manager:
aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt

  4. Open the AWS console, ensure that the correct AWS Region is selected, then navigate to AWS Certificate Manager.
  5. Click on List certificates; it should list all the certificates that were uploaded.

Step 4: Deploy an AWS Client VPN endpoint in the attached VPC

  1. Open the AWS Console.
  2. Ensure the correct AWS Region is selected and then navigate to the VPC service.
  3. Select Client VPN endpoints under Virtual private network (VPN) and click on Create client VPN endpoint.
  4. Fill in the details. The Client IPv4 CIDR (the address pool handed to VPN clients) must not overlap the target network CIDR.
  5. Select the server and client certificates and check the box for “Use mutual authentication”.
  6. Enable Split-tunnel, select the correct VPC and security group, and click on Create client VPN endpoint.

Enter image description here

Step 5: Associate the VPN endpoint with target network

  1. Once the Client VPN endpoint is created, click on the Client VPN endpoint ID.
  2. Click on Associate target network and select the appropriate VPC and subnet to associate with the endpoint.

  3. The endpoint should now show as associated with the target network.

Step 6: Update the route table, authorization rules and security group.

  1. Click on Route table and add routes to the VMware Cloud on AWS subnet and internet (if preferred).

  2. Click on Authorization rules and add authorization rules with the VMware SDDC subnet (and the internet, if routed) as the destination CIDR.
  3. Finally, allow outbound internet access at the security group level if desired.
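Steps 4 to 6 above, done through the API instead of the console, as an added Python example (not code from the original post). It uses the boto3 EC2 client; the VPC, subnet, security group and certificate ARNs are constructed placeholders, and the 192.168.150.0/24 SDDC subnet is an assumption based on winvm001’s address. Before creating the endpoint it checks the Client IPv4 CIDR against AWS’s constraints (a /12 to /22 block that must not overlap the VPC or the routed SDDC subnet), and it turns on CloudWatch connection logging, which the console walkthrough leaves disabled. The recorder class lets the same function run as a dry run without AWS credentials.

```python
"""Steps 4 to 6 (endpoint, target network, route, authorization rule) as code.

Added example, not from the original post. Uses the boto3 EC2 API; every
ARN, ID and CIDR shown is a constructed placeholder. The `ec2` client is
injected so the same function runs against boto3 or the recorder below.
"""
import ipaddress


def check_client_cidr(client_cidr, *reserved_cidrs):
    """Validate the Client IPv4 CIDR before creating the endpoint.

    AWS requires the client pool to be between /12 and /22, and it must not
    overlap the VPC CIDR or any prefix routed through the tunnel (here the
    SDDC workload subnet). Returns the parsed network.
    """
    pool = ipaddress.ip_network(client_cidr, strict=True)
    if not 12 <= pool.prefixlen <= 22:
        raise ValueError(f"client CIDR {client_cidr} must be between /12 and /22")
    for cidr in reserved_cidrs:
        if pool.overlaps(ipaddress.ip_network(cidr, strict=True)):
            raise ValueError(f"client CIDR {client_cidr} overlaps {cidr}")
    return pool


def provision_client_vpn(ec2, *, vpc_id, subnet_id, vpc_cidr, sddc_cidr,
                         client_cidr, server_cert_arn, client_root_chain_arn,
                         security_group_id, log_group=None, allow_internet=False):
    """Create a split-tunnel, mutual-auth Client VPN endpoint and wire it up."""
    check_client_cidr(client_cidr, vpc_cidr, sddc_cidr)

    # Connection logging is the detection hook: keep it on outside a lab.
    log_options = {"Enabled": False}
    if log_group:
        log_options = {"Enabled": True, "CloudwatchLogGroup": log_group}

    created = ec2.create_client_vpn_endpoint(
        ClientCidrBlock=client_cidr,
        ServerCertificateArn=server_cert_arn,
        AuthenticationOptions=[{
            "Type": "certificate-authentication",
            "MutualAuthentication": {"ClientRootCertificateChainArn": client_root_chain_arn},
        }],
        ConnectionLogOptions=log_options,
        SplitTunnel=True,  # only routed prefixes go through the tunnel
        VpcId=vpc_id,
        SecurityGroupIds=[security_group_id],
    )
    endpoint_id = created["ClientVpnEndpointId"]

    # Step 5: associate the endpoint with the attached VPC subnet.
    ec2.associate_client_vpn_target_network(ClientVpnEndpointId=endpoint_id, SubnetId=subnet_id)

    # Step 6: route each destination via that subnet, then authorize it.
    destinations = [sddc_cidr] + (["0.0.0.0/0"] if allow_internet else [])
    for cidr in destinations:
        ec2.create_client_vpn_route(ClientVpnEndpointId=endpoint_id,
                                    DestinationCidrBlock=cidr,
                                    TargetVpcSubnetId=subnet_id)
        ec2.authorize_client_vpn_ingress(ClientVpnEndpointId=endpoint_id,
                                         TargetNetworkCidr=cidr,
                                         AuthorizeAllGroups=True)
    return endpoint_id


class RecordingEc2:
    """Stand-in for boto3's EC2 client: records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**params):
            self.calls.append((name, params))
            # Only the create call returns something the caller depends on.
            if name == "create_client_vpn_endpoint":
                return {"ClientVpnEndpointId": "cvpn-endpoint-0example"}
            return {}
        return call


def demo_plan():
    """Dry run with the recorder; returns (endpoint id, ordered API call names)."""
    ec2 = RecordingEc2()
    endpoint_id = provision_client_vpn(
        ec2,
        vpc_id="vpc-0example",
        subnet_id="subnet-0example",
        vpc_cidr="172.16.0.0/16",      # attached VPC (constructed)
        sddc_cidr="192.168.150.0/24",  # SDDC workload subnet (assumed from winvm001)
        client_cidr="10.200.0.0/22",
        server_cert_arn="arn:aws:acm:REGION:ACCOUNT:certificate/SERVER-CERT-ID",
        client_root_chain_arn="arn:aws:acm:REGION:ACCOUNT:certificate/CLIENT-CERT-ID",
        security_group_id="sg-0example",
        log_group="/aws/clientvpn/sddc-lab",
    )
    return endpoint_id, [name for name, _ in ec2.calls]


if __name__ == "__main__":
    # Replace RecordingEc2() with boto3.client("ec2", region_name="...") to apply for real.
    print(demo_plan())
```

Run it as-is to see the call sequence the console performs for you; the only change needed for a real run is passing a boto3 client in place of the recorder. Because the SDDC subnet is authorized with AuthorizeAllGroups, every client holding a valid certificate reaches it; the Compute Gateway firewall rule from Step 1 and the security group remain the place to narrow that down to the services you actually need.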

Step 7: Download the client configuration file and modify it to include the client certificate and key

  1. Log in to the AWS console, navigate to the VPC service and click on Client VPN endpoints.
  2. Select the Client VPN endpoint we created and click on Download client configuration towards the top right.
  3. It will download a file with the .ovpn extension.
  4. Modify the file to add a <cert> section and a <key> section (these are the inline-file tag names the OpenVPN-based client expects).
  5. Copy the contents of the client1.domain.tld.crt file (created in Step 2) and paste them into the <cert> section, then copy the contents of the client1.domain.tld.key file (created in Step 2) and paste them into the <key> section.
  6. The file should look like the one available here.
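The splice described in Step 7 as an added Python example (not code from the original post). It assumes the .ovpn file exported by the console and PEM files produced by easy-rsa, whose issued .crt files carry a human-readable dump before the PEM block; only the PEM block is embedded. The sections are emitted under the <cert> and <key> tags that the OpenVPN-based client reads, and the result is written owner-readable only, because the profile now holds the client’s private key. All sample inputs are constructed.

```python
"""Step 7 as code: embed the client certificate and key in the exported .ovpn.

Added example, not from the original post. Assumes the console's "Download
client configuration" output (plain OpenVPN syntax) and easy-rsa PEM files.
The sample inputs below are constructed, not real credentials.
"""
import os
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+?-----END \1-----")

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def extract_pem(text, allowed_labels):
    """Return the first PEM block whose label is allowed; reject anything else.

    easy-rsa writes a text dump of the certificate before the PEM block in
    issued .crt files; the dump is dropped and only the block is kept.
    """
    for m in PEM_BLOCK.finditer(text):
        if m.group(1) in allowed_labels:
            return m.group(0)
    raise ValueError(f"no PEM block with label in {sorted(allowed_labels)}")


def build_profile(ovpn_text, cert_text, key_text):
    """Append <cert> and <key> inline sections to the exported configuration."""
    if "<cert>" in ovpn_text or "<key>" in ovpn_text:
        raise ValueError("configuration already carries inline credentials")
    if not re.search(r"^remote\s+\S+", ovpn_text, re.MULTILINE):
        raise ValueError("not an exported Client VPN configuration (no 'remote' line)")
    cert = extract_pem(cert_text, CERT_LABELS)
    key = extract_pem(key_text, KEY_LABELS)
    sections = f"<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>\n"
    return ovpn_text.rstrip("\r\n") + "\n" + sections


def write_profile(path, profile):
    """Write the profile readable by the owner only: it now contains a private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(profile)
    return path


# Constructed stand-ins for the exported .ovpn and the easy-rsa output files.
SAMPLE_OVPN = """client
dev tun
proto udp
remote cvpn-endpoint-0example.prod.clientvpn.REGION.amazonaws.com 443
remote-random-hostname
nobind
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgQ0EgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
</ca>
"""
SAMPLE_CRT = """Certificate:
    Data:
        Subject: CN=client1.domain.tld
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgY2xpZW50IGNlcnQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
Q29uc3RydWN0ZWQga2V5IHBsYWNlaG9sZGVy
-----END PRIVATE KEY-----
"""


def demo_profile():
    """Build the profile from the constructed samples and return it."""
    return build_profile(SAMPLE_OVPN, SAMPLE_CRT, SAMPLE_KEY)


if __name__ == "__main__":
    # With real files: build_profile(open("client.ovpn").read(),
    #     open("client1.domain.tld.crt").read(), open("client1.domain.tld.key").read())
    print(write_profile("client1.domain.tld.ovpn", demo_profile()))
```

Each user should get their own client certificate rather than a shared one; AWS Client VPN accepts a client certificate revocation list for the endpoint, so an individual certificate can be revoked when a laptop is lost without reissuing everyone else’s profile.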

Step 8: Use the Client configuration file to Add a profile, connect to the VPN and test connectivity

  1. Open the AWS Client VPN software and navigate to File → Manage profiles
  2. Click on Add profile.

  3. Browse to and select the VPN configuration file saved in the previous step, provide a display name and click on Add profile.
  4. Click on Done.
  5. Click on Connect.
  6. You should now be connected to the VPN.

Let’s now try to ping the Windows VM (winvm001) running on VMware Cloud on AWS and test the connectivity.

As we can see, we are now able to ping the Windows VM running on VMware Cloud on AWS directly from our computer using AWS Client VPN. Since we have allowed the RDP and SSH services over the VPC interface in the Compute Gateway firewall rule, we will also be able to connect over RDP to the Windows VMs and establish SSH sessions to the Linux VMs running on VMware Cloud on AWS.

Conclusion

In this post, we have walked through the steps to configure AWS Client VPN to access workloads running on VMware Cloud on AWS directly from an end-user computer.

Author: AWS (EXPERT). Published 10 months ago. 1200 views.