sehee

Route53 Hybrid DNS

1. VPC 생성

- cloud: 10.0.0.0/16

- onprem: 192.168.0.0/16

- subnets, route tables, nat gateways 생성

2. 인스턴스 생성

cloud-app-server

- sg: ssh anywhere, icmp 192.168.0.0/16

onprem-app-server

- sg: ssh 192.168.0.0/16, icmp 10.0.0.0/16

onprem-vpn-server

- sg: ssh anywhere, dns (udp) 192.168.0.0/16, icmp 192.168.0.0/16

3. VPN 설정

1) Virtual private gateway (cloud-vgw)

2) Customer gateways (onprem-cgw) - onprem-vpn-server의 public IP address (Specify the IP address for your customer gateway device's external interface.)

3) VGW - attach to VPC: cloud-vpc

4) Site-to-Site VPN connections (cloud-onprem-vpn-connection)

- Routing options: Static

- Static IP prefixes: 192.168.0.0/16 (onprem-vpn range)

5) download VPN connections configurations - Platform: Openswan

4. SSH 접속

brew install putty
putty

Auth - Credentials - keypair.pem 경로

Session - Saved Sessions

IP: onprem-vpn-server's public IP

login as: ec2-user

ssh -i "ap-south-1-keypair.pem" ec2-user@35.x.x.x

 % sudo su
sh-3.2# ssh -i "ap-south-1-keypair.pem" ec2-user@35.154.187.78
The authenticity of host '35.x.x.x (35.x.x.x)' can't be established.
ED25519 key fingerprint is SHA256:qOx9yHXTxD6xaC9BfiT/Y5/82Ml/mVZzr5hNXnw9FQ8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '35.x.x.x' (ED25519) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-192-168-0-220 ~]$

sudo yum install libreswan
sudo vi /etc/sysctl.conf

1) Open /etc/sysctl.conf and ensure that its values match the following:
   net.ipv4.ip_forward = 1
   net.ipv4.conf.default.rp_filter = 0
   net.ipv4.conf.default.accept_source_route = 0

2) Apply the changes in step 1 by executing the command 'sysctl -p'

sudo sysctl -p

3) Open /etc/ipsec.conf and look for the line below. Ensure that the # in front of the line has been removed, then save and exit the file.
    #include /etc/ipsec.d/*.conf

이미 제거된 상태로 저장됨

cat /etc/ipsec.conf

4) Create a new file at /etc/ipsec.d/aws.conf if doesn't already exist, and then open it. Append the following configuration to the end in the file:
 #leftsubnet= is the local network behind your openswan server, and you will need to replace the <LOCAL NETWORK> below with this value (don't include the brackets). If you have multiple subnets, you can use 0.0.0.0/0 instead.
 #rightsubnet= is the remote network on the other side of your VPN tunnel that you wish to have connectivity with, and you will need to replace <REMOTE NETWORK> with this value (don't include brackets).

conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid=35.x.x.x
right=13.x.x.x
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
auth=esp
keyingtries=%forever
keyexchange=ike
leftsubnet=<LOCAL NETWORK>
rightsubnet=<REMOTE NETWORK>
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer

sudo vi /etc/ipsec.d/aws.conf

conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=35.x.x.x
        right=13.x.x.x
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes256-sha1;modp2048
        ike=aes256-sha1;modp2048
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=192.168.0.0/16
        rightsubnet=10.0.0.0/16
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer

5) Create a new file at /etc/ipsec.d/aws.secrets if it doesn't already exist, and append this line to the file (be mindful of the spacing!):
35.x.x.x 13.x.x.x: PSK "TOC3RK--------------------IUtns"

sudo vi /etc/ipsec.d/aws.secrets

Tunnel 1 구성 완료

sudo systemctl start ipsec.service
sudo systemctl status ipsec.service

5. Route Tables 설정 (propagation)

cloud-vpc-private-rt > Route propagation > Propagation: Enable

또는 Routes 편집 (cloud-vgw)

cloud-vpc-public-rt도 동일하게 설정

6. VPN 서버의 목적지 비활성화

Instances: onprem-vpn-server > Actions - Networking - Change Source / destination check > check Stop > Save

Route tables: cloud-vpc-public-rt > 10.0.0.0/16 instance (onprem-vpn-server)

7. Cloud Instance 접속

cloud-app-server public IP

ssh -i "ap-south-1-keypair.pem" ec2-user@3.x.x.x

ping (onprem-app-server)

From Cloud EC2 instance - Ping to on-premises App server private IP

Cloud EC2 -> VGW -> VPN Tunnel 1 -> VPN server -> App server

VPC DNS resolver 우선 순위

0. DNS firewall (R53 전용 Network Firewall)

1. Route 53 Resolver 규칙
   - 명시적으로 정의된 Outbound 규칙
   - 도메인 기반 포워딩 규칙

2. Private Hosted Zone
   - VPC와 연결된 프라이빗 호스팅 영역

$ dig example.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.13.9 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63355
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;saraheee.site.                 IN      A

;; AUTHORITY SECTION:
saraheee.site.          900     IN      SOA     ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 1 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Thu Feb 06 07:15:42 UTC 2025
;; MSG SIZE  rcvd: 129

3. Default VPC Resolver
   - VPC의 기본 .2 리졸버

$ cat /etc/resolv.conf
options timeout:2 attempts:5
; generated by /usr/sbin/dhclient-script
search anycompany.corp
nameserver 192.168.2.250
nameserver 192.168.0.2

4. Public DNS resolve 시도 (Route 53 Public Hosted Zone 포함)

$ dig example.com
; <<>> DiG 9.18.28 <<>> example.com;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6753
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;saraheee.site.                 IN      A

;; ANSWER SECTION:
saraheee.site.          30      IN      A       8.8.8.8

;; Query time: 1610 msec
;; SERVER: 10.0.0.2#53(10.0.0.2) (UDP)
;; WHEN: Thu Feb 06 07:15:47 UTC 2025;; MSG SIZE  rcvd: 58

아웃바운드 엔드포인트가 구성된 Resolver 규칙이 있는 경우, 프라이빗 호스팅 영역과 동일한 VPC에 연결되어 있을 때 리졸버 규칙이 우선적으로 적용될 수 있다.

다만 Private hosted zone이 VPC 내부에서만 작동하는 DNS라, dig +trace 시 공개적인 DNS 해석 과정이 포함된 root DNS와는 독립적으로 작동한다.