Trying the "AWS Client VPN Basic Hands-on Pattern 2: Active Directory authentication (user-based)" above with the AWS CLI
Quoted from the hands-on
1. Common settings
For the common settings, see item 1 of "Trying AWS Client VPN Basic Hands-on Pattern 1: mutual authentication (certificate-based) with the AWS CLI" below
2. Pattern 2: Active Directory authentication (user-based)
2-1. Creating the Directory Service
Set variable (directory DNS name)
Command
NAME='cvpn-hands-on.example.com' \
&& echo ${NAME}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ NAME='cvpn-hands-on.example.com' \
> && echo ${NAME}
cvpn-hands-on.example.com
Set variable (password)
Command
PAWSSWORD=$(head -c 12 /dev/urandom | base64) \
&& echo ${PAWSSWORD}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ PAWSSWORD=$(head -c 12 /dev/urandom | base64) \
> && echo ${PAWSSWORD}
XlnegbozZdWe8kFp
Set variable (size)
Command
SIZE='Small' \
&& echo ${SIZE}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ SIZE='Small' \
> && echo ${SIZE}
Small
Command
aws ds create-directory \
--name ${NAME} \
--password ${PAWSSWORD} \
--size ${SIZE} \
--vpc-settings VpcId=${VPC_ID},SubnetIds=${SUBNET_ID_1},${SUBNET_ID_2}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ds create-directory \
> --name ${NAME} \
> --password ${PAWSSWORD} \
> --size ${SIZE} \
> --vpc-settings VpcId=${VPC_ID},SubnetIds=${SUBNET_ID_1},${SUBNET_ID_2}
{
"DirectoryId": "d-95675e5505"
}
Get the Directory Service ID (stored in DS_ARN)
Command
DS_ARN=$( \
aws ds describe-directories \
--query "DirectoryDescriptions[?Name=='${NAME}'].DirectoryId" \
--output text
) \
&& echo ${DS_ARN}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ DS_ARN=$( \
> aws ds describe-directories \
> --query "DirectoryDescriptions[?Name=='${NAME}'].DirectoryId" \
> --output text
> ) \
> && echo ${DS_ARN}
d-95675e5505
2-2. Creating the Client VPN endpoint
Set variable (Client VPN endpoint name)
Command
CLIENT_VPN_ENDPOINT_NAME='cvpn-hands-on' \
&& echo ${CLIENT_VPN_ENDPOINT_NAME}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ CLIENT_VPN_ENDPOINT_NAME='cvpn-hands-on' \
> && echo ${CLIENT_VPN_ENDPOINT_NAME}
cvpn-hands-on
Set variable (client IPv4 CIDR)
Command
CLIENT_CIDR_BLOCK='192.168.252.0/22' \
&& echo ${CLIENT_CIDR_BLOCK}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ CLIENT_CIDR_BLOCK='192.168.252.0/22' \
> && echo ${CLIENT_CIDR_BLOCK}
192.168.252.0/22
Create the Client VPN endpoint
Command
aws ec2 create-client-vpn-endpoint \
--client-cidr-block ${CLIENT_CIDR_BLOCK} \
--server-certificate-arn ${SERVER_CERT_ARN} \
--authentication-options Type=directory-service-authentication,ActiveDirectory={DirectoryId=${DS_ARN}} \
--connection-log-options "Enabled=true,CloudwatchLogGroup=${LOG_GROUP_NAME},CloudwatchLogStream=${LOG_STREAM_NAME}" \
--tag-specifications "ResourceType=client-vpn-endpoint,Tags=[{Key=Name,Value=${CLIENT_VPN_ENDPOINT_NAME}}]" \
--vpc-id ${VPC_ID} \
--split-tunnel
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 create-client-vpn-endpoint \
> --client-cidr-block ${CLIENT_CIDR_BLOCK} \
> --server-certificate-arn ${SERVER_CERT_ARN} \
> --authentication-options Type=directory-service-authentication,ActiveDirectory={DirectoryId=${DS_ARN}} \
> --connection-log-options "Enabled=true,CloudwatchLogGroup=${LOG_GROUP_NAME},CloudwatchLogStream=${LOG_STREAM_NAME}" \
> --tag-specifications "ResourceType=client-vpn-endpoint,Tags=[{Key=Name,Value=${CLIENT_VPN_ENDPOINT_NAME}}]" \
> --vpc-id ${VPC_ID} \
> --split-tunnel
{
"ClientVpnEndpointId": "cvpn-endpoint-07d961a1fc107db21",
"Status": {
"Code": "pending-associate"
},
"DnsName": "cvpn-endpoint-07d961a1fc107db21.prod.clientvpn.ap-northeast-1.amazonaws.com"
}
Get the Client VPN endpoint ID
Command
VPN_ENDPOINT_ID=$( \
aws ec2 describe-client-vpn-endpoints \
--query 'ClientVpnEndpoints[?Tags[?Key==`Name` && Value==`'${CLIENT_VPN_ENDPOINT_NAME}'`]].ClientVpnEndpointId' \
--output text) \
&& echo ${VPN_ENDPOINT_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ VPN_ENDPOINT_ID=$( \
> aws ec2 describe-client-vpn-endpoints \
> --query 'ClientVpnEndpoints[?Tags[?Key==`Name` && Value==`'${CLIENT_VPN_ENDPOINT_NAME}'`]].ClientVpnEndpointId' \
> --output text) \
> && echo ${VPN_ENDPOINT_ID}
cvpn-endpoint-07d961a1fc107db21
2-3. Associating the Client VPN endpoint with the target networks
Association 1
Command
aws ec2 associate-client-vpn-target-network \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
--subnet-id ${SUBNET_ID_3}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 associate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --subnet-id ${SUBNET_ID_3}
{
"AssociationId": "cvpn-assoc-04c2c4222ffa8982d",
"Status": {
"Code": "associating"
}
}
Association 2
Command
aws ec2 associate-client-vpn-target-network \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
--subnet-id ${SUBNET_ID_4}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 associate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --subnet-id ${SUBNET_ID_4}
{
"AssociationId": "cvpn-assoc-0323b379bea40c21d",
"Status": {
"Code": "associating"
}
}
2-4. Adding an authorization rule
Set variable (target CIDR)
Command
TARGET_NETWORK_CIDR=${VPC_CIDR_BLOCK} \
&& echo ${TARGET_NETWORK_CIDR}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ TARGET_NETWORK_CIDR=${VPC_CIDR_BLOCK} \
> && echo ${TARGET_NETWORK_CIDR}
10.255.0.0/16
Add the authorization rule
Command
aws ec2 authorize-client-vpn-ingress \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
--target-network-cidr ${TARGET_NETWORK_CIDR} \
--authorize-all-groups
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 authorize-client-vpn-ingress \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --target-network-cidr ${TARGET_NETWORK_CIDR} \
> --authorize-all-groups
{
"Status": {
"Code": "authorizing"
}
}
2-5. Checking the Client VPN endpoint route table
Command
aws ec2 describe-client-vpn-routes \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 describe-client-vpn-routes \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
{
"Routes": [
{
"ClientVpnEndpointId": "cvpn-endpoint-07d961a1fc107db21",
"DestinationCidr": "10.255.0.0/16",
"TargetSubnet": "subnet-02a12bd5821458acf",
"Type": "Nat",
"Origin": "associate",
"Status": {
"Code": "creating"
},
"Description": "Default Route"
},
{
"ClientVpnEndpointId": "cvpn-endpoint-07d961a1fc107db21",
"DestinationCidr": "10.255.0.0/16",
"TargetSubnet": "subnet-0bbff2eb355dc5746",
"Type": "Nat",
"Origin": "associate",
"Status": {
"Code": "creating"
},
"Description": "Default Route"
}
]
}
2-6. Checking the endpoint details
Command
aws ec2 describe-client-vpn-endpoints \
--client-vpn-endpoint-ids ${VPN_ENDPOINT_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 describe-client-vpn-endpoints \
> --client-vpn-endpoint-ids ${VPN_ENDPOINT_ID}
{
"ClientVpnEndpoints": [
{
"ClientVpnEndpointId": "cvpn-endpoint-07d961a1fc107db21",
"Description": "",
"Status": {
"Code": "available"
},
"CreationTime": "2024-06-01T05:38:39",
"DnsName": "*.cvpn-endpoint-07d961a1fc107db21.prod.clientvpn.ap-northeast-1.amazonaws.com",
"ClientCidrBlock": "192.168.252.0/22",
"SplitTunnel": true,
"VpnProtocol": "openvpn",
"TransportProtocol": "udp",
"VpnPort": 443,
"ServerCertificateArn": "arn:aws:acm:ap-northeast-1:999999999999:certificate/3d3528f8-8c50-475b-b446-f3244f57e44d",
"AuthenticationOptions": [
{
"Type": "directory-service-authentication",
"ActiveDirectory": {
"DirectoryId": "d-95675e5505"
}
}
],
"ConnectionLogOptions": {
"Enabled": true,
"CloudwatchLogGroup": "/aws/clientvpn",
"CloudwatchLogStream": "connection-log"
},
"Tags": [
{
"Key": "Name",
"Value": "cvpn-hands-on"
}
],
"SecurityGroupIds": [
"sg-058ace8919da5edd3"
],
"VpcId": "vpc-0f1e6c01fc104b72c",
"SelfServicePortalUrl": "https://self-service.clientvpn.amazonaws.com/endpoints/cvpn-endpoint-07d961a1fc107db21",
"ClientConnectOptions": {
"Enabled": false,
"Status": {
"Code": "applied"
}
},
"SessionTimeoutHours": 24,
"ClientLoginBannerOptions": {
"Enabled": false
}
}
]
}
2-7. Checking connections
Command
aws ec2 describe-client-vpn-connections \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 describe-client-vpn-connections \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
{
"Connections": [
{
"ClientVpnEndpointId": "cvpn-endpoint-07d961a1fc107db21",
"Timestamp": "2024-06-01 06:21:36",
"ConnectionId": "cvpn-connection-04d19e3460931c072",
"Username": "Administrator",
"ConnectionEstablishedTime": "2024-06-01 06:17:34",
"IngressBytes": "14257",
"EgressBytes": "10885",
"IngressPackets": "262",
"EgressPackets": "229",
"ClientIp": "192.168.252.2",
"Status": {
"Code": "active"
},
"ConnectionEndTime": "-"
}
]
}
2-8. Checking the CloudWatch logs
Command
aws logs get-log-events \
--log-group-name ${LOG_GROUP_NAME} \
--log-stream-name ${LOG_STREAM_NAME} \
--output table
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws logs get-log-events \
> --log-group-name ${LOG_GROUP_NAME} \
> --log-stream-name ${LOG_STREAM_NAME} \
> --output table
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| GetLogEvents |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| nextBackwardToken | b/38295381629927345950455340958366542559517736373235482624/s |
| nextForwardToken | f/38295381629927345950455340958366542559517736373235482625/s |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|| events ||
|+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+|
|| ingestionTime | message | timestamp ||
|+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+|
|| 1717224303039| {"connection-log-type": "connection-attempt", "connection-attempt-status": "successful", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-04d19e3460931c072", "client-vpn-endpoint-id": "cvpn-endpoint-07d961a1fc107db21", "transport-protocol": "udp", "connection-start-time": "2024-06-01 06:17:34", "connection-last-update-time": "2024-06-01 06:17:34", "client-ip": "192.168.252.2", "username": "Administrator", "device-type": "win", "device-ip": "***.**.***.**", "port": "46760", "ingress-bytes": "0", "egress-bytes": "0", "ingress-packets": "0", "egress-packets": "0", "connection-end-time": "NA", "connection-duration-seconds": "0"} | 1717224303000 ||
|| 1717224303039| {"connection-log-type": "connection-reset", "connection-attempt-status": "NA", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-04d19e3460931c072", "client-vpn-endpoint-id": "cvpn-endpoint-07d961a1fc107db21", "transport-protocol": "udp", "connection-start-time": "2024-06-01 06:17:34", "connection-last-update-time": "2024-06-01 06:29:16", "client-ip": "192.168.252.2", "username": "Administrator", "device-type": "win", "device-ip": "***.**.***.**", "port": "46760", "ingress-bytes": "30321", "egress-bytes": "26981", "ingress-packets": "657", "egress-packets": "627", "connection-end-time": "2024-06-01 06:29:16", "connection-reset-status": "NA", "connection-duration-seconds": "702"} | 1717224303000 ||
|+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+|
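The connection-log records above are the per-user audit trail for this endpoint, and because the authorization rule was created with --authorize-all-groups, every directory user can reach the whole target CIDR, so the log is what tells you who connected. The following is an added example (not part of the hands-on) that parses the "events" list returned by `aws logs get-log-events --output json` and summarizes attempts per username; the sample events are constructed, and the failed-attempt username, connection id and failure-reason string are placeholders, not real service values.

```python
"""Summarize AWS Client VPN connection-log events pulled from CloudWatch Logs.
Added example for this write-up (not part of the hands-on). Input is the
"events" list returned by `aws logs get-log-events --output json`; the keys
inside each "message" are the ones visible in the hands-on output above."""
import json
from collections import defaultdict

# Fields shared by the constructed sample records below.
BASE = {"client-vpn-endpoint-id": "cvpn-endpoint-07d961a1fc107db21", "device-type": "win",
        "connection-attempt-failure-reason": "NA", "connection-duration-seconds": "0"}


def _event(ts, **fields):
    """Build one constructed CloudWatch event; underscores become the log's hyphenated keys."""
    record = {**BASE, **{k.replace("_", "-"): v for k, v in fields.items()}}
    return {"timestamp": ts, "ingestionTime": ts + 39, "message": json.dumps(record)}


# The first two records mirror the real entries in the hands-on output; the third is an
# invented failed attempt whose username, connection id and reason are placeholders.
SAMPLE_EVENTS = [
    _event(1717224303000, connection_log_type="connection-attempt", connection_attempt_status="successful",
           connection_id="cvpn-connection-04d19e3460931c072", username="Administrator", client_ip="192.168.252.2"),
    _event(1717224303000, connection_log_type="connection-reset", connection_attempt_status="NA",
           connection_id="cvpn-connection-04d19e3460931c072", username="Administrator", client_ip="192.168.252.2",
           connection_duration_seconds="702"),
    _event(1717224400000, connection_log_type="connection-attempt", connection_attempt_status="failed",
           connection_attempt_failure_reason="placeholder-reason", connection_id="cvpn-connection-placeholder",
           username="placeholder-user", client_ip="NA"),
]


def parse_events(events):
    """Decode each event's JSON message and keep the CloudWatch timestamp with it."""
    parsed = []
    for ev in events:
        record = json.loads(ev["message"])
        record["_timestamp"] = int(ev["timestamp"])
        parsed.append(record)
    return parsed


def summarize_by_user(events):
    """Per-username attempt/failure counts and total connected seconds."""
    summary = defaultdict(lambda: {"attempts": 0, "failed": 0, "seconds": 0})
    for rec in parse_events(events):
        stats = summary[rec.get("username", "NA")]
        if rec.get("connection-log-type") == "connection-attempt":
            stats["attempts"] += 1
            stats["failed"] += int(rec.get("connection-attempt-status") != "successful")
        elif rec.get("connection-log-type") == "connection-reset":
            # The duration is only final in the reset record; the attempt record reports 0.
            stats["seconds"] += int(rec.get("connection-duration-seconds", "0"))
    return dict(summary)


def failed_attempts(events):
    """(username, failure reason, timestamp) for every non-successful attempt."""
    return [(r.get("username"), r.get("connection-attempt-failure-reason"), r["_timestamp"])
            for r in parse_events(events)
            if r.get("connection-log-type") == "connection-attempt"
            and r.get("connection-attempt-status") != "successful"]
```

Feed it the real output with `aws logs get-log-events ... --output json | python3 -c 'import json,sys; ...'` by passing `json.load(sys.stdin)["events"]` to `summarize_by_user`.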
3. Deleting the resources
3-1. Deleting the Client VPN endpoint
Get association ID 1
Command
ASSOCIATIONID_1=$( \
aws ec2 describe-client-vpn-target-networks \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
--query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_3}'].AssociationId" \
--output text) \
&& echo ${ASSOCIATIONID_1}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ ASSOCIATIONID_1=$( \
> aws ec2 describe-client-vpn-target-networks \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_3}'].AssociationId" \
> --output text) \
> && echo ${ASSOCIATIONID_1}
cvpn-assoc-04c2c4222ffa8982d
Delete association 1
Command
aws ec2 disassociate-client-vpn-target-network \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
--association-id ${ASSOCIATIONID_1}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 disassociate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --association-id ${ASSOCIATIONID_1}
{
"AssociationId": "cvpn-assoc-04c2c4222ffa8982d",
"Status": {
"Code": "disassociating"
}
}
Get association ID 2
Command
ASSOCIATIONID_2=$( \
aws ec2 describe-client-vpn-target-networks \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
--query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_4}'].AssociationId" \
--output text) \
&& echo ${ASSOCIATIONID_2}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ ASSOCIATIONID_2=$( \
> aws ec2 describe-client-vpn-target-networks \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_4}'].AssociationId" \
> --output text) \
> && echo ${ASSOCIATIONID_2}
cvpn-assoc-0323b379bea40c21d
Delete association 2
Command
aws ec2 disassociate-client-vpn-target-network \
--client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
--association-id ${ASSOCIATIONID_2}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 disassociate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --association-id ${ASSOCIATIONID_2}
{
"AssociationId": "cvpn-assoc-0323b379bea40c21d",
"Status": {
"Code": "disassociating"
}
}
Delete the Client VPN endpoint
Command
aws ec2 delete-client-vpn-endpoint --client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 delete-client-vpn-endpoint --client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
{
"Status": {
"Code": "deleting"
}
}
3-2. Deleting the certificates registered in ACM
Delete the server certificate
Command
aws acm delete-certificate \
--certificate-arn ${SERVER_CERT_ARN}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws acm delete-certificate \
> --certificate-arn ${SERVER_CERT_ARN}
Delete the client certificate
Command
aws acm delete-certificate \
--certificate-arn ${CLIDNG_CERT_ARN}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws acm delete-certificate \
> --certificate-arn ${CLIDNG_CERT_ARN}
3-3. Deleting the Directory Service
Command
aws ds delete-directory --directory-id ${DS_ARN}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ds delete-directory --directory-id ${DS_ARN}
{
"DirectoryId": "d-95675e5505"
}
3-4. Deleting the log destination
Command
aws logs delete-log-group \
--log-group-name ${LOG_GROUP_NAME}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws logs delete-log-group \
> --log-group-name ${LOG_GROUP_NAME}
3-5. Deleting the EC2 instance
Look up the EC2 instance ID
Command
EC2_INSTANCE_ID=$( \
aws ec2 describe-instances \
--filters Name=tag:Name,Values="${INSTANCE_NAME}" \
--query "Reservations[*].Instances[*].[InstanceId]" \
--output text
) \
&& echo ${EC2_INSTANCE_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ EC2_INSTANCE_ID=$( \
> aws ec2 describe-instances \
> --filters Name=tag:Name,Values="${INSTANCE_NAME}" \
> --query "Reservations[*].Instances[*].[InstanceId]" \
> --output text
> ) \
> && echo ${EC2_INSTANCE_ID}
i-0d8fd30c4475262b5
Terminate the EC2 instance
Command
aws ec2 terminate-instances \
--instance-ids ${EC2_INSTANCE_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 terminate-instances \
> --instance-ids ${EC2_INSTANCE_ID}
{
"TerminatingInstances": [
{
"CurrentState": {
"Code": 32,
"Name": "shutting-down"
},
"InstanceId": "i-0d8fd30c4475262b5",
"PreviousState": {
"Code": 16,
"Name": "running"
}
}
]
}
Delete the EC2 security group
Command
aws ec2 delete-security-group \
--group-id ${SECURITY_GROUP_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 delete-security-group \
> --group-id ${SECURITY_GROUP_ID}
3-6. Deleting the VPC
Delete the subnets
Command
aws ec2 delete-subnet --subnet-id ${SUBNET_ID_1}
aws ec2 delete-subnet --subnet-id ${SUBNET_ID_2}
aws ec2 delete-subnet --subnet-id ${SUBNET_ID_3}
aws ec2 delete-subnet --subnet-id ${SUBNET_ID_4}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_1}
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_2}
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_3}
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_4}
Delete the VPC
Command
aws ec2 delete-vpc --vpc-id ${VPC_ID}
Output
[cloudshell-user@ip-10-130-63-118 ~]$ aws ec2 delete-vpc --vpc-id ${VPC_ID}