SSH to VPC instances

Schema

How do I deploy my app through a Virtual Private Cloud? And what is a Virtual Private Cloud?

This picture will help you understand the VPC:

This is a three-tier infrastructure: traffic from the internet is received by the master load balancers (HAProxy). The master load balancer routes traffic to its backend, a Django application running under nginx and uWSGI. The Django application stores its data in a master PostgreSQL database, which is replicated to a slave PostgreSQL database.

Firewall rules:

  • IGW: Internet Gateway, passes traffic from the internet into the VPC via a default (catch-all) route:
    • ROUTE 0.0.0.0 TO IGW
  • SG1: Security Group 1 (NETWORK_CIDR: 192.168.10.0/24):
    • ALLOW TCP FROM ANYWHERE ON PORTS 80,443
    • ALLOW TCP FROM OFFICE_IP ON PORT 22
    • ALLOW TCP FROM SG1 ON PORT 22
  • SG2: Security Group 2 (NETWORK_CIDR: 192.168.20.0/24):
    • ALLOW TCP FROM SG1 ON PORT 22
    • ALLOW TCP FROM SG1 ON PORTS 80,443
  • SG3: Security Group 3 (NETWORK_CIDR: 192.168.30.0/24):
    • ALLOW TCP FROM SG1 ON PORT 22
    • ALLOW TCP FROM SG2 ON PORT 5432

Networking & Hosts

SG#1:

  • HAProxy#1 : 192.168.10.11 (public IP: 171.33.85.134)
  • HAProxy#2 : 192.168.10.12

SG#2:

  • Django#1 : 192.168.20.11
  • Django#2 : 192.168.20.12

SG#3:

  • Postgres#1 : 192.168.30.11
  • Postgres#2 : 192.168.30.12

Requirements

  • A virtual private cloud (VPC)
  • An SSH service running on a public host (a host with a public IP)
  • The host with the public IP must be able to connect to the other hosts within the VPC
  • An SSH client installed on the client side
  • An SSH agent up and running on the client side

Configuration

It's very simple to SSH to a Django host or a PostgreSQL host. SSH provides

File: ~/.ssh/config:

Host 192.168.20.11
        User root
        IdentityFile ~/.ssh/demo.pem
        # disables host-key verification for this host
        StrictHostKeyChecking no
        ForwardAgent yes
        # open a tunnel to %h:%p through the public HAProxy host (the jump host)
        ProxyCommand ssh -W %h:%p 171.33.85.134 -l root

Now let's test:

$ ssh 192.168.20.11
Last login: Tue Dec  8 22:34:25 2015 from ip-192-168-10-11.eu-west-2.compute.internal
[root@ip-192-168-20-11 ~]#

It's OK!

Note

The last login came from HAProxy (IP 192.168.10.11): this means a new connection is made from the first host (171.33.85.134), and that's why SSH connectivity from the public host to the private hosts is required.

root is used as the remote user, you should replace root with your own remote user.
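As an added example (not part of the original post), the same idea generalized to every private host on the page, with the jump host factored out into its own entry and host-key verification kept on. The `bastion` alias, the separate known_hosts file and the `deploy` user are assumptions; the IPs and key path come from the page.

```sshconfig
# Jump host: the HAProxy node with the public IP (from the page)
Host bastion
        HostName 171.33.85.134
        User deploy                     # assumed; replace with your remote user
        IdentityFile ~/.ssh/demo.pem
        IdentitiesOnly yes              # offer only this key, not every key in the agent

# Every Django (SG2) and PostgreSQL (SG3) host is reached through the bastion
Host 192.168.20.* 192.168.30.*
        User deploy                     # assumed; replace with your remote user
        IdentityFile ~/.ssh/demo.pem
        IdentitiesOnly yes
        ProxyCommand ssh -W %h:%p bastion
        # ProxyJump bastion            # equivalent on OpenSSH 7.3 and newer
        # The original uses "StrictHostKeyChecking no", which accepts any host key
        # and so cannot detect a substituted host on the path; "ask" keeps the
        # first-connection prompt and rejects a changed key afterwards.
        StrictHostKeyChecking ask
        UserKnownHostsFile ~/.ssh/known_hosts_vpc   # assumed file name
        # Forward the agent only when the private host itself must SSH onward;
        # for a plain login, keep the key confined to the client.
        ForwardAgent no
```

With this in place `ssh 192.168.30.12` reaches Postgres#2 through the bastion, and a host whose key changes since the first login is refused rather than silently accepted.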

Now it's possible to deploy software or custom configuration to private hosts inside a VPC without any VPN or DirectConnect!
