
Access Amazon FSx for Windows through AWS ClientVPN

The purpose of this repository is to demo how a file share hosted in Amazon FSx for Windows can be remote and privately mounted into a client device through an AWS ClientVPN connection.

The Cloudformation template (main.yaml) deploys an AWS Managed Microsoft AD to allow for authentication and authorization to access the file share, an Amazon FSx file system to host the file shares, and an AWS Client VPN endpoint and gateway to enable remote access. To ensure high availability, the template deploys a VPC with six different subnets and spreads each component over two AWS Availability Zones.

You can read more in this blog post

Architecture

[Architecture diagram: fsx-through-clientvpn]

Prerequisites

Client VPN supports different authentication types: Active Directory authentication, mutual authentication, and single sign-on (SAML-based federated authentication) (user-based). For this demo we use Active Directory authentication but, regardless of the type chosen, a server certificate must be provisioned in AWS Certificate Manager.

Follow the steps below to generate the certificate:

  1. Clone the OpenVPN easy-rsa repo to your local computer and navigate to the easy-rsa/easyrsa3 folder.
     git clone https://github.com/OpenVPN/easy-rsa.git
     cd easy-rsa/easyrsa3
  2. Initialize a new PKI environment.
     ./easyrsa init-pki
  3. To build a new certificate authority (CA), run this command and follow the prompts.
     ./easyrsa build-ca nopass
  4. Generate the server certificate and key.
     ./easyrsa build-server-full server nopass
  5. Upload the server certificate and key to ACM. Be sure to upload them in the same Region in which you intend to create the Client VPN endpoint.
     aws acm import-certificate --certificate fileb://pki/issued/server.crt --private-key fileb://pki/private/server.key --certificate-chain fileb://pki/ca.crt
  6. Save the certificate ARN returned by the previous command. [1]
     {
         "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
     }

Launch the AWS Cloudformation Stack

Using AWS Console

Click on the Launch Stack button below to launch the CloudFormation stack that sets up the Amazon FSx file system demo in the Region of your preference. By default, the demo is deployed in the eu-west-1 (Ireland) Region.

Launch CFN stack

Parameters you must provide:

  • Stack name: e.g. fsx-through-clientvpn.
  • VPN Server Certificate Arn: use the certificate ARN saved in [1].
  • AD Password: set a password for the admin user of the AD. Make sure your password complies with the AWS Managed Microsoft AD password requirements.

Using AWS CLI

You can launch the same stack using the AWS CLI. Here's an example:

aws cloudformation create-stack --stack-name fsx-through-clientvpn \
   --template-body file://main.yaml \
   --capabilities CAPABILITY_NAMED_IAM \
   --region eu-west-1 \
   --parameters ParameterKey=VPNServerCertArn,ParameterValue=<CertificateArn> ParameterKey=ADPassword,ParameterValue=<YOUR_AD_PASSWORD>
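Two things go wrong most often with the inputs above: the certificate was imported in a different Region than the stack (step 5 of the prerequisites), and the AD password does not meet the directory's rules. This added example (not code from the repository) extracts the ARN from the `import-certificate` output, checks both inputs, and builds the `create-stack` command with each `ParameterKey=...` pair as its own argument; the stack and parameter names are the ones from the command above.

```python
import json
import re

# Added example, not code from the repository: pre-flight checks on the two
# stack parameters before calling `aws cloudformation create-stack`.
ACM_ARN_RE = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12})"
    r":certificate/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)

def certificate_arn_from_import(output_json: str) -> str:
    """Extract CertificateArn from the JSON that `aws acm import-certificate` prints."""
    return json.loads(output_json)["CertificateArn"]

def check_certificate_region(arn: str, stack_region: str) -> str:
    """ACM certificates are regional: the Client VPN endpoint can only use a
    certificate imported in its own Region. Returns the certificate's Region."""
    m = ACM_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {arn}")
    if m["region"] != stack_region:
        raise ValueError(f"certificate is in {m['region']}, stack targets {stack_region}")
    return m["region"]

def check_ad_password(password: str) -> None:
    """AWS Managed Microsoft AD admin password rule: 8 to 64 characters, drawn from
    at least three of the four classes lowercase, uppercase, digit, non-alphanumeric."""
    if not 8 <= len(password) <= 64:
        raise ValueError("AD password must be 8 to 64 characters long")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        raise ValueError("AD password needs three of: lowercase, uppercase, digit, symbol")

def create_stack_argv(cert_arn: str, ad_password: str, region: str = "eu-west-1") -> list:
    """Build the create-stack command as an argv list. Each ParameterKey=... pair is
    its own argument; on the shell command line they must be separated by a space."""
    check_certificate_region(cert_arn, region)
    check_ad_password(ad_password)
    return [
        "aws", "cloudformation", "create-stack",
        "--stack-name", "fsx-through-clientvpn",
        "--template-body", "file://main.yaml",
        "--capabilities", "CAPABILITY_NAMED_IAM",
        "--region", region,
        "--parameters",
        f"ParameterKey=VPNServerCertArn,ParameterValue={cert_arn}",
        f"ParameterKey=ADPassword,ParameterValue={ad_password}",
    ]
```

Pass the returned list to `subprocess.run` rather than joining it into one string, so the password is never re-parsed by a shell.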

How to mount and access your file system

  1. Download AWS Client VPN for your OS here.
  2. Retrieve the Client VPN endpoint ID. This value can be found on the "Outputs" tab of your stack, or via the CLI:
     aws cloudformation describe-stacks --stack-name fsx-through-clientvpn \
        --query "Stacks[0].Outputs[0].OutputValue" \
        --region eu-west-1
  3. Download the client configuration file.
     aws ec2 export-client-vpn-client-configuration \
        --client-vpn-endpoint-id <CLIENT_ENDPOINT_ID> \
        --output text --region eu-west-1 >> client-config.ovpn
  4. Open AWS Client VPN, add a new profile and select the config file you just downloaded.
  5. Connect to the created profile. Enter your user name (admin) and password (<YOUR_AD_PASSWORD>), and click OK to connect.
  6. Retrieve the FSx DNS name. This value can be found on the "Outputs" tab of your stack, or via the CLI:
     aws cloudformation describe-stacks --stack-name fsx-through-clientvpn \
        --query "Stacks[0].Outputs[1].OutputValue" \
        --region eu-west-1
  7. Mount the Amazon FSx file share. The following steps show you how to mount your Amazon FSx file share on macOS.

macOS

Open a new Finder window. In the status bar, click on Go then Connect to server.

[Screenshot: macos-fsx]

In the connection window, enter smb://<FSX_DNS_NAME>/share, where <FSX_DNS_NAME> is the FSx DNS name retrieved in step 6. When prompted, enter your administrator credentials.
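The `--query "Stacks[0].Outputs[N].OutputValue"` form used in steps 2 and 6 depends on the order in which CloudFormation returns the outputs. This added example (not code from the repository) reads the outputs by key instead, refuses a stack that has not finished deploying, and derives both the export command of step 3 and the SMB URL of step 7 from them; the OutputKey names and the sample values are constructed assumptions, the real keys are whatever main.yaml declares.

```python
import json

# Constructed sample of `aws cloudformation describe-stacks --output json`.
# The OutputKey names and values are assumptions, not taken from main.yaml.
SAMPLE_DESCRIBE_STACKS = json.dumps({
    "Stacks": [{
        "StackName": "fsx-through-clientvpn",
        "StackStatus": "CREATE_COMPLETE",
        "Outputs": [
            {"OutputKey": "FSxDNSName", "OutputValue": "fs-0123456789abcdef0.example.corp"},
            {"OutputKey": "ClientVPNEndpointId", "OutputValue": "cvpn-endpoint-0123456789abcdef0"},
        ],
    }]
})

COMPLETE_STATES = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}


def stack_outputs(describe_json: str) -> dict:
    """Map OutputKey -> OutputValue, refusing a stack that is still rolling out
    (its Outputs list is empty or partial until the stack reaches *_COMPLETE)."""
    stack = json.loads(describe_json)["Stacks"][0]
    if stack["StackStatus"] not in COMPLETE_STATES:
        raise RuntimeError(f"stack {stack['StackName']} is {stack['StackStatus']}")
    return {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}


def export_config_argv(outputs: dict, region: str = "eu-west-1") -> list:
    """The export-client-vpn-client-configuration command of step 3, as argv."""
    endpoint = outputs["ClientVPNEndpointId"]
    if not endpoint.startswith("cvpn-endpoint-"):
        raise ValueError(f"unexpected Client VPN endpoint id: {endpoint}")
    return ["aws", "ec2", "export-client-vpn-client-configuration",
            "--client-vpn-endpoint-id", endpoint, "--output", "text", "--region", region]


def smb_share_url(outputs: dict, share: str = "share") -> str:
    """URL to paste into Finder's Connect to Server dialog (step 7)."""
    return f"smb://{outputs['FSxDNSName']}/{share}"
```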

Clean up

After completing your demo, delete the AWS CloudFormation stack and the imported certificate using the AWS Console or the AWS CLI:

aws cloudformation delete-stack --stack-name fsx-through-clientvpn --region eu-west-1
aws acm delete-certificate \
   --certificate-arn arn:aws:acm:eu-west-1:123456789012:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee \
   --region eu-west-1

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Authors

  • Carmen Pino Cuevas
  • Serhat Gulbetekin
