Cloudfront origin failover

fhorisberger — Sat, 16 Apr 2022 19:13:05 +0000

This new article, we are speaking about CloudFront origin failover, it allows us to create a high avaliavility solutions when primary origin is unavailable.

Basic view:

If you don't have new cloudfront distribution please visit this site:Amazon Web Site for creating a new distribution

Then we should create an origin groups, it will be used for rerouting our request in the case that primary origin will have a failure.

An item important is CloudFront fails over to the secondary origin only when the HTTP method of the viewer request is GET, HEAD, or OPTIONS.

Creating an origin group:

1- Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home

2- Choose the Origins tab.

3- Make sure the distribution has more than one origin. If it doesn’t, add a second origin.

4- On the Origins tab, in the Origin groups pane, choose Create origin group.

5- Choose the origins for the origin group. After you add origins, use the arrows to set the priority—that is, which origin is primary and which is secondary.

6- Enter a name for the origin group.

7- Choose the HTTP status codes to use as failover criteria. You can choose any combination of the following status codes: 400, 403, 404, 416, 500, 502, 503, or 504. When CloudFront receives a response with one of the status codes that you specify, it fails over to the secondary origin.

8- Create Origin Group

About origin timeouts and attempts:

By default, CF tries to connect to the primary origin for as long as 30 seconds (3 connection attempts of 10 seconds each) before moving to secondary origin. These values can be changed to timeouts between 1 and 10 seconds, attempts between 1 and 3 times

AWS Client VPN

fhorisberger — Wed, 16 Mar 2022 11:46:18 +0000

I wrote this article for explain as connect client vpn to our aws resources using a managed client-based vpn based on OpenVPN.

Details before you start to work:

A vpn subnet in our vpc must be create. ( or more for High Availability)
Choose a CIDR for Client vpn. It can't overlap with the our vpc.
Client CIDR ranges must have a block size between /22 and /12. It can't changed after was created.
You can't associate multiple subnets from the same Availability Zone with a Client VPN endpoint
Optional: Aws cli installed in your workstations ( upload certificates to ACM)

Let's go..

In this scenario we have created the followings components:
VPC (192.168.0.0/16): Private (192.168.0.0/24) and vpn (192.168.254.0/24) subnet.

One EC2 on private subnet for testing ssh access via vpn.

Two segurity-group: Inside-target-sg assigned to EC2 and VpnTarget-sg will be assigned to VPN Target Subnet on client vpn endpoint.

The followings Authentication methods are supported:

Active Directory (User-based)
Mutual Authentication (certificated-based)
Single Sign-on ( SAML-based federation authentication)(user-based)

In this case we use Mutual Authentication (certificated-based).

we will create server and client certificates using OpenVPN easy-rsa:

Clone The OpenVPN easy-rsa

git clone https://github.com/OpenVPN/easy-rsa.git

cd easy-rsa/easyrsa3

Initialize a new PKI enviroment

./easyrsa init-pki

To build a new certificate authority (CA)

./easyrsa build-ca nopass

Generate The server certificate and key

./easyrsa build-server-full server nopass

Generate the client certificate and key

./easyrsa build-client-full clientvpn nopass

Copy files to other folders

cp -rp pki/{ca.crt,issued/clientvpn.crt,private/clientvpn.key} /tmp/
cp -rp pki/{issued/server.crt,private/server.key} /tmp/

Upload certicifates and keys to ACM

aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

aws acm import-certificate --certificate fileb://clientvpn.crt --private-key fileb://clientvpn.key --certificate-chain fileb://ca.crt

Create AWS Client VPN EndPoint

you can search this section in VPC --> Virtual Private Network(VPN) --> Client Vpn Endpoints

Name vpn endpoint: "client-vpn-endpoint"
Client Ipv4 CIDR: 172.16.0.0/20
Server Certificate ARN: server.
Choose: Use mutual Authentication
Client Certificate ARN: clientvpn

Transport Protocol: TCP
Choose VPC ID: in this case 192.168.0.0/16
Segurity Group id: (Vpntarget-sg)

VPN Port: TCP 1194. You can choose 443, too.

Associate target subnet & Authorize Traffic

In this section, we select the client vpn endpoint created earlier for adding an authorization rule.

Associate Subnet Target Network (192.168.254.0/24)

Rules to grant clients access to the networks. In this case we choose 192.168.0.0/16 that is our vpc but we would choose 0.0.0./0 for sending traffic to internet.

Last step: Download and update VPN configuration file

if you need OpenVPN client. It can be download in:

https://openvpn.net/community-downloads

Select Client VPN Endpoint and "Download Client configuration" to your local workstation.
Download or copy the client certificate ( clienvpn.crt, clientvpn.key)
Open this configuration File and add following lines:
- cert /path/clientvpn.crt
- key /path/clientvpn.key
Import file from OpenVpn Client
Connect and Enjoy :D

Monitoring Client Connection

We can monitor all our client connections from the console for a quick real-time view of our client connections.

Conclusion

This vpn connection is a way easy, secure and fast for connecting us to our resources on AWS or on-premise DataCenter.

Forem: fhorisberger

Cloudfront origin failover

AWS Client VPN