Virtual Private Cloud with VPN Access for SAP Trials provided as Virtual Appliance
In this tutorial I show all the steps required to set up a virtual private cloud (VPC) on AWS with VPN access for your trial instances provided as virtual appliances by the SAP Cloud Appliance Library. The proposed setup consists of a VPC with an internet gateway, an OpenVPN Access Server in the public subnet of the VPC, and your trial instance in the private subnet of the VPC, as illustrated in the drawing below.
Remark: Alternatively, you may follow this tutorial which shows a much quicker, but less secure approach.
Please keep in mind that this is just a proposal to get you started quickly, and only one of several ways to realize such a scenario in a fairly secure way. There are many more installation and configuration options which are not shown below, so this might not be the perfect setup for your personal use case. Please also consider the alternative scenarios explained in the VPC documentation. In addition, we always recommend setting up a billing alert for your AWS account to avoid unpleasant surprises.
Section 1: Creating the VPC with public and private subnet
As a prerequisite for this section I assume that you already have a valid Amazon Web Services (AWS) account. Otherwise navigate to the AWS homepage and sign up.
- Sign in to the AWS console of your AWS account: https://console.aws.amazon.com/console/home
- Navigate to the VPC Dashboard and select the region US East.
- Click on the Start VPC Wizard button.
- Select VPC with a Single Public Subnet Only and click Continue.
- On the next screen use the default settings (VPC: 10.0.0.0/16; public subnet: 10.0.0.0/24) and click Create VPC.
- After your VPC has been created navigate to Route Tables in the navigation pane and click on the custom route table associated with your subnet (Main attribute = No).
- Besides the local route, the custom route table of this public subnet contains a route that sends traffic destined for IP addresses outside your VPC through the associated internet gateway.
- You can verify that the main route table of your VPC only enables the local route but no route to the Internet.
- Navigate to Security Groups in the navigation pane, click on the default VPC security group, delete all existing inbound and outbound rules, and apply the rule changes.
- Navigate to Subnets in the navigation pane and click Create Subnet.
- Create a private subnet within your existing VPC, choose the same availability zone as your public subnet, but define a separate CIDR block (private subnet: 10.0.1.0/24).
- Verify that the private subnet is using the main route table which only contains the public subnet as local destination.
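The route table checks in this section can also be done on exported data. The following is an added example, not part of the original tutorial: it classifies subnets as public or private from JSON in the shape returned by `aws ec2 describe-route-tables`, applying the rule that a subnet without an explicit association uses the main route table. All IDs in the sample are constructed placeholders.

```python
# Added example: sample data below is constructed, not real AWS output.
SAMPLE_ROUTE_TABLES = [
    {   # main route table: local route only, no explicit subnet association
        "RouteTableId": "rtb-main-example",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # custom route table of the public subnet: local route plus internet gateway
        "RouteTableId": "rtb-custom-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-public-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
]

def effective_route_table(subnet_id, route_tables):
    """Return the explicitly associated route table, else the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("no main route table found in input")
    return main

def has_internet_route(route_table):
    """True if the table has a default route through an internet gateway."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("GatewayId", "").startswith("igw-")
        for r in route_table.get("Routes", [])
    )

def classify_subnets(subnet_ids, route_tables):
    """Map each subnet ID to 'public' or 'private' based on its effective routes."""
    return {
        s: "public" if has_internet_route(effective_route_table(s, route_tables)) else "private"
        for s in subnet_ids
    }

if __name__ == "__main__":
    subnets = ["subnet-public-example", "subnet-private-example"]
    for subnet, kind in classify_subnets(subnets, SAMPLE_ROUTE_TABLES).items():
        print(subnet, kind)
```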
Section 2: Launching the OpenVPN server into the public subnet of your VPC
- Navigate to the VPC Dashboard and verify that you are still using the region US East.
- Click the Launch Instance button and select the Classic Wizard.
- Navigate to the AWS Marketplace tab and search for OpenVPN.
- Choose the OpenVPN Access Server, navigate to the Launch with EC2 Console tab and hit the Launch with EC2 Console button in the region US East.
- Review the AMI details and click Continue in the wizard.
- In the Instance Details dialog choose T1 Micro as instance type and select your public subnet (e.g. 10.0.0.0/24) in the EC2-VPC tab. Finally, hit the Continue button.
- On the next screen use the default values and assign a static IP (e.g. 10.0.0.99) to the eth0 network adapter of your OpenVPN server. Then hit the Continue button.
- Review the default storage settings and hit the Continue button.
- In the tags dialog enter OpenVPN server as value for the Name key and hit Continue.
- On the next screen select Create a new key pair, enter a name and click the Create & Download your Key Pair button. Store this key pair of your instance in a safe place.
- In the Configure Firewall dialog select Create new Security Group, name it OpenVPN and add inbound rules for TCP port 22 (SSH), TCP port 443 (HTTPS for the OpenVPN WebUI) and UDP port 1194 (UDP based VPN) as shown in the screenshot.
Important remark: We recommend restricting access to these ports to trusted IP addresses, i.e. the IP address range of your company or your ISP.
- Hit the Continue button, review your launch configuration and hit the Launch button.
- Navigate to Instances in the navigation pane and wait until your instance has launched successfully.
- Select your OpenVPN server instance and use the Actions menu to Change the Source/Destination check to disabled.
- Now navigate to Elastic IPs in the navigation pane, click the Allocate New Address, and select EIP used in VPC.
- Select the new EIP address, hit the Associate Address button and select the instance ID and IP of your OpenVPN server. Finally, confirm with Yes, Associate.
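To check that the OpenVPN security group matches the recommendation above (only TCP 22, TCP 443 and UDP 1194, each limited to trusted address ranges), the following added example audits inbound rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`. It is not part of the original tutorial; the sample rules and the trusted range 203.0.113.0/24 (a documentation range) are constructed.

```python
import ipaddress

# Ports the tutorial opens on the OpenVPN security group.
EXPECTED_PORTS = {("tcp", 22), ("tcp", 443), ("udp", 1194)}

# Constructed sample: SSH left open to the world, plus one port the tutorial never asks for.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
     "IpRanges": [{"CidrIp": "203.0.113.17/32"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

def audit_ingress(ip_permissions, trusted_cidrs):
    """Return sorted (issue, protocol, ports, source) findings for inbound rules."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # Protocol "-1" means all traffic and carries no port range.
        ports = "all" if proto == "-1" or lo is None else f"{lo}-{hi}"
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        expected = lo == hi and (proto, lo) in EXPECTED_PORTS
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            if not expected:
                findings.add(("unexpected-port", proto, ports, src))
            # A source is trusted only if it lies entirely inside a trusted range.
            if not any(t.version == net.version and net.subnet_of(t) for t in trusted):
                findings.add(("untrusted-source", proto, ports, src))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_PERMISSIONS, ["203.0.113.0/24"]):
        print(finding)
```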
Section 3: Connecting to your OpenVPN server using SSH
- Extract the private key from your OpenVPN instance key pair that you downloaded during instance creation. Use PuTTYgen or a similar tool to import the key pair and save the private key as a ppk file.
- Download and install an SSH client like PuTTY for your OS.
- Open your SSH client, enter the Elastic IP of your OpenVPN server and load the exported private key file for authentication in the SSH-Auth section.
- Enter openvpnas as Auto-login username in the Connection-Data section and hit the Open button to log into your OpenVPN server.
- Proceed with the configuration of the OpenVPN server using the default settings. For more information consult the corresponding Quick Start Guide.
- Now define a password for your OpenVPN admin user (default was openvpn) by running sudo passwd openvpn (or using your username) in the secure shell.
- Open the Admin WebUI using https://YourEIP/admin and log in with your admin user openvpn and your new password.
- Navigate to the Server Network Settings and verify that your Elastic IP corresponds to the Hostname setting.
- Navigate to the Routing section of the VPN Settings and verify that the CIDR block of your VPC (10.0.0.0/16) is specified as private subnet for access using NAT.
- You are now done with the basic configuration of your OpenVPN server. Log out of the Admin WebUI and exit the secure shell.
Remark: For security reasons you can also create non-admin VPN users in the User Management section of the Admin WebUI.
- Download and install an OpenVPN client for your OS (if you don’t already have one).
- Run the OpenVPN client and test your VPN connection by entering the Elastic IP of your OpenVPN server and logging on with your VPN user (e.g. openvpn).
- Verify that the VPN connection to your VPC has been established successfully.
Section 4: Launching the trial instance into the private subnet of your VPC
As a prerequisite for this section I assume that you have already purchased your trial solution in the SAP Store and registered your AWS account in the Test Drive Center for the SAP Cloud Appliance Library (CAL TDC) as shown in our video tutorial.
- Enter your CAL TDC account and navigate to the Solutions tab. Activate the trial solution you want to instantiate (if not already done) and hit Create Instance.
- In the Define General Properties dialog enter a name, select AWS (Amazon) as IaaS provider, choose us-east-1 as region and select Access From Corporate Network and choose your private subnet (e.g. 10.0.1.0/24).
- In the Configure Virtual Machine dialog review the Virtual Machine Size (choose the recommended size) and the access points of your instance (defaults should be fine unless you have specific requirements).
- In the next dialog set the master password for your trial instance (used for several system users as documented in the corresponding user guide).
- In the following dialogs you can configure a schedule (optional) and complement your cost forecast (optional).
- Finally review your trial instance properties and hit the Finish button.
- Download the key pair of your trial instance and store it in a safe place. As shown above, you can export the private key of your trial instance with PuTTYgen as a ppk file.
- Wait until the initial provisioning process has finished and your trial instance is up and running.
- Click on your running trial instance and copy the IP address to your clipboard. For your convenience, add the IP to hostname mapping to your local /etc/hosts file. This enables you to use the hostname of your trial instance in SAP GUI or other local clients.
That’s basically it! Use your VPN client to connect to your VPC and work with your trial instance. For example, you can now SSH into your trial instance as root using its private key file or connect via SAP GUI with one of the predefined SAP users. Of course, you can deploy additional systems into the private subnet of your VPC if required.