Forem: Tevin Deale

Enhancing AWS VPC Security: Accessing Your Network with a Private Jumpbox using Tailscale

Tevin Deale — Mon, 27 May 2024 00:50:03 +0000

In today's cloud-centric world, ensuring the security of your AWS resources is paramount. I was recently working on a cloud project and wanted a secure way to access the VPC remotely without using EC2 Instance Connect. This is when I came up with the idea to try using Tailscale VPN. I had already been tinkering with Tailscale on my home network and noticed how powerful it was. In this post, I will share how you can enhance your AWS VPC security by setting up a private jumpbox using Tailscale. We'll be using the free plan, which is sufficient for our needs. I suggest visiting Tailscale'swebsite to explore all their features and use cases.

The Solution

Understanding the Basics

For those new to AWS, a Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. A jumpbox, or bastion host, acts as a secure gateway to your VPC, typically accessed via SSH, and it helps in reducing the exposure of your instances. Tailscale is a user-friendly VPN that simplifies secure network connections using WireGuard’s encryption technology. It’s particularly great for creating secure, peer-to-peer networks.

Why Use a Private Jumpbox and Tailscale?

Using a private jumpbox, also known as a bastion host, provides a secure gateway to your AWS VPC. Unlike a public jumpbox, a private jumpbox is not accessible directly from the internet, which significantly reduces the attack surface and enhances the overall security of your network. This setup ensures that only authorized users can access your VPC resources.

Tailscale is a peer-to-peer VPN solution built on WireGuard, which simplifies secure network connections. Tailscale's ease of use, combined with its robust security features, makes it an excellent choice for setting up a private jumpbox. With Tailscale, you can create a secure mesh network that includes your local devices and your AWS resources, allowing seamless and secure access.

One of the key advantages of using Tailscale with a private jumpbox is its cost-effectiveness. Here are some points to consider:

Free Plan: Tailscale offers a free plan that is sufficient for many use cases, especially for small projects or individual developers. This plan includes all the core features needed to set up a secure private jumpbox.
Reduced AWS Costs: By using a private jumpbox, you can minimize the number of publicly accessible instances, which can lower your AWS costs. Public instances often require additional security measures and monitoring, increasing overall expenses.
No Need for Expensive Hardware: Tailscale operates on your existing infrastructure, meaning you don't need to invest in additional hardware or complex network setups.

Setting Up the Environment

Before we begin, ensure that you have a AWS account with necessary permissions, and the remote system set up with the Tailscale VPN.

Create the VPC

Navigate to the VPC dashboard and click Create VPC.
In the VPC Settings box we will use the VPC and More option for simplicity. Match your settings to the following and click Create VPC:
- Name tag auto-generation: TailscaleJumpBox
- IPv4 CIDR block: 10.0.0.0/16
- IPv6 CIDR block(Important): Amazon-provided IPv6 CIDR block
- Tenancy: Default
- Number of Availability Zones: 1
- Number of public subnets: 1
- Number of private subnets: 1
- Nat gateways: None
- VPC endpoints: None
- DNS Options: Both options should be checked.

Example output:

Using the VPC and more option when creating the VPC saves times by auto generating your subnets, route tables, and internet gateway.

Turn on IPv6 Auto-assign

In the VPC Dashboard menu click Subnets.
Enable Auto-assign IPv6

This will auto assign IPv6 addresses to resources deployed into the TailscaleJumpBox-VPC. This is useful because by default AWS IPv6 addresses are publicly available by default unlike IPv4 addresses.

Create Security Group

In the VPC Dashboard menu click Security groups.
Click Create Security Group.

Enter in the following details:
- Security group name: Tailscale-JumpBox-SG
- Description: Allow remote connection from Tailscale
- VPC: tailscalejumpbox-vpc
- Inbound rules: None (default)
- Outbound rules: Leave as default (all traffic) Example Output:

Launch Instance

Navigate to the EC2 Dashboard.
Click Launch Instance.

