上記「AWS Client VPN Basic ハンズオンのパターン1 相互認証 (証明書ベース) 」をAWS CLIでやってみる
ハンズオンから引用
1.共通設定
1-1.VPCの作成
変数設定 (IPv4 VPC CIDR block)
コマンド
# IPv4 CIDR of the hands-on VPC. Reused later for the security-group rule
# and for the Client VPN authorization rule (TARGET_NETWORK_CIDR).
VPC_CIDR_BLOCK='10.255.0.0/16'
printf '%s\n' "${VPC_CIDR_BLOCK}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ VPC_CIDR_BLOCK="10.255.0.0/16" \
> && echo ${VPC_CIDR_BLOCK}
10.255.0.0/16
変数設定 (VPC名)
コマンド
# Name tag of the VPC; the lookup in 1-2 filters on this exact value.
VPC_NAME='cvpn-hands-on'
printf '%s\n' "${VPC_NAME}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ VPC_NAME="cvpn-hands-on" \
> && echo ${VPC_NAME}
cvpn-hands-on
VPCの作成
コマンド
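# Create the VPC. Expansions are quoted so an empty or unexpected variable
# cannot word-split into extra CLI arguments.
aws ec2 create-vpc \
  --cidr-block "${VPC_CIDR_BLOCK}" \
  --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=${VPC_NAME}}]"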
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 create-vpc \
> --cidr-block ${VPC_CIDR_BLOCK} \
> --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=${VPC_NAME}}]"
{
"Vpc": {
"CidrBlock": "10.255.0.0/16",
"DhcpOptionsId": "dopt-0e7d97fbb33a62ce1",
"State": "pending",
"VpcId": "vpc-075b8036a1049e579",
"OwnerId": "999999999999",
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": [],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-03953a30c008eb714",
"CidrBlock": "10.255.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": false,
"Tags": [
{
"Key": "Name",
"Value": "cvpn-hands-on"
}
]
}
}
1-2.VPC IDの取得
コマンド
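# Resolve the VPC ID from its Name tag. Vpcs[0] returns only the first match,
# so a second VPC carrying the same Name tag would be picked silently.
# The original relied on a backslash glued to "text" to join the closing
# paren; a plain multi-line command substitution needs no continuations.
VPC_ID=$(
  aws ec2 describe-vpcs \
    --filters "Name=tag:Name,Values=${VPC_NAME}" \
    --query 'Vpcs[0].VpcId' \
    --output text
) && printf '%s\n' "${VPC_ID}"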
出力
[cloudshell-user@ip-10-132-84-39 ~]$ VPC_ID=$( \
> aws ec2 describe-vpcs \
> --filters "Name=tag:Name,Values=${VPC_NAME}" \
> --query "Vpcs[0].VpcId" \
> --output text\
> )\
> && echo ${VPC_ID}
vpc-075b8036a1049e579
1-3.サブネットの作成1
変数設定 (CIDRブロック)
コマンド
# CIDR of subnet1 (hosts the EC2 instance created in 1-7).
CIDR_BLOCK_1='10.255.1.0/24'
printf '%s\n' "${CIDR_BLOCK_1}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ CIDR_BLOCK_1="10.255.1.0/24" \
> && echo ${CIDR_BLOCK_1}
10.255.1.0/24
変数設定 (アベイラビリティゾーン)
コマンド
# Availability Zone for subnet1.
AZ_1='ap-northeast-1a'
printf '%s\n' "${AZ_1}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ AZ_1="ap-northeast-1a" \
> && echo ${AZ_1}
ap-northeast-1a
変数設定 (サブネット名)
コマンド
# Name tag of subnet1; used by the ID lookup that follows.
SUBNET_NAME_1='subnet1'
printf '%s\n' "${SUBNET_NAME_1}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_NAME_1="subnet1" \
> && echo ${SUBNET_NAME_1}
subnet1
サブネットの作成
コマンド
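# Create subnet1 in the hands-on VPC (all expansions quoted).
aws ec2 create-subnet \
  --vpc-id "${VPC_ID}" \
  --cidr-block "${CIDR_BLOCK_1}" \
  --availability-zone "${AZ_1}" \
  --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_1}}]"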
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 create-subnet \
> --vpc-id ${VPC_ID} \
> --cidr-block ${CIDR_BLOCK_1} \
> --availability-zone ${AZ_1} \
> --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_1}}]"
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.255.1.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0dfd2af5a235620b5",
"VpcId": "vpc-075b8036a1049e579",
"OwnerId": "999999999999",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "subnet1"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:999999999999:subnet/subnet-0dfd2af5a235620b5",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
サブネット IDの取得
コマンド
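# Look up subnet1 by VPC and Name tag. Both filter values are quoted so an
# empty VPC_ID cannot collapse the filter list. Note that Subnets[] returns
# every match (tab-separated in text mode), unlike the Vpcs[0] lookup above.
SUBNET_ID_1=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
              "Name=tag:Name,Values=${SUBNET_NAME_1}" \
    --query 'Subnets[].SubnetId' \
    --output text
) && printf '%s\n' "${SUBNET_ID_1}"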
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_ID_1=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${VPC_ID} \
> Name=tag:Name,Values="${SUBNET_NAME_1}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${SUBNET_ID_1}
subnet-0dfd2af5a235620b5
1-4.サブネットの作成2
変数設定 (CIDRブロック)
コマンド
# CIDR of subnet2.
CIDR_BLOCK_2='10.255.2.0/24'
printf '%s\n' "${CIDR_BLOCK_2}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ CIDR_BLOCK_2="10.255.2.0/24" \
> && echo ${CIDR_BLOCK_2}
10.255.2.0/24
変数設定 (アベイラビリティゾーン)
コマンド
# Availability Zone for subnet2 (a different AZ from subnet1).
AZ_2='ap-northeast-1c'
printf '%s\n' "${AZ_2}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ AZ_2="ap-northeast-1c" \
> && echo ${AZ_2}
ap-northeast-1c
変数設定 (サブネット名)
コマンド
# Name tag of subnet2.
SUBNET_NAME_2='subnet2'
printf '%s\n' "${SUBNET_NAME_2}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_NAME_2="subnet2" \
> && echo ${SUBNET_NAME_2}
subnet2
サブネットの作成
コマンド
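# Create subnet2 (all expansions quoted).
aws ec2 create-subnet \
  --vpc-id "${VPC_ID}" \
  --cidr-block "${CIDR_BLOCK_2}" \
  --availability-zone "${AZ_2}" \
  --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_2}}]"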
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 create-subnet \
> --vpc-id ${VPC_ID} \
> --cidr-block ${CIDR_BLOCK_2} \
> --availability-zone ${AZ_2} \
> --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_2}}]"
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1c",
"AvailabilityZoneId": "apne1-az1",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.255.2.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0ffc5d0ca200063a3",
"VpcId": "vpc-075b8036a1049e579",
"OwnerId": "999999999999",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "subnet2"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:999999999999:subnet/subnet-0ffc5d0ca200063a3",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
サブネット IDの取得
コマンド
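# Look up subnet2 by VPC and Name tag (filter values quoted).
SUBNET_ID_2=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
              "Name=tag:Name,Values=${SUBNET_NAME_2}" \
    --query 'Subnets[].SubnetId' \
    --output text
) && printf '%s\n' "${SUBNET_ID_2}"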
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_ID_2=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${VPC_ID} \
> Name=tag:Name,Values="${SUBNET_NAME_2}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${SUBNET_ID_2}
subnet-0ffc5d0ca200063a3
1-5.サブネットの作成3
変数設定 (CIDRブロック)
コマンド
# CIDR of subnet255, the first subnet associated with the Client VPN endpoint in 2-2.
CIDR_BLOCK_3='10.255.255.0/24'
printf '%s\n' "${CIDR_BLOCK_3}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ CIDR_BLOCK_3="10.255.255.0/24" \
> && echo ${CIDR_BLOCK_3}
10.255.255.0/24
変数設定 (アベイラビリティゾーン)
コマンド
# Availability Zone for subnet255.
AZ_3='ap-northeast-1a'
printf '%s\n' "${AZ_3}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ AZ_3="ap-northeast-1a" \
> && echo ${AZ_3}
ap-northeast-1a
変数設定 (サブネット名)
コマンド
# Name tag of subnet255.
SUBNET_NAME_3='subnet255'
printf '%s\n' "${SUBNET_NAME_3}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_NAME_3="subnet255" \
> && echo ${SUBNET_NAME_3}
subnet255
サブネットの作成
コマンド
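# Create subnet255 (all expansions quoted).
aws ec2 create-subnet \
  --vpc-id "${VPC_ID}" \
  --cidr-block "${CIDR_BLOCK_3}" \
  --availability-zone "${AZ_3}" \
  --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_3}}]"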
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 create-subnet \
> --vpc-id ${VPC_ID} \
> --cidr-block ${CIDR_BLOCK_3} \
> --availability-zone ${AZ_3} \
> --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_3}}]"
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.255.255.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0fb7e5d87165cabde",
"VpcId": "vpc-075b8036a1049e579",
"OwnerId": "999999999999",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "subnet255"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:999999999999:subnet/subnet-0fb7e5d87165cabde",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
サブネット IDの取得
コマンド
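# Look up subnet255 by VPC and Name tag (filter values quoted).
SUBNET_ID_3=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
              "Name=tag:Name,Values=${SUBNET_NAME_3}" \
    --query 'Subnets[].SubnetId' \
    --output text
) && printf '%s\n' "${SUBNET_ID_3}"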
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_ID_3=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${VPC_ID} \
> Name=tag:Name,Values="${SUBNET_NAME_3}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${SUBNET_ID_3}
subnet-0fb7e5d87165cabde
1-6.サブネットの作成4
変数設定 (CIDRブロック)
コマンド
# CIDR of subnet254, the second subnet associated with the Client VPN endpoint in 2-2.
CIDR_BLOCK_4='10.255.254.0/24'
printf '%s\n' "${CIDR_BLOCK_4}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ CIDR_BLOCK_4="10.255.254.0/24" \
> && echo ${CIDR_BLOCK_4}
10.255.254.0/24
変数設定 (アベイラビリティゾーン)
コマンド
# Availability Zone for subnet254.
AZ_4='ap-northeast-1c'
printf '%s\n' "${AZ_4}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ AZ_4="ap-northeast-1c" \
> && echo ${AZ_4}
ap-northeast-1c
変数設定 (サブネット名)
コマンド
# Name tag of subnet254.
SUBNET_NAME_4='subnet254'
printf '%s\n' "${SUBNET_NAME_4}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_NAME_4="subnet254" \
> && echo ${SUBNET_NAME_4}
subnet254
サブネットの作成
コマンド
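# Create subnet254 (all expansions quoted).
aws ec2 create-subnet \
  --vpc-id "${VPC_ID}" \
  --cidr-block "${CIDR_BLOCK_4}" \
  --availability-zone "${AZ_4}" \
  --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_4}}]"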
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 create-subnet \
> --vpc-id ${VPC_ID} \
> --cidr-block ${CIDR_BLOCK_4} \
> --availability-zone ${AZ_4} \
> --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${SUBNET_NAME_4}}]"
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1c",
"AvailabilityZoneId": "apne1-az1",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.255.254.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0ab031f4f01864376",
"VpcId": "vpc-075b8036a1049e579",
"OwnerId": "999999999999",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "subnet254"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:999999999999:subnet/subnet-0ab031f4f01864376",
"EnableDns64": false,
"Ipv6Native": false,
"PrivateDnsNameOptionsOnLaunch": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
}
}
}
サブネット IDの取得
コマンド
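# Look up subnet254 by VPC and Name tag (filter values quoted).
SUBNET_ID_4=$(
  aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
              "Name=tag:Name,Values=${SUBNET_NAME_4}" \
    --query 'Subnets[].SubnetId' \
    --output text
) && printf '%s\n' "${SUBNET_ID_4}"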
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SUBNET_ID_4=$( \
> aws ec2 describe-subnets \
> --filters Name=vpc-id,Values=${VPC_ID} \
> Name=tag:Name,Values="${SUBNET_NAME_4}" \
> --query "Subnets[].SubnetId" \
> --output text \
> ) \
> && echo ${SUBNET_ID_4}
subnet-0ab031f4f01864376
1-7.EC2の作成
変数設定 (セキュリティグループ名)
コマンド
# Name of the security group attached to the EC2 instance.
SECURITY_GROUP_NAME='cvpn-hands-on-sg'
printf '%s\n' "${SECURITY_GROUP_NAME}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SECURITY_GROUP_NAME='cvpn-hands-on-sg' \
> && echo ${SECURITY_GROUP_NAME}
cvpn-hands-on-sg
変数設定 (セキュリティグループ説明)
コマンド
# Description of the security group (same string as its name).
SECURITY_GROUP_DESC='cvpn-hands-on-sg'
printf '%s\n' "${SECURITY_GROUP_DESC}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SECURITY_GROUP_DESC='cvpn-hands-on-sg' \
> && echo ${SECURITY_GROUP_DESC}
cvpn-hands-on-sg
セキュリティグループ作成
コマンド
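# Create the instance security group in the hands-on VPC. A freshly created
# group has no ingress rules; the ICMP rule is added separately below.
aws ec2 create-security-group \
  --group-name "${SECURITY_GROUP_NAME}" \
  --description "${SECURITY_GROUP_DESC}" \
  --vpc-id "${VPC_ID}"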
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 create-security-group \
> --group-name ${SECURITY_GROUP_NAME} \
> --description "${SECURITY_GROUP_DESC}" \
> --vpc-id ${VPC_ID}
{
"GroupId": "sg-03d329affb19577f2"
}
セキュリティグループ IDの取得
コマンド
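# Look up the security group by VPC and group name (filter values quoted).
SECURITY_GROUP_ID=$(
  aws ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
              "Name=group-name,Values=${SECURITY_GROUP_NAME}" \
    --query 'SecurityGroups[].GroupId' \
    --output text
) && printf '%s\n' "${SECURITY_GROUP_ID}"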
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SECURITY_GROUP_ID=$( \
> aws ec2 describe-security-groups \
> --filters Name=vpc-id,Values=${VPC_ID} \
> Name=group-name,Values=${SECURITY_GROUP_NAME} \
> --query "SecurityGroups[].GroupId" \
> --output text \
> ) \
> && echo ${SECURITY_GROUP_ID}
sg-03d329affb19577f2
セキュリティグループ ルール追加
コマンド
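# Allow ICMP (all types/codes, hence --port -1) from the whole VPC CIDR.
# VPN clients reach the VPC through the NAT routes created by the target
# network associations in 2-2 (see "Type": "Nat" in the route listing of 2-4),
# so their pings arrive from a VPC address and match this rule. Only ICMP is
# opened; no SSH or other ports are reachable from the VPN.
aws ec2 authorize-security-group-ingress \
  --group-id "${SECURITY_GROUP_ID}" \
  --protocol icmp \
  --port -1 \
  --cidr "${VPC_CIDR_BLOCK}"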
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 authorize-security-group-ingress \
> --group-id ${SECURITY_GROUP_ID} \
> --protocol icmp \
> --port -1 \
> --cidr ${VPC_CIDR_BLOCK}
{
"Return": true,
"SecurityGroupRules": [
{
"SecurityGroupRuleId": "sgr-04bb64891b0aa2d5e",
"GroupId": "sg-03d329affb19577f2",
"GroupOwnerId": "999999999999",
"IsEgress": false,
"IpProtocol": "icmp",
"FromPort": -1,
"ToPort": -1,
"CidrIpv4": "10.255.0.0/16"
}
]
}
変数設定 (セキュリティグループ説明)
コマンド
# Identical to the assignment earlier in 1-7; re-running it changes nothing.
SECURITY_GROUP_DESC='cvpn-hands-on-sg'
printf '%s\n' "${SECURITY_GROUP_DESC}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SECURITY_GROUP_DESC='cvpn-hands-on-sg' \
> && echo ${SECURITY_GROUP_DESC}
cvpn-hands-on-sg
変数設定 (インスタンス名)
コマンド
# Name tag of the EC2 instance. Single quotes keep the '#' literal; it is
# only a comment marker at the start of a word, never inside an expansion.
INSTANCE_NAME='Server#1'
printf '%s\n' "${INSTANCE_NAME}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ INSTANCE_NAME='Server#1' \
> && echo ${INSTANCE_NAME}
Server#1
変数設定 (インスタンスタイプ)
コマンド
# Instance type of the ping target.
INSTANCE_TYPE='t2.micro'
printf '%s\n' "${INSTANCE_TYPE}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ INSTANCE_TYPE='t2.micro' \
> && echo ${INSTANCE_TYPE}
t2.micro
EC2の作成
コマンド
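# Launch the ping target in subnet1 from the latest AL2023 AMI, resolved at
# call time through the public SSM parameter. No --key-name is passed, so the
# instance has no SSH key pair; the hands-on only needs ICMP reachability.
# The returned MetadataOptions show HttpTokens=required (IMDSv2 only).
aws ec2 run-instances \
  --image-id \
    'resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64' \
  --instance-type "${INSTANCE_TYPE}" \
  --subnet-id "${SUBNET_ID_1}" \
  --security-group-ids "${SECURITY_GROUP_ID}" \
  --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=${INSTANCE_NAME}}]"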
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 run-instances \
> --image-id \
> resolve:ssm:"/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64" \
> --instance-type ${INSTANCE_TYPE} \
> --subnet-id ${SUBNET_ID_1} \
> --security-group-ids ${SECURITY_GROUP_ID} \
> --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=${INSTANCE_NAME}}]"
{
"Groups": [],
"Instances": [
{
"AmiLaunchIndex": 0,
"ImageId": "ami-02a405b3302affc24",
"InstanceId": "i-09ed69d8960517da1",
"InstanceType": "t2.micro",
"LaunchTime": "2024-05-25T03:11:59+00:00",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "ap-northeast-1a",
"GroupName": "",
"Tenancy": "default"
},
"PrivateDnsName": "ip-10-255-1-108.ap-northeast-1.compute.internal",
"PrivateIpAddress": "10.255.1.108",
"ProductCodes": [],
"PublicDnsName": "",
"State": {
"Code": 0,
"Name": "pending"
},
"StateTransitionReason": "",
"SubnetId": "subnet-0dfd2af5a235620b5",
"VpcId": "vpc-075b8036a1049e579",
"Architecture": "x86_64",
"BlockDeviceMappings": [],
"ClientToken": "383536ed-fda2-45c7-85de-41b1d78ee16b",
"EbsOptimized": false,
"EnaSupport": true,
"Hypervisor": "xen",
"NetworkInterfaces": [
{
"Attachment": {
"AttachTime": "2024-05-25T03:11:59+00:00",
"AttachmentId": "eni-attach-016c2df8857863d53",
"DeleteOnTermination": true,
"DeviceIndex": 0,
"Status": "attaching",
"NetworkCardIndex": 0
},
"Description": "",
"Groups": [
{
"GroupName": "cvpn-hands-on-sg",
"GroupId": "sg-03d329affb19577f2"
}
],
"Ipv6Addresses": [],
"MacAddress": "06:28:ca:fd:f4:e7",
"NetworkInterfaceId": "eni-01d7c341a6f9b52b3",
"OwnerId": "999999999999",
"PrivateIpAddress": "10.255.1.108",
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateIpAddress": "10.255.1.108"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-0dfd2af5a235620b5",
"VpcId": "vpc-075b8036a1049e579",
"InterfaceType": "interface"
}
],
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupName": "cvpn-hands-on-sg",
"GroupId": "sg-03d329affb19577f2"
}
],
"SourceDestCheck": true,
"StateReason": {
"Code": "pending",
"Message": "pending"
},
"Tags": [
{
"Key": "Name",
"Value": "Server#1"
}
],
"VirtualizationType": "hvm",
"CpuOptions": {
"CoreCount": 1,
"ThreadsPerCore": 1
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"MetadataOptions": {
"State": "pending",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 2,
"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"InstanceMetadataTags": "disabled"
},
"EnclaveOptions": {
"Enabled": false
},
"BootMode": "uefi-preferred",
"PrivateDnsNameOptions": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
},
"MaintenanceOptions": {
"AutoRecovery": "default"
},
"CurrentInstanceBootMode": "legacy-bios"
}
],
"OwnerId": "999999999999",
"ReservationId": "r-01ee0db8344a69c22"
}
1-8.ログの出力先の準備
変数設定 (ロググループ名)
コマンド
# CloudWatch Logs group that receives Client VPN connection logs.
LOG_GROUP_NAME='/aws/clientvpn'
printf '%s\n' "${LOG_GROUP_NAME}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ LOG_GROUP_NAME='/aws/clientvpn' \
> && echo ${LOG_GROUP_NAME}
/aws/clientvpn
ロググループ作成
コマンド
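# Create the log group. No retention policy is set here, so the connection
# log is kept indefinitely unless one is added later.
aws logs create-log-group \
  --log-group-name "${LOG_GROUP_NAME}"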
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws logs create-log-group \
> --log-group-name ${LOG_GROUP_NAME}
変数設定 (ログストリーム名)
コマンド
# Log stream inside LOG_GROUP_NAME used by the endpoint's connection-log option.
LOG_STREAM_NAME='connection-log'
printf '%s\n' "${LOG_STREAM_NAME}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ LOG_STREAM_NAME='connection-log' \
> && echo ${LOG_STREAM_NAME}
connection-log
ログストリーム作成
コマンド
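# Create the stream referenced by --connection-log-options in 2-1.
aws logs create-log-stream \
  --log-group-name "${LOG_GROUP_NAME}" \
  --log-stream-name "${LOG_STREAM_NAME}"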
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws logs create-log-stream \
> --log-group-name ${LOG_GROUP_NAME} \
> --log-stream-name ${LOG_STREAM_NAME}
1-9.証明書の作成
コマンド
# Fetch Easy-RSA, which is used below to build the lab CA and certificates.
# This clones the current default branch; pinning a release tag would make
# the hands-on reproducible.
easyrsa_repo='https://github.com/OpenVPN/easy-rsa.git'
git clone -- "${easyrsa_repo}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ git clone https://github.com/OpenVPN/easy-rsa.git
Cloning into 'easy-rsa'...
remote: Enumerating objects: 6733, done.
remote: Counting objects: 100% (1509/1509), done.
remote: Compressing objects: 100% (645/645), done.
remote: Total 6733 (delta 921), reused 1204 (delta 863), pack-reused 5224
Receiving objects: 100% (6733/6733), 52.29 MiB | 15.61 MiB/s, done.
Resolving deltas: 100% (3170/3170), done.
コマンド
# Every ./easyrsa call and pki/ path below is relative to this directory.
cd -- 'easy-rsa/easyrsa3'
出力
[cloudshell-user@ip-10-132-84-39 ~]$ cd easy-rsa/easyrsa3
新しい PKI 環境を初期化
コマンド
# Initialise an empty PKI tree (the transcript shows it lands in easyrsa3/pki).
./easyrsa init-pki
出力
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ ./easyrsa init-pki
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /home/cloudshell-user/easy-rsa/easyrsa3/pki
Using Easy-RSA configuration:
* undefined
新しい認証局 (CA) を構築
コマンド
# Build the lab CA. 'nopass' leaves the CA private key unencrypted on disk;
# fine for a throwaway hands-on, but whoever can read pki/private can then
# issue further client certificates chaining to this CA, so remove the PKI
# directory (or the CloudShell environment) once the hands-on is finished.
# The command prompts for the CA Common Name interactively.
./easyrsa build-ca nopass
出力
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ ./easyrsa build-ca nopass
......+....+...+......+......+......+...+.....+......+.+..............+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+..+.+...+.........+............+...........+....+........+...+...+.......+...+......+.....+.+.....+..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
......+......+..+......+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..................+.......+..............+......+...+.+......+......+.........+...+..+......+...+....+......+.....+............+.........+...+...............+...+.......+............+..................+..+.+.....+...+.......+...+.....+.......+.....+....+.......................+...+.......+..+.+..+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Notice
------
CA creation complete. Your new CA certificate is at:
* /home/cloudshell-user/easy-rsa/easyrsa3/pki/ca.crt
サーバー証明書とキーを生成
コマンド
# Issue the server certificate (CN and SAN both "server", key again without a
# passphrase). The transcript shows a validity of 825 days; the imported ACM
# certificate will need re-issuing and re-importing before it expires.
./easyrsa --san=DNS:server build-server-full server nopass
出力
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ ./easyrsa --san=DNS:server build-server-full server nopass
....+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+..........+..+.......+........+.+.....+..........+...........+.........+.+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+...+...+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
......+.....+......+....+...........+...+.+..+...+......+.+........+..........+...........+...+.......+.....+..........+...+.....+.+..+...+.+...+...+..+......+.......+.....+....+......+..+.......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+......+...+.+........+...+.......+..+.........+......+....+..+.......+..+......+...+.+...+...+..+.......+...+............+.....+.+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/cloudshell-user/easy-rsa/easyrsa3/pki/reqs/server.req
* key: /home/cloudshell-user/easy-rsa/easyrsa3/pki/private/server.key
You are about to sign the following certificate:
Requested CN: 'server'
Requested type: 'server'
Valid for: '825' days
subject=
commonName = server
X509v3 Subject Alternative Name:
DNS:server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/cloudshell-user/easy-rsa/easyrsa3/pki/19bce9dd/temp.4.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Aug 28 04:39:57 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /home/cloudshell-user/easy-rsa/easyrsa3/pki/issued/server.crt
Notice
------
Inline file created:
* /home/cloudshell-user/easy-rsa/easyrsa3/pki/inline/server.inline
クライアント証明書とキーを生成
コマンド
# Issue the client certificate for "client1.domain.tld" (825-day validity per
# the transcript, key without passphrase). This certificate and its key are
# later imported into ACM and referenced by the endpoint's
# ClientRootCertificateChainArn.
./easyrsa build-client-full client1.domain.tld nopass
出力
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ ./easyrsa build-client-full client1.domain.tld nopass
...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+............+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...............+..........+............+..+...+..........+...+...+......+......+...+......+........+.+..+...................+.....+.+.....+..........+..+...+....+.........+..+...+.+...+.....+......+.+.....+.+...+.....+......+.+.....+.......+..+.+........+...............+.......+..............+...+.......+........+.+....................+.+.....+...+.......+...+...+..................+.....+....+......+..+.........+......+..........+...+......+...+...+..............+.+............+...+........+....+..+......+...+....+..+...+...+............+...............+.......+.....+....+............+...+.....+......+.+..+...+.........+.............+..+...+............+....+..+.......+...+..+.+.....+..........+.....+.+......+............+.....+...+....+...+......+..+...+.........+.+..+....+.....................+...+.........+..+.........+...............+.+.....+......+...............+.......+..+.............+..+...+.............+..+...+...+.........+.......+..............+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
...+........+.......+..+.+...+.....+....+..+.+..+..........+........+.............+.....+....+...+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+..................+.......+............+...+...+..+...............+......+.......+.....+.........+.+...+..+...+....+...+...+......+...........+...+....+.....+.+.....+.+...+..+..........+.....+.+...+.........+..+.+............+...............+..+...+...+...............+...............+....+......+..+......+.......+...............+............+...........+....+............+.....+...+...+..........+...+..+....+..............+......+.........+.+...+..+...+......+....+........+...+.......+..+.+..+....+...+......+..+...+..........+..............+............+....+..+...+.........+...+.......+........+.......+.....+.......+........+.......+........+......+.......+........+.+.....+....+...........+.+.....+...+.+......+...+..+.......+...+..+............+...+...+...............+....+......+...+.....+..........+.....+......+........................+....+......+......+........+.+.....+..........+..+............+.....................+.+......+..+......+.......+..............+......+.......+.....+.......+...+...........+.......+..+......+.+.........+..+.........+.........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/cloudshell-user/easy-rsa/easyrsa3/pki/reqs/client1.domain.tld.req
* key: /home/cloudshell-user/easy-rsa/easyrsa3/pki/private/client1.domain.tld.key
You are about to sign the following certificate:
Requested CN: 'client1.domain.tld'
Requested type: 'client'
Valid for: '825' days
subject=
commonName = client1.domain.tld
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/cloudshell-user/easy-rsa/easyrsa3/pki/5b6d7f0d/temp.3.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client1.domain.tld'
Certificate is to be certified until Aug 28 04:40:48 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /home/cloudshell-user/easy-rsa/easyrsa3/pki/issued/client1.domain.tld.crt
Notice
------
Inline file created:
* /home/cloudshell-user/easy-rsa/easyrsa3/pki/inline/client1.domain.tld.inline
サーバー証明書とキー、およびクライアント証明書とキーをカスタムフォルダにコピー
コマンド
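# Gather the CA cert, server cert/key and client cert/key for the ACM imports
# below. The folder holds unencrypted private keys, so it is created owner-only
# (0700) rather than with whatever the current umask yields; '--' keeps the
# paths from being parsed as options. Delete the folder once the imports are done.
mkdir -m 700 -- ~/custom_folder
cp -- pki/ca.crt ~/custom_folder/
cp -- pki/issued/server.crt ~/custom_folder/
cp -- pki/private/server.key ~/custom_folder/
cp -- pki/issued/client1.domain.tld.crt ~/custom_folder/
cp -- pki/private/client1.domain.tld.key ~/custom_folder/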
出力
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ mkdir ~/custom_folder/
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ cp pki/ca.crt ~/custom_folder/
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ cp pki/issued/server.crt ~/custom_folder/
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ cp pki/private/server.key ~/custom_folder/
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ cp pki/issued/client1.domain.tld.crt ~/custom_folder
[cloudshell-user@ip-10-132-84-39 easyrsa3]$ cp pki/private/client1.domain.tld.key ~/custom_folder/
サーバ証明書インポート
コマンド
# Import the server certificate into ACM together with its private key and
# the CA as chain. The returned ARN is looked up again by DomainName below.
aws acm import-certificate \
  --certificate-chain fileb://~/custom_folder/ca.crt \
  --certificate fileb://~/custom_folder/server.crt \
  --private-key fileb://~/custom_folder/server.key
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws acm import-certificate \
> --certificate fileb://~/custom_folder/server.crt \
> --private-key fileb://~/custom_folder/server.key \
> --certificate-chain fileb://~/custom_folder/ca.crt
{
"CertificateArn": "arn:aws:acm:ap-northeast-1:999999999999:certificate/0414c54a-da0b-45b5-8652-82ad0dad8e9f"
}
クライアント証明書インポート
コマンド
# Import the client certificate (with its private key and the CA chain).
# The endpoint's mutual-authentication option in 2-1 references this entry.
aws acm import-certificate \
  --certificate-chain fileb://~/custom_folder/ca.crt \
  --certificate fileb://~/custom_folder/client1.domain.tld.crt \
  --private-key fileb://~/custom_folder/client1.domain.tld.key
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws acm import-certificate \
> --certificate fileb://~/custom_folder/client1.domain.tld.crt \
> --private-key fileb://~/custom_folder/client1.domain.tld.key \
> --certificate-chain fileb://~/custom_folder/ca.crt
{
"CertificateArn": "arn:aws:acm:ap-northeast-1:999999999999:certificate/fd3acc8e-0c44-43c6-8969-edde16669a8b"
}
サーバ証明書 ARNの取得
コマンド
# Find the imported server certificate by its DomainName. A re-run that
# imports a second "server" certificate would return both ARNs, tab-separated.
SERVER_CERT_ARN=$(
  aws acm list-certificates \
    --output text \
    --query "CertificateSummaryList[?DomainName=='server'].CertificateArn"
) && printf '%s\n' "${SERVER_CERT_ARN}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ SERVER_CERT_ARN=$( \
> aws acm list-certificates \
> --query "CertificateSummaryList[?DomainName=='server'].CertificateArn" \
> --output text
> ) \
> && echo ${SERVER_CERT_ARN}
arn:aws:acm:ap-northeast-1:999999999999:certificate/0414c54a-da0b-45b5-8652-82ad0dad8e9f
クライアント証明書 ARNの取得
コマンド
# Find the imported client certificate by its DomainName (same caveat about
# duplicates as for the server certificate).
CLIDNG_CERT_ARN=$(
  aws acm list-certificates \
    --output text \
    --query "CertificateSummaryList[?DomainName=='client1.domain.tld'].CertificateArn"
) && printf '%s\n' "${CLIDNG_CERT_ARN}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ CLIDNG_CERT_ARN=$( \
> aws acm list-certificates \
> --query "CertificateSummaryList[?DomainName=='client1.domain.tld'].CertificateArn" \
> --output text
> ) \
> && echo ${CLIDNG_CERT_ARN}
arn:aws:acm:ap-northeast-1:999999999999:certificate/fd3acc8e-0c44-43c6-8969-edde16669a8b
2.パターン1 相互認証 (証明書ベース)
2-1.クライアントVPNエンドポイントの作成
変数設定 (クライアントVPNエンドポイント名)
コマンド
# Name tag of the Client VPN endpoint; also spliced into the JMESPath lookup in 2-1.
CLIENT_VPN_ENDPOINT_NAME='cvpn-hands-on'
printf '%s\n' "${CLIENT_VPN_ENDPOINT_NAME}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ CLIENT_VPN_ENDPOINT_NAME='cvpn-hands-on' \
> && echo ${CLIENT_VPN_ENDPOINT_NAME}
cvpn-hands-on
変数設定 (クライアント IPv4 CIDR)
コマンド
# Address pool handed to connecting VPN clients; distinct from the VPC CIDR.
CLIENT_CIDR_BLOCK='192.168.252.0/22'
printf '%s\n' "${CLIENT_CIDR_BLOCK}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ CLIENT_CIDR_BLOCK='192.168.252.0/22' \
> && echo ${CLIENT_CIDR_BLOCK}
192.168.252.0/22
クライアントVPNエンドポイントの作成
コマンド
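# Create the Client VPN endpoint with certificate (mutual) authentication.
# - ClientRootCertificateChainArn points at the imported client certificate,
#   which was uploaded together with ca.crt as its chain.
# - Connection logging goes to the group/stream prepared in 1-8.
# - --split-tunnel pushes only the endpoint's routes to clients, so the
#   client's other traffic does not traverse the VPN.
# All expansions are quoted.
aws ec2 create-client-vpn-endpoint \
  --client-cidr-block "${CLIENT_CIDR_BLOCK}" \
  --server-certificate-arn "${SERVER_CERT_ARN}" \
  --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=${CLIDNG_CERT_ARN}}" \
  --connection-log-options "Enabled=true,CloudwatchLogGroup=${LOG_GROUP_NAME},CloudwatchLogStream=${LOG_STREAM_NAME}" \
  --split-tunnel \
  --tag-specifications "ResourceType=client-vpn-endpoint,Tags=[{Key=Name,Value=${CLIENT_VPN_ENDPOINT_NAME}}]" \
  --vpc-id "${VPC_ID}"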
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 create-client-vpn-endpoint \
> --client-cidr-block ${CLIENT_CIDR_BLOCK} \
> --server-certificate-arn ${SERVER_CERT_ARN} \
> --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=${CLIDNG_CERT_ARN}}" \
> --connection-log-options "Enabled=true,CloudwatchLogGroup=${LOG_GROUP_NAME},CloudwatchLogStream=${LOG_STREAM_NAME}" \
> --split-tunnel \
> --tag-specifications "ResourceType=client-vpn-endpoint,Tags=[{Key=Name,Value=${CLIENT_VPN_ENDPOINT_NAME}}]" \
> --vpc-id ${VPC_ID}
{
"ClientVpnEndpointId": "cvpn-endpoint-002017eeed7b55b3c",
"Status": {
"Code": "pending-associate"
},
"DnsName": "cvpn-endpoint-002017eeed7b55b3c.prod.clientvpn.ap-northeast-1.amazonaws.com"
}
クライアントVPNエンドポイントIDの取得
コマンド
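# Resolve the endpoint ID by Name tag. The name is spliced into the JMESPath
# expression, so it is wrapped in double quotes (the original left it
# unquoted between the single-quoted fragments); a name containing a backtick
# would still break the query, so this is only safe for trusted values.
VPN_ENDPOINT_ID=$(
  aws ec2 describe-client-vpn-endpoints \
    --query 'ClientVpnEndpoints[?Tags[?Key==`Name` && Value==`'"${CLIENT_VPN_ENDPOINT_NAME}"'`]].ClientVpnEndpointId' \
    --output text
) && printf '%s\n' "${VPN_ENDPOINT_ID}"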
出力
[cloudshell-user@ip-10-132-84-39 ~]$ VPN_ENDPOINT_ID=$( \
> aws ec2 describe-client-vpn-endpoints \
> --query 'ClientVpnEndpoints[?Tags[?Key==`Name` && Value==`'${CLIENT_VPN_ENDPOINT_NAME}'`]].ClientVpnEndpointId' \
> --output text) \
> && echo ${VPN_ENDPOINT_ID}
cvpn-endpoint-002017eeed7b55b3c
2-2.ターゲットネットワークへのクライアント VPN の関連付けの作成
関連付け1
コマンド
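# Associate subnet255 with the endpoint. This creates the NAT default route
# for the VPC CIDR shown in 2-4 (expansions quoted).
aws ec2 associate-client-vpn-target-network \
  --client-vpn-endpoint-id "${VPN_ENDPOINT_ID}" \
  --subnet-id "${SUBNET_ID_3}"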
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 associate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --subnet-id ${SUBNET_ID_3}
{
"AssociationId": "cvpn-assoc-030b4f07dc2f393e2",
"Status": {
"Code": "associating"
}
}
関連付け2
コマンド
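# Associate subnet254 as the second target network (other AZ), giving the
# endpoint a second NAT route for the VPC CIDR (expansions quoted).
aws ec2 associate-client-vpn-target-network \
  --client-vpn-endpoint-id "${VPN_ENDPOINT_ID}" \
  --subnet-id "${SUBNET_ID_4}"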
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 associate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --subnet-id ${SUBNET_ID_4}
{
"AssociationId": "cvpn-assoc-0bfb0b4a31ea84c08",
"Status": {
"Code": "associating"
}
}
2-3.認証ルールの追加
変数設定 (ターゲット CIDR)
コマンド
# Destination range the authorization rule will open: the whole VPC CIDR.
TARGET_NETWORK_CIDR="${VPC_CIDR_BLOCK}"
printf '%s\n' "${TARGET_NETWORK_CIDR}"
出力
[cloudshell-user@ip-10-132-84-39 ~]$ TARGET_NETWORK_CIDR=${VPC_CIDR_BLOCK} \
> && echo ${TARGET_NETWORK_CIDR}
10.255.0.0/16
認証ルールの追加
コマンド
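# Authorization rule: --authorize-all-groups lets every authenticated client
# reach TARGET_NETWORK_CIDR (here the entire VPC). Group-scoped rules require a
# directory/SAML authentication type, so with certificate-based mutual
# authentication the CIDR is the only lever for least privilege; prefer
# narrower per-subnet rules outside a hands-on.
aws ec2 authorize-client-vpn-ingress \
--client-vpn-endpoint-id "${VPN_ENDPOINT_ID}" \
--target-network-cidr "${TARGET_NETWORK_CIDR}" \
--authorize-all-groups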
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 authorize-client-vpn-ingress \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --target-network-cidr ${TARGET_NETWORK_CIDR} \
> --authorize-all-groups
{
"Status": {
"Code": "authorizing"
}
}
2-4.クライアントVPNエンドポイントのルートテーブルを確認
コマンド
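# Show the endpoint's route table. The two "Nat" routes with Origin "associate"
# for the VPC CIDR are created automatically by the subnet associations above;
# no manual route is needed for traffic into the VPC in this hands-on.
aws ec2 describe-client-vpn-routes \
--client-vpn-endpoint-id "${VPN_ENDPOINT_ID}"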
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 describe-client-vpn-routes \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
{
"Routes": [
{
"ClientVpnEndpointId": "cvpn-endpoint-002017eeed7b55b3c",
"DestinationCidr": "10.255.0.0/16",
"TargetSubnet": "subnet-0fb7e5d87165cabde",
"Type": "Nat",
"Origin": "associate",
"Status": {
"Code": "active"
},
"Description": "Default Route"
},
{
"ClientVpnEndpointId": "cvpn-endpoint-002017eeed7b55b3c",
"DestinationCidr": "10.255.0.0/16",
"TargetSubnet": "subnet-0ab031f4f01864376",
"Type": "Nat",
"Origin": "associate",
"Status": {
"Code": "active"
},
"Description": "Default Route"
}
]
}
2-5.詳細確認
コマンド
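# Full endpoint description. Worth checking here: Status.Code is "available",
# SplitTunnel is true, ConnectionLogOptions.Enabled is true (audit trail), and
# AuthenticationOptions lists the expected ClientRootCertificateChain ARN.
# --client-vpn-endpoint-ids accepts a list; a single ID is passed here.
aws ec2 describe-client-vpn-endpoints \
--client-vpn-endpoint-ids "${VPN_ENDPOINT_ID}"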
出力
[cloudshell-user@ip-10-132-84-39 ~]$ aws ec2 describe-client-vpn-endpoints \
> --client-vpn-endpoint-ids ${VPN_ENDPOINT_ID}
{
"ClientVpnEndpoints": [
{
"ClientVpnEndpointId": "cvpn-endpoint-002017eeed7b55b3c",
"Description": "",
"Status": {
"Code": "available"
},
"CreationTime": "2024-05-25T15:03:21",
"DnsName": "*.cvpn-endpoint-002017eeed7b55b3c.prod.clientvpn.ap-northeast-1.amazonaws.com",
"ClientCidrBlock": "192.168.252.0/22",
"SplitTunnel": true,
"VpnProtocol": "openvpn",
"TransportProtocol": "udp",
"VpnPort": 443,
"ServerCertificateArn": "arn:aws:acm:ap-northeast-1:999999999999:certificate/0414c54a-da0b-45b5-8652-82ad0dad8e9f",
"AuthenticationOptions": [
{
"Type": "certificate-authentication",
"MutualAuthentication": {
"ClientRootCertificateChain": "arn:aws:acm:ap-northeast-1:999999999999:certificate/fd3acc8e-0c44-43c6-8969-edde16669a8b"
}
}
],
"ConnectionLogOptions": {
"Enabled": true,
"CloudwatchLogGroup": "/aws/clientvpn",
"CloudwatchLogStream": "connection-log"
},
"Tags": [
{
"Key": "Name",
"Value": "cvpn-hands-on"
}
],
"SecurityGroupIds": [
"sg-0fca07156f7128a32"
],
"VpcId": "vpc-075b8036a1049e579",
"SelfServicePortalUrl": "https://self-service.clientvpn.amazonaws.com/endpoints/cvpn-endpoint-002017eeed7b55b3c",
"ClientConnectOptions": {
"Enabled": false,
"Status": {
"Code": "applied"
}
},
"SessionTimeoutHours": 24,
"ClientLoginBannerOptions": {
"Enabled": false
}
}
]
}
2-6.CloudWatchログの確認
コマンド
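# Read the connection log. Each event records the client certificate
# common-name, the assigned client-ip, the (masked) device-ip and byte counts,
# so treat this log group as sensitive and restrict who can read it.
# get-log-events returns one page (newest events first by default); use the
# returned tokens to page if the stream grows.
aws logs get-log-events \
--log-group-name "${LOG_GROUP_NAME}" \
--log-stream-name "${LOG_STREAM_NAME}" \
--output table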
出力
[cloudshell-user@ip-10-130-51-246 ~]$ aws logs get-log-events \
> --log-group-name ${LOG_GROUP_NAME} \
> --log-stream-name ${LOG_STREAM_NAME} \
> --output table
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| GetLogEvents |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| nextBackwardToken | b/38282216340397903000021775373331577705917417511359807488/s |
| nextForwardToken | f/38282658876385622641707419996927488722421563029488533504/s |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|| events ||
|+---------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+|
|| ingestionTime | message | timestamp ||
|+---------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+|
|| 1716633951944| {"connection-log-type": "connection-attempt", "connection-attempt-status": "successful", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-0940d74c96a03141f", "client-vpn-endpoint-id": "cvpn-endpoint-05e087c93a04a83dc", "transport-protocol": "udp", "connection-start-time": "2024-05-25 10:23:57", "connection-last-update-time": "2024-05-25 10:23:57", "client-ip": "192.168.252.34", "common-name": "client1.domain.tld", "device-type": "win", "device-ip": "***.**.***.**", "port": "5794", "ingress-bytes": "0", "egress-bytes": "0", "ingress-packets": "0", "egress-packets": "0", "connection-end-time": "NA", "connection-duration-seconds": "0"} | 1716633951000 ||
|| 1716634725033| {"connection-log-type": "connection-reset", "connection-attempt-status": "NA", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-0940d74c96a03141f", "client-vpn-endpoint-id": "cvpn-endpoint-05e087c93a04a83dc", "transport-protocol": "udp", "connection-start-time": "2024-05-25 10:23:57", "connection-last-update-time": "2024-05-25 10:43:14", "client-ip": "192.168.252.34", "common-name": "client1.domain.tld", "device-type": "win", "device-ip": "***.**.***.**", "port": "5794", "ingress-bytes": "51235", "egress-bytes": "47125", "ingress-packets": "1107", "egress-packets": "1102", "connection-end-time": "2024-05-25 10:43:14", "connection-reset-status": "NA", "connection-duration-seconds": "1157"} | 1716634725000 ||
|| 1716636603316| {"connection-log-type": "connection-attempt", "connection-attempt-status": "successful", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-0c752f03cde4a8ef9", "client-vpn-endpoint-id": "cvpn-endpoint-0d7e0255ba5995aca", "transport-protocol": "udp", "connection-start-time": "2024-05-25 11:07:07", "connection-last-update-time": "2024-05-25 11:07:07", "client-ip": "192.168.253.2", "common-name": "client1.domain.tld", "device-type": "win", "device-ip": "***.**.***.**", "port": "18080", "ingress-bytes": "0", "egress-bytes": "0", "ingress-packets": "0", "egress-packets": "0", "connection-end-time": "NA", "connection-duration-seconds": "0"} | 1716636603000 ||
|| 1716636603316| {"connection-log-type": "connection-reset", "connection-attempt-status": "NA", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-0c752f03cde4a8ef9", "client-vpn-endpoint-id": "cvpn-endpoint-0d7e0255ba5995aca", "transport-protocol": "udp", "connection-start-time": "2024-05-25 11:07:07", "connection-last-update-time": "2024-05-25 11:08:26", "client-ip": "192.168.253.2", "common-name": "client1.domain.tld", "device-type": "win", "device-ip": "***.**.***.**", "port": "18080", "ingress-bytes": "8505", "egress-bytes": "5852", "ingress-packets": "73", "egress-packets": "71", "connection-end-time": "2024-05-25 11:08:26", "connection-reset-status": "NA", "connection-duration-seconds": "79"} | 1716636603000 ||
|| 1716652007197| {"connection-log-type": "connection-attempt", "connection-attempt-status": "successful", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-02b0994f0e212951c", "client-vpn-endpoint-id": "cvpn-endpoint-002017eeed7b55b3c", "transport-protocol": "udp", "connection-start-time": "2024-05-25 15:25:07", "connection-last-update-time": "2024-05-25 15:25:07", "client-ip": "192.168.252.130", "common-name": "client1.domain.tld", "device-type": "win", "device-ip": "***.**.***.**", "port": "18088", "ingress-bytes": "0", "egress-bytes": "0", "ingress-packets": "0", "egress-packets": "0", "connection-end-time": "NA", "connection-duration-seconds": "0"} | 1716652007000 ||
|| 1716653795016| {"connection-log-type": "connection-reset", "connection-attempt-status": "NA", "connection-attempt-failure-reason": "NA", "connection-id": "cvpn-connection-02b0994f0e212951c", "client-vpn-endpoint-id": "cvpn-endpoint-002017eeed7b55b3c", "transport-protocol": "udp", "connection-start-time": "2024-05-25 15:25:07", "connection-last-update-time": "2024-05-25 15:58:57", "client-ip": "192.168.252.130", "common-name": "client1.domain.tld", "device-type": "win", "device-ip": "***.**.***.**", "port": "18088", "ingress-bytes": "101929", "egress-bytes": "127904", "ingress-packets": "2052", "egress-packets": "2041", "connection-end-time": "2024-05-25 15:58:57", "connection-reset-status": "NA", "connection-duration-seconds": "2030"} | 1716653795000 ||
|+---------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+|
3.リソースの削除
3-1.クライアントVPN エンドポイントの削除
関連付けIDの取得 1
コマンド
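# Find the association ID for the first target subnet.
# SUBNET_ID_3 is spliced into the JMESPath filter, so it must not contain a
# single quote. An empty result (subnet not associated) is rejected by the :?
# guard instead of silently feeding an empty ID to the disassociate call.
ASSOCIATIONID_1=$( \
aws ec2 describe-client-vpn-target-networks \
--client-vpn-endpoint-id "${VPN_ENDPOINT_ID}" \
--query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_3}'].AssociationId" \
--output text) \
&& : "${ASSOCIATIONID_1:?no association found for subnet ${SUBNET_ID_3}}" \
&& printf '%s\n' "${ASSOCIATIONID_1}"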
出力
[cloudshell-user@ip-10-132-93-246 ~]$ ASSOCIATIONID_1=$( \
> aws ec2 describe-client-vpn-target-networks \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_3}'].AssociationId" \
> --output text) \
> && echo ${ASSOCIATIONID_1}
cvpn-assoc-02c5337855d6b83e6
関連付けの解除 1
コマンド
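# Detach the first target subnet. The call returns with Status.Code
# "disassociating"; the endpoint itself can only be deleted once every
# association is gone.
aws ec2 disassociate-client-vpn-target-network \
--client-vpn-endpoint-id "${VPN_ENDPOINT_ID}" \
--association-id "${ASSOCIATIONID_1}"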
出力
[cloudshell-user@ip-10-132-93-246 ~]$ aws ec2 disassociate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --association-id ${ASSOCIATIONID_1}
{
"AssociationId": "cvpn-assoc-02c5337855d6b83e6",
"Status": {
"Code": "disassociating"
}
}
関連付けIDの取得 2
コマンド
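# Find the association ID for the second target subnet.
# SUBNET_ID_4 is spliced into the JMESPath filter, so it must not contain a
# single quote. The :? guard rejects an empty lookup result.
ASSOCIATIONID_2=$( \
aws ec2 describe-client-vpn-target-networks \
--client-vpn-endpoint-id "${VPN_ENDPOINT_ID}" \
--query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_4}'].AssociationId" \
--output text) \
&& : "${ASSOCIATIONID_2:?no association found for subnet ${SUBNET_ID_4}}" \
&& printf '%s\n' "${ASSOCIATIONID_2}"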
出力
[cloudshell-user@ip-10-132-93-246 ~]$ ASSOCIATIONID_2=$( \
> aws ec2 describe-client-vpn-target-networks \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --query "ClientVpnTargetNetworks[?TargetNetworkId=='${SUBNET_ID_4}'].AssociationId" \
> --output text) \
> && echo ${ASSOCIATIONID_2}
cvpn-assoc-0b6921d69feb8445e
関連付けの解除 2
コマンド
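# Detach the second target subnet; returns with Status.Code "disassociating".
aws ec2 disassociate-client-vpn-target-network \
--client-vpn-endpoint-id "${VPN_ENDPOINT_ID}" \
--association-id "${ASSOCIATIONID_2}"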
出力
[cloudshell-user@ip-10-132-93-246 ~]$ aws ec2 disassociate-client-vpn-target-network \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID} \
> --association-id ${ASSOCIATIONID_2}
{
"AssociationId": "cvpn-assoc-0b6921d69feb8445e",
"Status": {
"Code": "disassociating"
}
}
クライアントVPN エンドポイントの削除
コマンド
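# Delete the endpoint. This is expected to be rejected while any target-network
# association is still "disassociating", so re-run it after the two
# disassociations above have completed. Returns Status.Code "deleting".
aws ec2 delete-client-vpn-endpoint \
--client-vpn-endpoint-id "${VPN_ENDPOINT_ID}"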
出力
[cloudshell-user@ip-10-132-93-246 ~]$ aws ec2 delete-client-vpn-endpoint \
> --client-vpn-endpoint-id ${VPN_ENDPOINT_ID}
{
"Status": {
"Code": "deleting"
}
}
3-2.ACMに登録した証明書の削除
サーバ証明書の削除
コマンド
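# Remove the server certificate from ACM. ACM refuses to delete a certificate
# that is still associated with a resource, so run this only after the
# endpoint deletion has finished. A successful delete prints nothing.
aws acm delete-certificate \
--certificate-arn "${SERVER_CERT_ARN}"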
出力
[cloudshell-user@ip-10-130-51-100 ~]$ aws acm delete-certificate \
> --certificate-arn ${SERVER_CERT_ARN}
クライアント証明書の削除
コマンド
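# Remove the imported client/CA certificate from ACM (variable name as set
# earlier in this hands-on). This only drops the ACM copy: any private keys
# and CA material generated locally earlier are untouched and should be
# deleted separately if no longer needed.
aws acm delete-certificate \
--certificate-arn "${CLIDNG_CERT_ARN}"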
出力
[cloudshell-user@ip-10-130-51-100 ~]$ aws acm delete-certificate \
> --certificate-arn ${CLIDNG_CERT_ARN}
3-3.ログの出力先の削除
コマンド
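# Delete the connection-log group. This discards the audit trail of who
# connected (common-name, client-ip, durations); in anything but a throwaway
# lab, export or archive the events before deleting. Prints nothing on success.
aws logs delete-log-group \
--log-group-name "${LOG_GROUP_NAME}"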
出力
[cloudshell-user@ip-10-130-51-246 ~]$ aws logs delete-log-group \
> --log-group-name ${LOG_GROUP_NAME}
3-4.EC2 インスタンスの削除
EC2 インスタンスIDの確認
コマンド
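# Look up the hands-on instance by Name tag. A bare tag filter also returns
# recently terminated instances that still carry the same Name, which would
# make EC2_INSTANCE_ID a multi-line list; restrict to live states so that a
# single ID is returned ("stopped" must stay in the list, see the
# PreviousState in the terminate output).
EC2_INSTANCE_ID=$( \
aws ec2 describe-instances \
--filters Name=tag:Name,Values="${INSTANCE_NAME}" \
Name=instance-state-name,Values=pending,running,stopping,stopped \
--query "Reservations[*].Instances[*].[InstanceId]" \
--output text
) \
&& printf '%s\n' "${EC2_INSTANCE_ID}"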
出力
[cloudshell-user@ip-10-130-51-246 ~]$ EC2_INSTANCE_ID=$( \
> aws ec2 describe-instances \
> --filters Name=tag:Name,Values="${INSTANCE_NAME}" \
> --query "Reservations[*].Instances[*].[InstanceId]" \
> --output text
> ) \
> && echo ${EC2_INSTANCE_ID}
i-09ed69d8960517da1
EC2 インスタンスの削除
コマンド
# Terminate the hands-on instance. The expansion is deliberately unquoted so
# that, if the lookup above returned more than one ID, each becomes its own
# --instance-ids argument; check the echoed value first, since termination is
# irreversible.
# shellcheck disable=SC2086
aws ec2 terminate-instances \
--instance-ids ${EC2_INSTANCE_ID}
出力
[cloudshell-user@ip-10-130-51-246 ~]$ aws ec2 terminate-instances \
> --instance-ids ${EC2_INSTANCE_ID}
{
"TerminatingInstances": [
{
"CurrentState": {
"Code": 48,
"Name": "terminated"
},
"InstanceId": "i-09ed69d8960517da1",
"PreviousState": {
"Code": 80,
"Name": "stopped"
}
}
]
}
EC2セキュリティグループの削除
コマンド
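# Delete the instance's security group. This may fail with a dependency error
# while the terminated instance's network interface is still attached; retry
# once the instance has fully terminated. Prints nothing on success.
aws ec2 delete-security-group \
--group-id "${SECURITY_GROUP_ID}"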
出力
[cloudshell-user@ip-10-130-51-246 ~]$ aws ec2 delete-security-group \
> --group-id ${SECURITY_GROUP_ID}
VPCの削除
サブネット削除
コマンド
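# Delete the four hands-on subnets. Each delete is issued independently, as in
# the original four commands, so one failure (e.g. a network interface still
# present in that subnet) does not stop the others; re-run for any that failed.
for subnet_id in "${SUBNET_ID_1}" "${SUBNET_ID_2}" "${SUBNET_ID_3}" "${SUBNET_ID_4}"; do
  aws ec2 delete-subnet --subnet-id "${subnet_id}"
done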
出力
[cloudshell-user@ip-10-130-51-246 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_1}
[cloudshell-user@ip-10-130-51-246 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_2}
[cloudshell-user@ip-10-130-51-246 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_3}
[cloudshell-user@ip-10-130-51-246 ~]$ aws ec2 delete-subnet --subnet-id ${SUBNET_ID_4}
VPC削除
コマンド
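# Delete the VPC last; it is rejected while subnets or other dependent
# resources remain. Prints nothing on success.
aws ec2 delete-vpc --vpc-id "${VPC_ID}"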
出力
[cloudshell-user@ip-10-130-51-246 ~]$ aws ec2 delete-vpc --vpc-id ${VPC_ID}