Remote Access with Centralized Hostname Management: Alibaba Cloud PrivateZone, SAG App, and VPN Gate
Posted: Jul 11, 2021, 22:22
The most common practice to ensure the security and supportability of the systems deployed on a public cloud is to:
PrivateZone (part of Alibaba Cloud's DNS product) provides a highly available and scalable DNS service that lets you manage internal hostnames within your VPCs. This way, you can use custom hostnames for your internal Alibaba Cloud resources, rather than IP addresses or Alibaba Cloud-provided names.
In this article, we'll show you how to access Alibaba Cloud DNS PrivateZone when you are connecting your VPC through SSL-VPN or SAG App. This way, you can use private hostnames to access your cloud resources, such as Elastic Compute Service (ECS) instances (instead of IP addresses), and make your admin and maintenance work on the cloud much easier and more efficient.
We'll walk through the detailed steps for accessing PrivateZone over SSL-VPN first and then follow up with the SAG App solution. The two solutions have no dependency on each other; the PrivateZone and VPC setup is the same for both.
All the Alibaba Cloud products and services we set up in the sections below are in the same region (Singapore), which is the closest one to the on-premises location used in this demo. Setup across multiple regions and locations is possible, but it will not be covered in this article.
Also, IPsec-VPN connection and Customer Gateway-related configuration will not be discussed in this article.
The assets and items we create on Alibaba Cloud for this demo are listed below:
The IP Addresses used in the demo network are listed below:
The hostnames used in the demo are listed below:
Alibaba Cloud DNS server
The default IP addresses of the Alibaba Cloud DNS servers are 100.100.2.136 and 100.100.2.138. Both SSL-VPN and SAG App clients need a route to these two addresses before PrivateZone hostnames can be resolved, as shown in the "Route to PrivateZone" steps of each solution.
VPC and ECS
In this section, we will build a simple VPC environment for testing purposes. In this demo, we will set up one VPC, two vSwitches, and two ECS instances. The OS of the ECS instances is Ubuntu 20.04. The details of managing a VPC can be found here.
The IP addresses of the VPC resources and ECS instances can be found in the section labeled Asset List > Network.
Note: Make sure the security group of the ECS instances allows inbound traffic for the ports below:
Go to the Alibaba Cloud DNS console and create PrivateZone hostnames according to the Section labeled Asset List > Hostname. Then, bind the VPC created in the demo to the PrivateZone. The details of PrivateZone hostnames creation and VPC binding can be found here.
Testing and Verification
1. Log in to the "alitest1" ECS instance (through the Alibaba Cloud VNC console). You should be able to ping the "alitest2" instance, which is set up within the same VPC, using the IP address below:
2. From the "alitest1" ECS instance, ping the "alitest2" instance using its PrivateZone hostname instead of its IP address:
3. From your local PC (which will be used later for remote access), you can't ping "alitest2", since it sits in a private VPC with no public IP address. We will address this in the following section.
After we set up our VPC environment and PrivateZone successfully, we can continue with the VPN solution.
1. Go to VPC > VPN > VPN Gateways on the VPN Gateway console page and click Create VPN Gateway
2. On the VPN Gateway creation page, fill in the VPN Gateway parameters and click Buy Now to complete the process. The details of creating a VPN Gateway can be found here. Note: The region of the VPN Gateway must be the same as that of the VPC used in this demo. Then, enable IPsec-VPN and SSL-VPN.
3. Go to VPC > VPN > SSL Servers on the SSL Servers console and click Create SSL Server to create an SSL server for the VPN Gateway created. The details of creating and configuring SSL-VPN can be found here.
4. Go to VPC > VPN > SSL Clients on the SSL Clients console and click Create Client Certificate to create and download the client certificate and VPN configuration file that the VPN client uses to initiate the connection. Treat these files as credentials: anyone holding them can connect to the VPC. The details of creating an SSL client certificate can be found here.
1. Go to the OpenVPN downloads page, download the OpenVPN client, and install it on the PC used for the remote connection.
2. Start the OpenVPN GUI program on your PC and import the VPN client certificate and VPN configuration file you downloaded in the section above.
3. In the OpenVPN GUI program, choose the configuration profile you just imported and click Connect.
Make sure you don't have other VPNs connected to your PC at the same time.
After successfully connecting to the VPN Gateway, the ECS instances can be accessed directly from the PC using their internal IP addresses.
Route to PrivateZone
Even though the PC can now reach the VPC internal network, PrivateZone hostnames still cannot be resolved: the SSL server pushes routes for the VPC network only, and the Alibaba Cloud DNS servers (100.100.2.136 and 100.100.2.138, see the section labeled Asset List > Alibaba Cloud DNS server) lie outside it, so there is no route to them through the tunnel.
1. In the OpenVPN GUI program, choose the correct configuration profile and click Edit Config. The configuration file of the VPN connection profile will open.
2. Add the two host routes below to the configuration file:
route 100.100.2.136 255.255.255.255
route 100.100.2.138 255.255.255.255
3. Reconnect the VPN and set the Alibaba Cloud DNS servers (100.100.2.136 and 100.100.2.138) as the DNS servers of the PC's VPN network interface (the TAP-Windows adapter on Windows, /etc/resolv.conf on Linux).
4. The PrivateZone hostnames will be resolvable from your PC.
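The profile edit from steps 2 and 3, made repeatable and followed by a check that the tunnel actually carries the DNS traffic. This is an added example, not from the original article: it assumes the input is the .ovpn file downloaded from the SSL Clients console, that the DNS server addresses are the Alibaba Cloud defaults cited above, and that ip(8) and dig(1) are available on the PC. The optional `dhcp-option DNS` directive is an alternative to setting the adapter DNS by hand; on Linux it only takes effect with an OpenVPN `--up` script such as update-resolv-conf, which the reader is assumed to have installed.

```sh
#!/bin/sh
# Added example (not from the original article): make the "Route to
# PrivateZone" profile changes repeatable, then verify them over the tunnel.
# Assumptions: the .ovpn profile from the SSL Clients console is the input;
# the DNS server addresses are the Alibaba Cloud defaults given in the text.
set -eu

PZ_DNS="100.100.2.136 100.100.2.138"

# Append a host route for each PrivateZone DNS server to an OpenVPN client
# profile. Idempotent: an identical "route" line already present is not
# duplicated, so re-running after a profile re-download is safe.
add_privatezone_routes() {
    profile="$1"
    for ip in $PZ_DNS; do
        line="route $ip 255.255.255.255"
        grep -qxF "$line" "$profile" || printf '%s\n' "$line" >> "$profile"
    done
}

# Optional: push the DNS servers from the profile instead of editing the
# adapter by hand. The Windows TAP adapter applies "dhcp-option DNS"
# directly; Linux needs an --up script (e.g. update-resolv-conf) to honour it.
add_privatezone_dns_options() {
    profile="$1"
    for ip in $PZ_DNS; do
        line="dhcp-option DNS $ip"
        grep -qxF "$line" "$profile" || printf '%s\n' "$line" >> "$profile"
    done
}

# Count the PrivateZone host routes present in a profile (expect 2).
count_privatezone_routes() {
    grep -cE '^route 100\.100\.2\.(136|138) 255\.255\.255\.255$' "$1" || true
}

# Live check, meaningful only while the VPN is connected: each DNS server
# must be reached via the tun device and must answer for the PrivateZone
# name. Returns non-zero on the first failure.
verify_privatezone_resolution() {
    name="$1"
    for ip in $PZ_DNS; do
        ip route get "$ip" | grep -q 'dev tun' \
            || { echo "no tunnel route to $ip"; return 1; }
        dig +short +time=2 "@$ip" "$name" | grep -q . \
            || { echo "$ip did not resolve $name"; return 1; }
    done
    echo "$name resolves via PrivateZone DNS over the tunnel"
}

# Demo on a constructed profile fragment (made up here, not a real download).
demo_profile=$(mktemp)
cat > "$demo_profile" <<'EOF'
client
dev tun
proto udp
remote vpn-gateway.example.invalid 1194
EOF
add_privatezone_routes "$demo_profile"
add_privatezone_routes "$demo_profile"   # second run must not duplicate
echo "PrivateZone routes in profile: $(count_privatezone_routes "$demo_profile")"
rm -f "$demo_profile"
```

Run `verify_privatezone_resolution alitest2.<your-zone>` only after the VPN is up; it fails fast with the reason if the route or the answer is missing. Note that once the PC's DNS points at 100.100.2.136/138, every DNS query the PC makes while connected travels through the tunnel to Alibaba Cloud's resolvers, not only the PrivateZone names.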
SAG App Solution
Alibaba Cloud Smart Access Gateway (SAG) connects to Alibaba Cloud VPC internal networks through Cloud Connect Network (CCN) and the Alibaba Cloud SD-WAN access network.
Cloud Enterprise Network (CEN)
CEN is a global virtual enterprise network. CEN uses Alibaba Cloud's global backbone network to provide high-quality global networking services for enterprise customers.
SAG App and Cloud Connect Network (CCN)
SAG App Client
Route to PrivateZone
Even though the PC can now reach the VPC internal network, PrivateZone hostnames still cannot be resolved, since there is no route to the Alibaba Cloud DNS servers (100.100.2.136 and 100.100.2.138).
1. Go to Smart Access Gateway > Smart Access Gateway APP > SAG APP Instances and click the Network Configuration link of the SAG App created in this demo.
2. In the Network Configuration popup, enter the Alibaba Cloud DNS server IP addresses: 100.100.2.136 and 100.100.2.138.
3. Go to Cloud Enterprise Network > Instances on the CEN console and click the Manage link of the CEN created in the demo.
4. On the Basic Settings page, open the PrivateZone tab and click the Configure PrivateZone button.
5. On the Configure PrivateZone popup, type in the parameters for the configuration:
7. Restart the SAG App client and reconnect to the Alibaba Cloud VPC. Click the Settings button, and the updated DNS servers appear under the Connection tab.
8. The PrivateZone hostnames will be resolvable from your PC.