Enter in the following details:
- Name: Tailscale-JumpBox-USE-1a
- Application and OS Images: Amazon Linux - Amazon Linux 2023
- Instance Type: t2.micro (free tier)
- Key pair: Create new key pair --> RSA --> .PEM --> Download Key
- Network Settings: Click edit to change all options
- VPC: tailscalejumpbox-vpc
- Subnet: tailscalejumpbox-subnet-public1-us-east-1a
- Auto-assign public IP: Disable
- Auto-assign IPv6 IP: Enable
- Security goups: Select existing security group
- Common security groups: Tailscale-JumpBox-SG
- Configure storage: Leave as default
- Advance details: Expand this section and scroll to the bottom to enter User data (Shell Script)
- User data:



#! bin/bash
hostnamectl set-hostname ts-jumpbox-use-1a
yum update -y
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --auth-key <tskey-auth> --ssh

Shell script breakdown:

#! bin/bash: This shebang line indicates that the script should be run in the bash shell.
hostnamectl set-hostname ts-jumpbox-use-1a: Sets a readable hostname for the instance. (Optional)
yum update -y: Updates all installed packages.
curl -fsSL https://tailscale.com/install.sh | sh: Downloads and installs Tailscale's quick install script.
tailscale up --auth-key <tskey-auth> --ssh: Starts Tailscale and authenticates the instance using the provided auth key, with SSH access enabled.
Launch Instance

Note: Replace <tskey-auth> with your actual Tailscale authentication key. You can generate an auth key from the Tailscale admin console under the Keys section in the settings.

Using the --ssh Flag

By using the --ssh flag in the tailscale up command, you enable Tailscale SSH, which allows you to SSH into the machine using Tailscale’s secure network. After running the script, you will see an SSH tag on the machine in the Tailscale admin console.

Connecting to the JumpBox

To SSH into the server using Tailnet SSH, use the following command:



ssh ec2-user@<tailnet IP address>

You will be prompted to log in with a browser to authorize access to the server.

Alternatively, you can use the -i flag with the RSA key generated when launching the instance:



ssh -i rsa.pem ec2-user@<tailnet IP address>

By following these steps, you can securely connect to your jumpbox and access your AWS VPC using Tailscale, taking advantage of its seamless and secure networking capabilities.

Conclusion

In this blog post, we explored how to enhance the security of your AWS VPC by setting up a private jumpbox using Tailscale. By utilizing a private jumpbox, you significantly reduce the attack surface of your infrastructure, making your network more secure and resilient against unauthorized access.

We walked through a step-by-step process to install and configure Tailscale on your jumpbox, leveraging its powerful yet user-friendly VPN capabilities. By enabling Tailscale SSH, we made accessing your jumpbox and other AWS resources secure and straightforward, providing you with a seamless and cost-effective solution for remote network access.

One of the standout advantages of this setup is its cost-effectiveness. Using Tailscale's free plan and minimizing the number of publicly accessible instances can save costs while still providing robust security features.

By following the steps outlined, you now have a secure method to access your AWS VPC, ensuring your resources are protected without sacrificing convenience. I encourage you to implement this setup in your projects and experience the benefits firsthand.

If you have any questions, comments, or additional tips to share, please leave them below. I’d love to hear about your experiences and any further enhancements you make to this setup.

Call to Action
Try setting up your own private jumpbox with Tailscale today, and ensure your AWS VPC remains secure and accessible. Don’t forget to share your feedback and any custom configurations you come up with!

For more information and to explore additional features, visit Tailscale’s documentation.

Thank you for reading, and happy securing!

Containerize a Java Spring Boot app

Tevin Deale — Tue, 14 May 2024 17:37:24 +0000

I have reached the stage where I need to decide how to deploy my Spring Boot API. I used this opportunity to learn Docker. I started by reading their documentation to grasp the technology and its usage. I reviewed how to build a Dockerfile and all the components needed to build one. I started with an Alpine image. I had seen the name frequently during my previous research. Although I could have started with the openJDK image, the description indicated it was deprecated, so I reverted to using Alpine.

Step 1: Creating the .jar File

The first thing we need to do is run the Maven clean command in the root directory of your Spring Boot application file.

./mvnw clean

This will remove the previous target directory, which contains your class files and the application's .jar file. To regenerate this directory with the current updates, you need to run the Maven install command.

To regenerate this directory with the current updates you need to run the maven install command.

./mvnw install

After running the install command, you should now see the target directory in your file structure.

Step 2: Creating the Dockerfile

Now we can work on our Dockerfile. There are two ways to create a Dockerfile: you can use the Docker init command or create the file manually. I chose to create the file manually as I wanted to learn the manual process before using the Docker init command.

Create a file in the root directory named Dockerfile. Let's review the contents you need to put in the file.

FROM alpine:3.19.1
RUN apk update
RUN apk add openjdk21-jre
EXPOSE 8080
ARG JAR_FILE=target/RocketBank-*.jar
ADD ${JAR_FILE} app.jar
ENTRYPOINT [ "java", "-jar", "app.jar" ]

FROM: This keyword is used to specify the base image, which in our case is "alpine:3.19.1".

