Use AWS Client VPN to access workloads running on VMware Cloud on AWS
This post is focussed on how to access workloads running on VMware Cloud on AWS directly from an end-user computer, using AWS Client VPN.
Introduction
Some customers already use a third-party client VPN service to reach VMs running in their on-premises VMware vSphere environment. After migrating those vSphere workloads to VMware Cloud on AWS, they can use AWS Client VPN to reach the same VMs, now running in a VMware Cloud on AWS Software Defined Data Center (SDDC), directly from their computers.
Pre-requisites
- 1x VMware Cloud on AWS SDDC.
- AWS Direct Connect or Internet connectivity between on-premises and the VMware Cloud on AWS SDDC.
- Download AWS Client VPN software from the AWS download page.
- A text editor.
Lab Overview
The diagram above represents the demo lab setup. We already have a VMware Cloud on AWS SDDC running, and we will deploy an AWS Client VPN endpoint in the VPC attached to the SDDC (the connected VPC). We will then download and install the AWS Client VPN software on the end-user machine from which we will connect to the workloads.
Scenario
We have already deployed a VMware Cloud on AWS SDDC with some workloads running on it. Let’s take a look at a Microsoft Windows workload to which we will attempt to connect from our computer.
- Open a web browser and navigate to vmc.vmware.com and login with your credentials.
- Click on the SDDC name and click on Open vCenter to open the vCenter window.
- The workload we will try to connect to is winvm001, with the IP address 192.168.150.3.
- Let’s try to ping this IP address from our computer.
- As we can see, the Windows VM running in the VMware Cloud on AWS SDDC is currently not reachable from our computer.
- Let's now set up AWS Client VPN.
Setup
For this example, I’ll walk through the configurations covering the following aspects:
- Configure Compute Gateway firewall rules on the VMware Cloud on AWS SDDC to allow traffic from the connected VPC to the workloads running on VMware Cloud on AWS
- Generate server and client certificates and keys
- Upload the server and client certificates and keys to AWS Certificate Manager
- Create an AWS Client VPN endpoint in the VPC attached to the VMware Cloud on AWS SDDC
- Associate the newly created VPN endpoint with target network.
- Update the route table, authorization rules and security group for the VPN endpoint.
- Download the Client configuration file and modify the file to include the client certificate and key.
- Use the Client configuration file to Add a profile, connect to the VPN and test connectivity
Step 1: Configure Compute Gateway firewall rules
- Open a browser, navigate to vmc.vmware.com and log in with your VMware Cloud credentials.
- Open NSX Manager and, under the Security tab, navigate to Gateway Firewall and select the Compute Gateway.
- Add an inbound and an outbound firewall rule as shown below. Apply them to the VPC interface and scope them to the services you actually need (ICMP for the ping test in this post, plus RDP and SSH for the sessions later on) rather than Any. The source of the inbound rule is the connected VPC rather than the Client IPv4 CIDR: Client VPN source-NATs each client's traffic to the IP address of the endpoint's network interface in the associated subnet, so that subnet is what the Compute Gateway sees as the source.
- The workloads requiring access from the Client VPN are added to the Workload VMs group.
Step 2: Generate the server and client certificates and keys
We will use mutual authentication for the Client VPN connection. With mutual authentication, Client VPN uses certificates to authenticate clients and the Client VPN endpoint to each other. We need a server certificate and key, and at least one client certificate and key. The client certificate and its private key are the only credential a connecting user needs, so issue one client certificate per user rather than sharing client1, keep the CA private key off end-user machines, and revoke the certificates of lost devices or departed users by importing a certificate revocation list (CRL) on the endpoint.
- Refer to this AWS documentation page to generate the server and client certificates and keys.
- Once the certificates and keys are generated on our computer, the directory will look like the one below: a certificate and a key each for the server and the client, plus the certificate of the certificate authority (ca.crt).
Step 3: Upload the server and client certificates and keys to AWS Certificate Manager
- Open a terminal window and point the AWS CLI at the appropriate AWS Region (the one where the connected VPC lives) with the aws configure command.
- Run the following command to upload the server certificate and key to AWS Certificate Manager:
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
- Run the following command to upload the client certificate and key:
aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt
- Each import returns a CertificateArn; the endpoint created in Step 4 references the certificates by these ARNs. If the client certificate was issued by the same CA as the server certificate, uploading it is optional: the endpoint validates clients against the CA chain, and the server certificate's ARN can be selected for the client side as well.
- Open the AWS console, ensure that the correct AWS Region is selected, then navigate to AWS Certificate Manager.
- Click on List certificates; it should list the certificates uploaded above, as shown below.
Step 4: Deploy an AWS Client VPN endpoint in the attached VPC
- Open the AWS Console.
- Ensure the correct AWS Region is selected and then navigate to the VPC service.
- Select Client VPN endpoints under Virtual private network (VPN) and click on Create client VPN endpoint.
- Fill in the details as below. The Client IPv4 CIDR is the pool from which connecting clients draw their addresses: it must be between /22 and /12 in size, and it must not overlap the connected VPC's CIDR, the SDDC networks, or anything else you will route to the clients.
- Select the server certificate, check the box for "Use mutual authentication", and select the client certificate.
- Enable Split-tunnel so that only traffic for routes in the endpoint's route table crosses the VPN while everything else stays on the user's local network, consider enabling connection logging to CloudWatch Logs so that connections are auditable, select the correct VPC and a security group that permits only the traffic you expect, and click on Create client VPN endpoint.
Step 5: Associate the VPN endpoint with target network
- Once the Client VPN endpoint is created, click on the Client VPN endpoint ID.
- Click on Associate target network and select the appropriate VPC and subnet to associate with the endpoint.
- The endpoint should show up as associated with the target network, as below. The association can take a few minutes; the routes in the next step target this subnet, so wait until it shows as Associated.
Step 6: Update the route table, authorization rules and security group.
- Click on Route table and add a route for the SDDC workload network (the segment that contains winvm001) with the associated subnet as the target, and a 0.0.0.0/0 route only if you want internet traffic to transit the VPN; with split-tunnel enabled, traffic with no matching route stays on the user's local network.
- Click on Authorization rules and add a rule with the SDDC workload network as the destination CIDR (and another for 0.0.0.0/0 if you routed the internet). With mutual authentication alone there are no user groups, so the rule grants access to all users; keep the destination CIDR as narrow as the workloads require. It should look like the below.
- Finally, allow outbound internet access in the endpoint's security group if desired. The security group applies to all traffic leaving the endpoint's network interfaces, so it is a second place to restrict VPN clients to the SDDC network and the ports they need.
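The same provisioning, Steps 3 through 6 plus the profile export that Step 7 otherwise does in the console, as an AWS CLI script. This is an added example, not code from the original post; the VPC, subnet, security group and CIDR values it takes as arguments, and the Step 2 file names it reads, are assumptions for this lab. Setting DRY_RUN=1 prints each call instead of executing it, which also lets the client CIDR check be exercised without an AWS account.

```shell
#!/bin/sh
# Added example, not from the original post: the AWS side of Steps 3 to 6 as
# AWS CLI calls, plus the client-configuration export of Step 7. Every ID,
# CIDR and file name used here is an assumption for this lab.
# Run with DRY_RUN=1 to print the calls instead of making them.
set -e

# run: execute an AWS CLI call, or with DRY_RUN=1 print it to stderr and
# return a placeholder on stdout so the captured-ID plumbing still works.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'DRY-RUN: %s\n' "$*" >&2
    printf 'dry-run-placeholder\n'
    return 0
  fi
  "$@"
}

# validate_client_cidr CIDR: Client VPN only accepts a client pool between
# /22 and /12. Overlap with the VPC or SDDC ranges is not checked here.
validate_client_cidr() {
  case $1 in
    */*) ;;
    *) return 1 ;;
  esac
  bits=${1#*/}
  [ "$bits" -ge 12 ] && [ "$bits" -le 22 ]
}

# import_cert CRT KEY CHAIN: Step 3; prints the CertificateArn needed later.
import_cert() {
  run aws acm import-certificate \
    --certificate "fileb://$1" --private-key "fileb://$2" \
    --certificate-chain "fileb://$3" \
    --query CertificateArn --output text
}

# provision_client_vpn VPC_ID SUBNET_ID SG_ID SDDC_CIDR CLIENT_CIDR OUT_OVPN
provision_client_vpn() {
  vpc_id=$1; subnet_id=$2; sg_id=$3; sddc_cidr=$4; client_cidr=$5; out=$6
  validate_client_cidr "$client_cidr" || {
    echo "client CIDR $client_cidr must be between /22 and /12" >&2; return 1; }

  server_arn=$(import_cert server.crt server.key ca.crt)
  client_arn=$(import_cert client1.domain.tld.crt client1.domain.tld.key ca.crt)

  # Step 4: mutual TLS only, split tunnel, UDP transport. Connection logging
  # is off to mirror the walkthrough; use Enabled=true,CloudwatchLogGroup=...
  # outside a lab so connections are auditable.
  endpoint_id=$(run aws ec2 create-client-vpn-endpoint \
    --client-cidr-block "$client_cidr" \
    --server-certificate-arn "$server_arn" \
    --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$client_arn}" \
    --connection-log-options Enabled=false \
    --transport-protocol udp --split-tunnel \
    --vpc-id "$vpc_id" --security-group-ids "$sg_id" \
    --query ClientVpnEndpointId --output text)

  # Step 5: attach the endpoint to a subnet of the connected VPC. The
  # association takes a few minutes; retry the route call if it is rejected
  # before the target network shows as Associated.
  run aws ec2 associate-client-vpn-target-network \
    --client-vpn-endpoint-id "$endpoint_id" --subnet-id "$subnet_id" >/dev/null

  # Step 6: route the SDDC segment via that subnet and authorize it. With
  # certificate-only authentication there are no user groups, so authorize all.
  run aws ec2 create-client-vpn-route \
    --client-vpn-endpoint-id "$endpoint_id" \
    --destination-cidr-block "$sddc_cidr" \
    --target-vpc-subnet-id "$subnet_id" >/dev/null
  run aws ec2 authorize-client-vpn-ingress \
    --client-vpn-endpoint-id "$endpoint_id" \
    --target-network-cidr "$sddc_cidr" --authorize-all-groups >/dev/null

  # Step 7 (download part): export the base .ovpn profile for the client app
  run aws ec2 export-client-vpn-client-configuration \
    --client-vpn-endpoint-id "$endpoint_id" --output text > "$out"
  echo "$endpoint_id"
}
```

After aws configure, call it as provision_client_vpn vpc-... subnet-... sg-... <SDDC CIDR> <client CIDR> base.ovpn; it prints the new endpoint ID and leaves the exported profile in base.ovpn, ready for the certificate and key to be added in Step 7.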
Step 7: Download the client configuration file and modify it to include the client certificate and key
- Login to the AWS Console, navigate to the VPC Service and click on Client VPN endpoints
- Select the Client VPN endpoint we created and click on Download client configuration towards the top right.
- It downloads a file with the extension .ovpn.
- Modify the file to add a <cert> section and a <key> section; these are OpenVPN's inline directive names, which the AWS Client VPN software reads.
- Copy the contents of the client1.domain.tld.crt file (created in Step 2) and paste them between <cert> and </cert>, then copy the contents of the client1.domain.tld.key file (created in Step 2) and paste them between <key> and </key>.
- The file should look like the one available here.
- The completed file now contains the client's private key, so treat it like a password: give it to that one user only, over a secure channel, and keep its file permissions owner-only.
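Assembling the profile described in this step with a script rather than by hand, as an added example that is not from the original post. It assumes the file names used above (the downloaded .ovpn, client1.domain.tld.crt and client1.domain.tld.key) and standard PEM markers; the <cert> and <key> tags are OpenVPN's inline directive names, which the AWS Client VPN software understands.

```shell
#!/bin/sh
# Added example, not from the original post: build the importable profile from
# the downloaded .ovpn and the client certificate and key from Step 2.
# File names are the ones this post uses; the PEM markers are standard.
set -e

# build_profile BASE_OVPN CLIENT_CRT CLIENT_KEY OUT_OVPN
# Copies BASE_OVPN to OUT_OVPN and appends inline <cert> and <key> blocks.
# Only the PEM body is copied: easy-rsa .crt files carry a human-readable
# dump above the BEGIN CERTIFICATE line that has no place in the profile.
build_profile() {
  base=$1; crt=$2; key=$3; out=$4
  for f in "$base" "$crt" "$key"; do
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  done
  # Refuse to stack a second credential onto a profile that already has one.
  if grep -q '^<cert>' "$base"; then
    echo "$base already contains an inline <cert> block" >&2; return 1
  fi
  grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" ||
    { echo "$crt is not a PEM certificate" >&2; return 1; }
  grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$key" ||
    { echo "$key is not a PEM private key" >&2; return 1; }
  # The result carries a private key: create it owner-only (0600) from the
  # start rather than fixing permissions afterwards.
  (
    umask 077
    {
      cat "$base"
      echo   # guarantees the tags start on their own line
      echo '<cert>'
      sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$crt"
      echo '</cert>'
      echo '<key>'
      sed -n '/-----BEGIN.*PRIVATE KEY-----/,/-----END.*PRIVATE KEY-----/p' "$key"
      echo '</key>'
    } > "$out"
  )
}
```

Usage: build_profile downloaded-config.ovpn client1.domain.tld.crt client1.domain.tld.key client1.ovpn, then add client1.ovpn as the profile in Step 8. The output file is created with mode 0600, and a second run against an already-assembled profile is refused rather than appending a duplicate credential.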
Step 8: Use the Client configuration file to Add a profile, connect to the VPN and test connectivity
- Open the AWS Client VPN software and navigate to File → Manage profiles
- Click on Add profile.
- Browse to and select the VPN configuration file saved in the previous step, provide a Display name and click on Add profile.
- Click on Done
- Click on Connect.
- You should be connected to the VPN now.
Let's try to ping the Windows VM (winvm001) running on VMware Cloud on AWS now and test the connectivity.
As we can see, we are now able to ping the Windows VM running on VMware Cloud on AWS directly from our computer using AWS Client VPN. Since we allowed the RDP and SSH services over the VPC interface in the Compute Gateway firewall rule, we can also connect over RDP to the Windows VMs and open SSH sessions to the Linux VMs running on VMware Cloud on AWS.
Conclusion
In this post, we have walked through the steps to configure AWS Client VPN to access workloads running on VMware Cloud on AWS directly from an end-user computer.