들어가기 전에..
앞서 AWS Client VPN 게시글에서 AWS OpenVPN 관리형서비스 구축방법을 설명드렸습니다.
이번에는 세부 제어가 가능한 OpenVPN Access Server에 대해서 설명드리겠습니다.
우선 대략적인 비용을 살펴보면 아래와 같습니다.
| AWS Client VPN(관리형) | 월비용 | OpenVPN Access Server | 월비용 | ||
| 엔드포인트 시간($0.1) :1개 | $73.00 | EC2 요금(t3.small) | $18.98 | ||
| 연결 시간($0.05) : 900시간 | $45.00 | 라이선스 5명 | $51.10 | ||
| 연결 시간($0.05) : 1800시간 | $90.00 | 라이선스 10명 | $73.00 | ||
결론. OpenVPN Access Server 승
| AWS Client VPN(관리형) | 월비용 | Openvpn Access Server | 월비용 | 비용 차이 | ||
| 기본 비용 + 연결시간 만큼 비용 지불 ( 20일 9시간 사용기준 ) | 5명 | $118.00 | 사용여부와 상관없이 지불 ( t3.small 서버 기준 ) | 5명 | $70.08 | $47.92 |
| 10명 | $163.00 | 10명 | $91.98 | $71.02 | ||
[ OpenVPN Access Server 특징]
1. WEB UI 제공
– UI를 통한 손쉬운 사용자 추가/삭제
– 사용자별 암호관리(사용자가 직접 암호변경 가능)
– 사용자별 서버 접근제어 가능
– 그룹을 지정하여 서버 접근제어 가능
– 로그 조회 및 내역 다운로드(CSV)
– 사용자 페이지에서 Client 프로그램 및 접속key 다운로드 가능
2. 비용절감
– 기존 ClientVPN 대비 최소 월 $48 절감 효과
3. 단점
– 라이선스 체계가 동시접속 기준으로 발급
– 서버관리 필요
– 이중화(Cluster) 구성하려면 추가 비용 발생
1. 목표 구성도
1.1 기본 VPC 삭제
1.2 키페어 생성
1.4 자원 생성
가. VPC :
– DEV-VPC: 10.10.0.0/16
나. 서브넷 :
– DEV-Public-Subnet-AZ1 : 10.10.1.0/24
– DEV-Public-Subnet-AZ3 : 10.10.3.0/24
– DEV-Private-Subnet-AZ1 : 10.10.11.0/24
– DEV-Private-Subnet-AZ3 : 10.10.13.0/24
– DEV-DB-Subnet-AZ1 : 10.10.21.0/24
– DEV-DB-Subnet-AZ3 : 10.10.23.0/24
다. 인터넷 GW
– DEV-IGW
라. 라우팅테이블 :
– DEV-Public-Routes
– DEV-Private-Routes
– DEV-DB-Routes
마. 보안그룹 :
– DEV-Public-Security-Group : Port 22, 80, 443, 943, 1194(udp)
– DEV-Private-Security-Group : Port 22, 1194(udp)
– DEV-DB-Security-Group : Port 3306
## =================== VERSION ===================
AWSTemplateFormatVersion: “2010-09-09”
## =================== DESCRIPTION ===================
Description: >–
AWS CloudFormation sample template
Create an IAM User and optionally attach it to IAM group(s)
AWS doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html
## =================== PARAMETERS ===================
Parameters:
1Stage:
Description: DEV, STG, PRD
Type: String
Default: “DEV”
AllowedPattern: “[a-zA-Z0-9]*”
ConstraintDescription: “DEV, STG, PRD”
2VpcCIDR:
Description: Please enter the IP range (CIDR notation) for this VPC
Type: String
Default: 10.10.0.0/16
3PublicSubnet1CIDR:
Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
Type: String
Default: 10.10.1.0/24
3PublicSubnet3CIDR:
Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone
Type: String
Default: 10.10.3.0/24
4PrivateSubnet1CIDR:
Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
Type: String
Default: 10.10.11.0/24
4PrivateSubnet3CIDR:
Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone
Type: String
Default: 10.10.13.0/24
5DBSubnet1CIDR:
Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
Type: String
Default: 10.10.21.0/24
5DBSubnet3CIDR:
Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone
Type: String
Default: 10.10.23.0/24
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. Linked to AWS Parameter
Type: AWS::EC2::KeyPair::KeyName
Default: DEV-KeyPair # PRD
ConstraintDescription: must be the name of an existing EC2 KeyPair.