RUN: This keyword is used to run some preliminary commands. In our case, we need to update the package manager and then install Java 21 openJDK or whatever version you used to build your app.

EXPOSE: This keyword is used to expose port 8080 on the container.

ARG: This keyword is used to store key-value pairs. I used it to store the file path to the application .jar file. I used a wildcard (*) in the .jar filename to be able to reuse this file when I create a new version.

ADD: This keyword is used to add files from the main directory into the container directory. I am using the ARG variable that was created to retrieve the .jar file and copying it to the container with the name app.jar.

ENTRYPOINT: This is the last command that will be run to start the Spring Boot app in the container.

Step 3: Building and Running the Docker Image

Now we can run the Docker build command.

docker build  -t rocketbankapi:latest .

The -t is the tag command to name your image. The "." at the end specifies that the Dockerfile can be found in the current directory.

The output from the command should look like the following, if the build was successful.

We can verify that the image was built by running the Docker image list command.

docker image ls

We are ready to run the container. You can run the container using the Docker run command.

docker run -p 8080:8080/tcp rocketbankapi:latest .

The "-p 8080:8080/tcp" part port forwards the 8080 port on the container to the 8080 port on the host. The "rocketbankapi:latest" part is the repository name followed by the tag.

Once the Docker run command is ran. The terminal will be outputting the logs for the Spring application. These logs are just output copied from the container since we did not use a "-d" option to run the container in detached mode.

Conclusion: Ready to Launch Your Dockerized Spring Boot App

Congratulations! You've successfully containerized your Spring Boot API using Docker. By following these steps, you've gained valuable insights into Docker's workflow and how it can streamline the deployment process for your applications.

Now that your Docker image is built and ready, you're just a few commands away from launching your application into the cloud. With Docker, scalability and portability are at your fingertips, making it easier than ever to deploy your Spring Boot projects with confidence.

But this is just the beginning of your Docker journey. As you continue to explore this powerful technology, you'll discover even more ways to optimize your development workflow and streamline your deployment process.

So go ahead, run your container, and see your Spring Boot API come to life in its Dockerized environment. And remember, the possibilities are endless when you combine the power of Spring Boot with the flexibility of Docker. Happy coding!

Becoming a Cloud Developer: 5-13-24

Tevin Deale — Tue, 14 May 2024 03:29:04 +0000

Hello, my name is Tevin and I am a aspiring cloud developer. this post is latent as I have been studying software development since August 2023. I started with Python taking the Meta Back-End Professional Certification course on Coursera. I then purchased a year subscription to Codecademy where I started the full-stack developer course. I made it through the front-end part of the course. I completed a couple React projects from Frontend Mentor. By December I took on a small project from scratch and built a hangman web app. After this I took a break due to burn out and second guessing if I wanted to move forward with software development, (all the layoffs started to scare me).

By the end of January I was ready to get back on track. I chose to learn AWS after some research. I took a couple courses on AWS learning platform, and then moved to take the Solutions Architect course on a cloud guru. While taking the course I also read a book named "Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali". I am not a reader nor do I enjoy it. I enjoyed that book so that says something. By the end of Jan I had finished the Solutions Architect course from a cloud guru, and I started to take practice exams and started the Cloud Resume Project.

I finished the Resume challenge around the end of Feb. I started back studying for the Solutions Architect exam when I got a call from a recruiter for role to create export PDF templates for their app. I noticed that Java was a nice to have skill, and it has been a while since I was exposed to Java. For the next three weeks I focused on landing that role. Studying Java and completing the coding exercise. I made it to the final round and was unfortunately not selected for the role. I was devastated, because I did not know what I could have done differently to be a better candidate, but that did not stop me. I went back on the grind studying for the Solutions Architect exam. On April 7th I took the exam and passed it.

After passing the exam I needed to decide on what to do next. I started to browse for jobs but could not find any associate or junior roles where I could get my start. I did some research and found I needed to complete some projects and probably get another certification to stand out from the crowd. I chose to continue learning Java, start studying for the AWS Networking Specialty, Comptia SEC+, and LPIC 1. I feel these certifications will help push me in the right direction.

While also studying for these certifications I will be finishing up a project I started called Rocket Bank. I will explain this project in another post due to it's complexity. I started creating this application to use for deploying complex web apps to AWS for practice.

If you made it this far, THANK YOU for reading my whole post. If you have any pointers of resources for me on my journey please share them.