In this tutorial I’m showing all the steps required to set up a virtual private cloud (VPC) on AWS with VPN access for your trial instances provided as virtual appliances by the SAP Cloud Appliance Library. The proposed setup consists of a VPC with an internet gateway, an OpenVPN Access Server in the public subnet of the VPC, and your trial instance in the private subnet of the VPC, as illustrated in the drawing below.

Remark: Alternatively, you may follow this tutorial which shows a much quicker, but less secure approach.

VPC_landscape_01.PNG

Disclaimer

Please keep in mind that this is just a proposal to get you started quickly and only one variant of how to realize such a scenario in a fairly secure way. There are a lot more installation and configuration options which are not shown below. Thus, this might not be the perfect setup for your personal use case. So please also consider the alternative scenarios explained in the VPC documentation. In addition, we always recommend setting up a billing alert for your AWS account to avoid unpleasant surprises.

Section 1: Creating the VPC with public and private subnet

As a prerequisite for this section I assume that you already have a valid Amazon Web Services (AWS) account. Otherwise navigate to the AWS homepage and sign up.

  1. Sign in to the AWS console of your AWS account: https://console.aws.amazon.com/console/home
  2. Navigate to the VPC Dashboard and select the region US East.
  3. Click on the Start VPC Wizard button.
  4. Select VPC with a Single Public Subnet Only and click Continue.
    VPC_01.PNG
  5. On the next screen use the default settings (VPC: 10.0.0.0/16; public subnet: 10.0.0.0/24) and click Create VPC.
    VPC_02.PNG
  6. After your VPC has been created, navigate to Route Tables in the navigation pane and click on the custom route table associated with your subnet (Main attribute = No).
  7. Besides the local route, the custom route table of this public subnet contains a route that sends traffic destined for IP addresses outside your VPC to the associated internet gateway.
    route_table_01.PNG
  8. You can verify that the main route table of your VPC only enables the local route but no route to the Internet.
    route_table_02.PNG
  9. Navigate to Security Groups in the navigation pane, click on the default VPC security group, delete all existing inbound and outbound rules, and apply the rule changes.
  10. Navigate to Subnets in the navigation pane and click Create Subnet.
  11. Create a private subnet within your existing VPC, choose the same availability zone as your public subnet, but define a separate CIDR block (private subnet: 10.0.1.0/24).
    privateSubnet_01.PNG
  12. Verify that the private subnet uses the main route table, which contains only the local route and no route to the internet.
    privateSubnet_02.PNG
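The security property Section 1 builds is that only the public subnet has a route to the internet gateway, while the private subnet falls back to the main route table with nothing but the local route. The following script is an added example, not part of the original tutorial: it audits route tables in the shape returned by aws ec2 describe-route-tables and reports any subnet that is meant to be private but has an internet route. The route table IDs, subnet IDs and the gateway ID are constructed placeholders; the CIDR blocks are the ones used in the tutorial.

```python
"""Audit VPC route tables: which subnets can reach the internet?

Added example (not from the original tutorial). The data structures follow
the shape of `aws ec2 describe-route-tables`, but the sample below is
constructed by hand so the check runs offline.
"""
import copy
from typing import Dict, List

# Constructed sample mirroring the tutorial's layout: a 10.0.0.0/16 VPC, a
# custom table (Main=False) for the public subnet with a default route to the
# internet gateway, and the main table (Main=True) holding only the local
# route, inherited by the private subnet because it has no explicit association.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-public-EXAMPLE",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-public-EXAMPLE"}],
    },
    {
        "RouteTableId": "rtb-main-EXAMPLE",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        "Associations": [{"Main": True}],
    },
]

# Subnet IDs (constructed) mapped to the tutorial's CIDR blocks.
SAMPLE_SUBNETS: Dict[str, str] = {
    "subnet-public-EXAMPLE": "10.0.0.0/24",
    "subnet-private-EXAMPLE": "10.0.1.0/24",
}


def has_internet_route(route_table: dict) -> bool:
    """True if any active route hands traffic to an internet gateway (igw-*)."""
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def route_table_for_subnet(route_tables: List[dict], subnet_id: str) -> dict:
    """An explicit association wins; otherwise the subnet implicitly uses the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("no main route table found")
    return main


def classify_subnets(route_tables: List[dict], subnets: Dict[str, str]) -> Dict[str, str]:
    """Map each subnet ID to 'public' (has an IGW route) or 'private'."""
    result = {}
    for subnet_id in subnets:
        rt = route_table_for_subnet(route_tables, subnet_id)
        result[subnet_id] = "public" if has_internet_route(rt) else "private"
    return result


def check_private(route_tables: List[dict], subnets: Dict[str, str],
                  expected_private: List[str]) -> List[str]:
    """Return the IDs of subnets that should be private but have an internet route."""
    exposure = classify_subnets(route_tables, subnets)
    return [s for s in expected_private if exposure.get(s) == "public"]


def with_default_route_on_main(route_tables: List[dict]) -> List[dict]:
    """Constructed misconfiguration: copy the tables and give the main table an IGW route."""
    bad = copy.deepcopy(route_tables)
    for rt in bad:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            rt["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"})
    return bad


if __name__ == "__main__":
    for subnet, kind in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(f"{subnet} ({SAMPLE_SUBNETS[subnet]}): {kind}")
    leaks = check_private(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS, ["subnet-private-EXAMPLE"])
    print("private subnets with an internet route:", leaks or "none")
    leaks = check_private(with_default_route_on_main(SAMPLE_ROUTE_TABLES),
                          SAMPLE_SUBNETS, ["subnet-private-EXAMPLE"])
    print("after adding a default route to the main table:", leaks)
```

Against real output you would feed the JSON from aws ec2 describe-route-tables and the subnet IDs from aws ec2 describe-subnets into classify_subnets; the important point the check captures is that a default route added to the main table later on silently exposes every subnet that relies on it, including the private one holding your trial instance.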

Section 2: Launching the OpenVPN server into the public subnet of your VPC

  1. Navigate to the VPC Dashboard and verify that you are still using the region US East.
  2. Click the Launch Instance button and select the Classic Wizard.
  3. Navigate to the AWS Marketplace tab and search for OpenVPN.
    VPNserver_01.PNG
  4. Choose the OpenVPN Access Server, navigate to the Launch with EC2 Console tab and hit the Launch with EC2 Console button in the region US East.
    VPNserver_03b.PNG
  5. Review the AMI details and click Continue in the wizard.
  6. In the Instance Details dialog choose T1 Micro as instance type and select your public subnet (e.g. 10.0.0.0/24) in the EC2-VPC tab. Finally, hit the Continue button.
    VPNserver_05.PNG
  7. On the next screen use the default values and assign a static IP (e.g. 10.0.0.99) to the eth0 network adapter of your OpenVPN server. Then hit the Continue button.
    VPNserver_06.PNG
  8. Review the default storage settings and hit the Continue button.
  9. In the tags dialog enter OpenVPN server as value for the Name key and hit Continue.
  10. On the next screen select Create a new key pair, enter a name and click the Create & Download your Key Pair button. Store this key pair of your instance in a safe place.
    VPNserver_09.PNG
  11. In the Configure Firewall dialog select Create new Security Group, name it OpenVPN and add inbound rules for TCP port 22 (SSH), TCP port 443 (HTTPS for the OpenVPN WebUI) and UDP port 1194 (UDP based VPN) as shown in the screenshot.
    VPNserver_11.PNG
    Important remark: We strongly recommend restricting access to these ports to trusted IP addresses, e.g. the IP address range of your company or your ISP.
  12. Hit the Continue button, review your launch configuration and hit the Launch button.
  13. Navigate to Instances in the navigation pane and wait until your instance has launched successfully.
  14. Select your OpenVPN server instance and use the Actions menu to change the Source/Destination Check to Disabled.
    VPNserver_13.PNG
  15. Now navigate to Elastic IPs in the navigation pane, click Allocate New Address, and select EIP used in VPC.
    eIP_01.PNG
  16. Select the new EIP address, hit the Associate Address button and select the instance ID and IP of your OpenVPN server. Finally, confirm with Yes, Associate.
    eIP_03.PNG
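Step 11 of this section opens TCP 22, TCP 443 and UDP 1194 on the OpenVPN server, and the remark after it asks you to restrict those rules to trusted source ranges; step 9 of Section 1 asks for the default security group to have no rules at all. The following added example (not from the original tutorial) audits a security group in the shape of aws ec2 describe-security-groups against exactly that intent and shows the world-open rule beside its restricted form. The group IDs and the trusted range 203.0.113.0/24 are constructed placeholders; substitute your company's or ISP's range.

```python
"""Audit the OpenVPN server's security group against the tutorial's intent.

Added example (not from the original tutorial). Input follows the shape of
`aws ec2 describe-security-groups`; the sample is constructed so it runs offline.
"""
import copy
import ipaddress
from typing import List, Set, Tuple

# Ports the tutorial opens on the OpenVPN server: SSH, the web UI, the UDP tunnel.
EXPECTED_INBOUND: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443), ("udp", 1194)}

# Placeholder for your company/ISP range (RFC 5737 documentation prefix).
TRUSTED_CIDRS: List[str] = ["203.0.113.0/24"]

# Constructed sample: 22 and 443 already restricted, 1194 left open to the
# world, which is what a rule created with the wizard's default source looks like.
SAMPLE_SG = {
    "GroupId": "sg-openvpn-EXAMPLE",
    "GroupName": "OpenVPN",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def is_trusted(cidr: str, trusted: List[str]) -> bool:
    """True if the source CIDR lies entirely inside one of the trusted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for t in trusted:
        tnet = ipaddress.ip_network(t, strict=False)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def audit_inbound(sg: dict, expected: Set[Tuple[str, int]], trusted: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the group matches intent.

    Pass expected=set() and trusted=[] for a group that should have no rules,
    such as the VPC's default group after Section 1, step 9.
    """
    findings: List[str] = []
    seen: Set[Tuple[str, int]] = set()
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or lo is None:
            findings.append(f"rule allows all traffic ({proto}), expected explicit ports only")
            continue
        if lo != hi:
            findings.append(f"{proto} {lo}-{hi}: port range is wider than the expected single ports")
            continue
        key = (proto, lo)
        seen.add(key)
        if key not in expected:
            findings.append(f"{proto}/{lo}: unexpected inbound port")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if not is_trusted(cidr, trusted):
                findings.append(f"{proto}/{lo}: source {cidr} is not within a trusted range")
    for proto, port in sorted(expected - seen):
        findings.append(f"{proto}/{port}: expected rule is missing")
    return findings


def with_trusted_sources(sg: dict, cidr: str) -> dict:
    """Return a copy of the group with every inbound source replaced by one trusted CIDR."""
    hardened = copy.deepcopy(sg)
    for perm in hardened.get("IpPermissions", []):
        perm["IpRanges"] = [{"CidrIp": cidr}]
        perm["Ipv6Ranges"] = []
    return hardened


if __name__ == "__main__":
    print("as created:", audit_inbound(SAMPLE_SG, EXPECTED_INBOUND, TRUSTED_CIDRS))
    fixed = with_trusted_sources(SAMPLE_SG, TRUSTED_CIDRS[0])
    print("restricted:", audit_inbound(fixed, EXPECTED_INBOUND, TRUSTED_CIDRS) or "no findings")
```

The audit treats three things as findings: a rule for a port the tutorial does not call for, a source that is not inside a trusted range (0.0.0.0/0 never is), and an expected rule that is missing. Run it again after every change in the console, and once more against the VPC default group with an empty expectation set, so the empty default group of Section 1 stays empty.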

Section 3: Connecting to your OpenVPN server using SSH

  1. Extract the private key from the key pair of your OpenVPN instance that you downloaded during instance creation. Use PuTTYgen or a similar tool to import the key pair and save the private key as a ppk file.
    SSH_01.PNG
  2. Download and install an SSH client like PuTTY for your OS.
  3. Open your SSH client, enter the Elastic IP of your OpenVPN server and load the exported private key file for authentication in the SSH-Auth section.
    SSH_03.PNG
  4. Enter openvpnas as Auto-login username in the Connection-Data section and hit the Open button to log into your OpenVPN server.
  5. Proceed with the configuration of the OpenVPN server using the default settings. For more information consult the corresponding Quick Start Guide.
    SSH_04.PNG
  6. Now define a password for your OpenVPN admin user (the default user name is openvpn) by running sudo passwd openvpn (or using your own username) in the secure shell.
  7. Open the Admin WebUI using https://YourEIP/admin and log in with your admin user openvpn and your new password.
  8. Navigate to the Server Network Settings and verify that your Elastic IP corresponds to the Hostname setting.
  9. Navigate to the Routing section of the VPN Settings and verify that the CIDR block of your VPC (10.0.0.0/16) is specified as private subnet for access using NAT.
  10. Now that you are done with the basic configuration of your OpenVPN server, log out of the Admin WebUI and exit the secure shell.
    Remark: For security reasons you can also create non-admin VPN users in the User Management section of the Admin WebUI.
  11. Download and install an OpenVPN client for your OS (if you don’t already have one).
  12. Run the OpenVPN client and test your VPN connection by entering the Elastic IP of your OpenVPN server and log on with your VPN user (e.g. openvpn).
    openVPN_04.PNG
  13. Verify that the VPN connection to your VPC has been established successfully.

Section 4: Launching the trial instance into the private subnet of your VPC

As a prerequisite for this section I assume that you already purchased your trial solution in the SAP Store and registered your AWS account in the Test Drive Center for the SAP Cloud Appliance Library (CAL TDC) as shown in our video tutorial.

  1. Enter your CAL TDC account and navigate to the Solutions tab. Activate the trial solution you want to instantiate (if not already done) and hit Create Instance.
  2. In the Define General Properties dialog enter a name, select AWS (Amazon) as IaaS provider, choose us-east-1 as region and select Access From Corporate Network and choose your private subnet (e.g. 10.0.1.0/24).
    CAL_instance_01.PNG
  3. In the Configure Virtual Machine dialog review the Virtual Machine Size (choose the recommended size) and the access points of your instance (defaults should be fine unless you have specific requirements).
  4. In the next dialog set the master password for your trial instance (used for several system users as documented in the corresponding user guide).
  5. In the following dialogs you can configure a schedule (optional) and complement your cost forecast (optional).
  6. Finally review your trial instance properties and hit the Finish button.
    CAL_instance_02.PNG
  7. Download the key pair of your trial instance and store it in a safe place. As shown above, you can export the private key of your trial instance with PuTTYgen as a ppk file.
  8. Wait until the initial provisioning process has finished and your trial instance is up and running.
  9. Click on your running trial instance and copy the IP address to your clipboard. For your convenience, add the IP to hostname mapping to your local /etc/hosts file. This enables you to use the hostname of your trial instance in SAP GUI or other local clients.
    hostname_etc_hosts_01.PNG

That’s basically it! Use your VPN client to connect to your VPC and work with your trial instance. For example, you can now SSH into your trial instance as root using its private key file or connect via SAP GUI with one of the predefined SAP users. Of course, you can deploy additional systems into the private subnet of your VPC if required.


6 Comments


  1. Hannes Kuehnemund

    Hi Christopher,

    this is an awesome guide. The step-by-step nature of this blog is essential in case the user is not yet familiar with the AWS webconsole. 5 stars for your outstanding contribution!

    Regards,

      Hannes

  2. Donald James Elemento

    Great guide!

    Have you heard of a bastion host? that’s another way of getting into your EC2 instance without having to setup VPN. Management becomes easy and still very secure especially if you want to put up only a few trial systems on AWS

  3. Martin English

    I couldn’t find the default password for user openvpn  – This meant I couldn’t connect to the web admin, nor could I use my VPN client (since the only user I had was openvpn).

    I was able to connect to the OpenVPN appliance via SSH tho, so rather than terminate the appliance and start again (and defining the password as specified in https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/ ) I changed the password for user openvpn as follows:

    openvpn@openvpnas2:~$ sudo passwd openvpn

    Enter new UNIX password:

    Retype new UNIX password:

    passwd: password updated successfully

    openvpn@openvpnas2:~$

    hth

  4. Andrean Kurin

    Thank you Christopher, your excellent guide helped me a lot!

    I have some comments, perhaps they can help to someone:

    1.) Sequence of doing things: I created firstly my SAP trial instance and only after that went for the vpn solution. This way seemed to me simpler.

    2.) It seems that the OpenVPN client is not available anymore for download from the OpenVPN site, or at least it looks now different, configuration of OpenVPN Gui seems to be more complicated than it used to be. There is however still a way to download the OpenVPN client, from our OpenVPN instance itself.

    To download the “OpenVPN client” you should enter the IP of your OpenVPN server into a browser, enter your user/password, switch to “login” and choose “Go”.

    Regarding this topic, the following guides could be also useful:

    https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/

    http://resources.intenseschool.com/amazon-aws-howto-connect-to-vpc-using-openvpn/

    Best Regards,

    Andrean
