
Friday Blog - Week 36 - Connect To Your VPCs Securely, With VPN Gateway

Learn how to set up an Alibaba Cloud VPN Gateway instance, for private & secure access to your VPC groups.

By: Jeremy Pedersen

Welcome back for another Fantastic Friday blog! This week, we set up our own VPN Gateway, giving us simple and secure access to our VPC from anywhere.

What we'll do:

  1. Create a new VPC group
  2. Set up a VPN Gateway
  3. Set up an SSL VPN tool, and use it to connect to the VPC
  4. Create an ECS instance (without a public IP address)
  5. SSH into our ECS instance to prove that it all works

Let's get started!

Step 1: Creating a VPC Group

First, of course, you'll need to log into your Alibaba Cloud account and open the web console. From there, open the products menu:

01_open_products

Then, search for "VPC":

02_find_vpc

Next, choose a region. I chose a Chinese region since I'm based in China:

03_choose_region

Create a new VPC group with at least one subnet (I created 3 subnets: one for each of the three Zones in the Ulanqab Region):

04_create_vpc

05_create_subnets

If everything worked, you should see something like this:

06_success

Step 2: Creating A VPN Gateway

Setting Up The Gateway

Now, scroll the left-hand menu until you see the "VPN Gateway" option. Click on that, then click on "Create VPN Gateway":

07_create_vpn

This should take you to the purchase page (double-check which Region is selected here; sometimes the buy page resets to a default Region setting):

08_buy_vpn

Confirm your purchase (this is the part of the tutorial where things start costing money, so be sure to delete any resources you've created once you are done testing):

09_activate_vpn

Return to the VPN Gateway console, and wait for the VPN to initialize. Once the status is "Normal", the VPN Gateway is ready to use:

10_return_to_console

11_vpn_initialize

Setting Up An SSL VPN Server

We'll test our VPN Gateway by setting up an SSL VPN. Why? Mostly because it's easier than setting up an IPsec VPN, and because I'm testing from a laptop. ^_^

First, create an SSL Server:

12_ssl_server

13_ssl_server

Pay close attention to the network address ranges you use (see screenshot below for details):

14_ssl_server

In general, it's a good idea to choose a "local network" IP address range that doesn't overlap your VPC address range, and choose a "client subnet" address which is in the same CIDR block as your VPC, but does not overlap with your vSwitches.
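
To see how a set of ranges relate before typing them into the SSL Server form, the following added example (not part of the original post) reports, for every pair of ranges, whether they are disjoint, equal or nested. All names and CIDR values in it are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed address plan for illustration; substitute your own ranges.
PLAN = {
    "vpc": "192.168.0.0/16",
    "vswitch_a": "192.168.0.0/24",
    "vswitch_b": "192.168.1.0/24",
    "local_network": "10.0.0.0/8",
    "client_subnet": "192.168.100.0/24",
}


def parse_plan(plan):
    """Parse {name: cidr}. Strict parsing rejects CIDRs with host bits set."""
    nets, errors = {}, []
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return nets, errors


def relation(a, b):
    """CIDR blocks never partially overlap: they are disjoint, equal or nested."""
    if a == b:
        return "equal"
    if a.version != b.version or not a.overlaps(b):
        return "disjoint"
    return "inside" if a.subnet_of(b) else "contains"


def overlap_report(plan):
    """Return ({(name1, name2): relation}, [parse errors]) for every pair."""
    nets, errors = parse_plan(plan)
    report = {
        (n1, n2): relation(a, b)
        for (n1, a), (n2, b) in combinations(nets.items(), 2)
    }
    return report, errors


if __name__ == "__main__":
    report, errors = overlap_report(PLAN)
    for problem in errors:
        print("invalid:", problem)
    for (n1, n2), rel in report.items():
        print(f"{n1:14} vs {n2:14} -> {rel}")
```

Strict parsing means an entry such as `192.168.1.5/24` is reported as invalid rather than silently rounded to `192.168.1.0/24`.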

Setting Up An SSL VPN Client Configuration

Next, we need to set up our SSL "client configuration". This generates a certificate file and an .ovpn VPN client configuration file, which we can download as a zip file:

15_ssl_server

16_ssl_server

17_ssl_server

18_ssl_server

19_ssl_server

Step 3: Installing a VPN Client

We need local SSL VPN client software if we want our local device (be it a desktop, laptop, or phone) to be able to connect to the VPN Gateway.

I'm using a Mac, so I will demonstrate this using the free and open source Tunnelblick VPN tool.

Clicking the link above should take you to the Tunnelblick homepage, where you can get the most recent version from "Downloads":

20_install_vpn_client

I won't go through all the steps involved in installing Tunnelblick: it's very straightforward.

Once you have a local VPN client installed, the next step is to configure a VPN connection, using the .ovpn file inside the config.zip archive we downloaded from the Alibaba Cloud console earlier.

In Tunnelblick, you do this by dragging the .ovpn file onto Tunnelblick, then following along with the prompts:

21_configure_vpn

22_configure_vpn

23_configure_vpn

We need to make some final touches to the configuration by clicking on "VPN Details", then switching over to "Settings", as shown here:

24_configure_vpn

25_configure_vpn

26_configure_vpn

We need to make sure all traffic will traverse the VPN, so that the SSH and ping tests we run later will work properly.

Step 4: Set Up An ECS Instance

In order to test all of this out, we now need to create an ECS instance inside the VPC to which our VPN Gateway is attached, then try connecting to it.

Setting up an ECS instance is easy: just follow along with the screenshots below:

27_ecs_config

28_ecs_config

Make sure you choose the correct Region and correct VPC:

29_ecs_config

Note that because we are using a "Shared" instance type, we have to confirm that we're aware of the CPU Credit system that is used to control CPU usage on this instance type, as shown here:

30_ecs_config

31_ecs_config

32_ecs_config

33_ecs_config

34_ecs_config

35_ecs_config

That's it! You should now have a running ECS instance inside your VPC Group, like this:

36_ecs_config

Step 5: Testing It All Out

Let's try connecting to the VPN Gateway using Tunnelblick.

Warning: Our VPC group doesn't have any kind of transit routing set up, so connecting will kill your Internet connection. Remember, we told Tunnelblick we want to forward all traffic to the VPN Gateway, even Internet traffic. Since our VPC has no path to the public Internet (like a NAT Gateway), traffic to public sites is going to "dead end" at the VPC.

Maybe that's a topic for another blog post!

In any case, if everything works, you should see something like this:

37_connect

38_connect

Now, we can try to ping our ECS instance, using its private IP address. We can see that it works:

39_test_ping

SSH should also work just fine:

40_test_ssh

Finally, we disconnect from the VPN Gateway and try to ping the instance again:

41_disconnect

42_disconnect

Not surprisingly, it fails! This is what we expect: the ECS instance's private IP is not reachable directly from the public Internet, only via the VPN tunnel we set up with VPN Gateway.

That's it! Now you know how to create and manage your own VPN Gateway into any Alibaba Cloud VPC!

I've Got A Question!

Great! Reach out to me at jierui.pjr@alibabacloud.com and I'll do my best to answer in a future Friday Q&A blog.

You can also follow the Alibaba Cloud Academy LinkedIn Page. We'll re-post these blogs there each Friday.

Not a LinkedIn person? We're also on Twitter and YouTube.


Comments

vunny December 10, 2021 at 5:21 am

Great documentation!!