6.4 Create a Custom VPC Part 3

Video Activity

Time
3 hours 27 minutes
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:00
Hello
00:01
and welcome back to
00:03
part three of our custom VPC creation lab.
00:07
In our last video, we launched two EC2 instances,
00:11
one in our public subnet
00:13
and one in our private subnet.
00:15
In this video we will connect to both instances
00:18
by first connecting to our public instance
00:21
and then using it as a jump box to connect to our private instance.
00:26
So let's log back into the AWS console.
00:30
Let's type EC2 to get back into the EC2 dashboard.
00:41
We have two EC2 instances currently running,
00:44
one in our public subnet and one in our private subnet.
00:48
So now let's go to the VPC dashboard.
01:00
We will filter on our custom VPC.
01:06
Next, let's click Subnets.
01:10
Again, I will filter on the subnets associated with our custom VPC.
01:15
If you recall, we placed our private subnet in the default VPC.
01:21
We will need to edit the default VPC security group to permit communication with our public subnet security group.
01:29
So click Security Groups,
01:33
filter on just our custom VPC security group,
01:41
select the default security group and then click Inbound Rules,
01:49
then edit rules,
01:53
So we will add a rule that says that the custom VPC security group is permitted to access
01:59
our private EC2 instance.
02:01
And for the purpose of this demo, we will permit all traffic from the custom VPC security group.
02:24
Now let's go back to the EC2 dashboard and grab the IP address of our public EC2 instance.
02:45
Copy it to the clipboard.
02:47
Now we will log into the EC2 instance from my Linux VM.
02:53
I'm already in the directory that contains my private key.
03:00
In previous lessons
03:01
I showed you how to log in to our EC2 instance by SSH using the identity file flag.
03:12
Well, that works okay to a point.
03:15
For instance,
03:15
what happens when we have to log into multiple servers
03:19
or, like in our design where we have placed our second server in the private subnet,
03:25
how do we log into it?
03:28
The private key,
03:29
in this case the cybrary_dmz.pem file, is actually stored
03:35
on my Linux VM.
03:38
It's extremely insecure to store the private key on the jump box
03:43
or our internal private server.
03:46
Visualize the public key as a bank vault;
03:51
the private key is the combination to the bank vault.
03:53
So it's probably a really bad idea
03:57
to store those
03:59
both in the same place from a security standpoint.
04:02
So how do we solve this problem?
04:04
Well, there are a few ways that we could accomplish this, but the easiest way would be for us to use
04:12
SSH agent forwarding.
04:15
SSH agent in Linux distributions will permit us to place our private key in memory
04:20
and then forward it to the instance that we wish to access without having to attach the identity file.
04:29
So from a command line, we just type ssh-add
04:32
and
04:33
then paste in our private key.
04:36
This places the key in memory.
04:47
To see which key is in memory, just type
04:50
ssh-add
04:53
space
04:55
and then -l.
04:57
This will list the key that is in memory.
05:05
Then we could just type ssh
05:09
-A
05:11
and then the username and IP address of our public instance.
05:15
The
05:16
-A parameter
05:18
takes the key in memory
05:20
and will pass it on to our instance for authentication.
05:27
How cool is that?
05:29
So
05:30
now we have successfully authenticated to our public instance.
05:33
Next, let's attempt to log in to our private instance,
05:39
We log into our private servers from our public servers.
05:43
This concept is referred to as using a bastion host,
05:46
and it's a security best practice since we're only permitting access to our private instance from our bastion host or jump box.
05:58
So I'll connect back to the AWS console to get the IP address of our private server.
06:09
Now back to our Linux VM.
06:11
Let's attempt to log into our private instance using ssh -A again.
06:27
And presto,
06:28
we have successfully connected to our private server from our bastion host.
06:36
I will type pwd to show our present working directory,
06:42
then try yum update.
06:51
Well, first, I would need to make myself root.
07:00
Okay, so we're now root.
07:02
Let's try that yum update again,
07:13
and we see that nothing happens.
07:15
Why do you think that is?
07:17
Well, if you recall
07:19
our private instance resides in subnet B,
07:24
which does not have a public IP address, so therefore it's not routable across the Internet.
07:30
How do you think we can overcome this obstacle?
07:33
You guessed it. We need to create a NAT gateway to translate our private IP to a public IP.
07:41
We will create our NAT gateway in the next lesson. See you there.