## =================== RESOURCES ===================
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref 2VpcCIDR
EnableDnsSupport: true
EnableDnsHostnames: true
Tags:
– Key: Name
Value: !Sub “${1Stage}-VPC”
– Key: 1Stage
Value: !Ref 1Stage
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
– Key: Name
Value: !Sub “${1Stage}-IGW”
– Key: 1Stage
Value: !Ref 1Stage
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
PublicSubnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: ap-northeast-2a
CidrBlock: !Ref 3PublicSubnet1CIDR
MapPublicIpOnLaunch: true
Tags:
– Key: Name
Value: !Sub “${1Stage}-Public-Subnet-AZ1”
– Key: 1Stage
Value: !Ref 1Stage
PublicSubnet3:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: ap-northeast-2c
CidrBlock: !Ref 3PublicSubnet3CIDR
MapPublicIpOnLaunch: true
Tags:
– Key: Name
Value: !Sub “${1Stage}-Public-Subnet-AZ3”
– Key: 1Stage
Value: !Ref 1Stage
PrivateSubnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: ap-northeast-2a
CidrBlock: !Ref 4PrivateSubnet1CIDR
MapPublicIpOnLaunch: false
Tags:
– Key: Name
Value: !Sub “${1Stage}-Private-Subnet-AZ1”
– Key: 1Stage
Value: !Ref 1Stage
PrivateSubnet3:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: ap-northeast-2c
CidrBlock: !Ref 4PrivateSubnet3CIDR
MapPublicIpOnLaunch: false
Tags:
– Key: Name
Value: !Sub “${1Stage}-Private-Subnet-AZ3”
– Key: 1Stage
Value: !Ref 1Stage
DBSubnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: ap-northeast-2a
CidrBlock: !Ref 5DBSubnet1CIDR
MapPublicIpOnLaunch: true
Tags:
– Key: Name
Value: !Sub “${1Stage}-DB-Subnet-AZ1”
– Key: 1Stage
Value: !Ref 1Stage
DBSubnet3:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: ap-northeast-2c
CidrBlock: !Ref 5DBSubnet3CIDR
MapPublicIpOnLaunch: true
Tags:
– Key: Name
Value: !Sub “${1Stage}-DB-Subnet-AZ3”
– Key: 1Stage
Value: !Ref 1Stage
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
– Key: Name
Value: !Sub “${1Stage}-Public-Routes”
– Key: 1Stage
Value: !Ref 1Stage
PrivateRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
– Key: Name
Value: !Sub “${1Stage}-Private-Routes”
– Key: 1Stage
Value: !Ref 1Stage
DBRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
– Key: Name
Value: !Sub “${1Stage}-DB-Routes”
– Key: 1Stage
Value: !Ref 1Stage
DefaultPublicRoute:
Type: AWS::EC2::Route
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
DefaultDBRoute:
Type: AWS::EC2::Route
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref DBRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
PublicSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet1
PublicSubnet3RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet3
PrivateSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PrivateRouteTable
SubnetId: !Ref PrivateSubnet1
PrivateSubnet3RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PrivateRouteTable
SubnetId: !Ref PrivateSubnet3
DBSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref DBRouteTable
SubnetId: !Ref DBSubnet1
DBSubnet3RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref DBRouteTable
SubnetId: !Ref DBSubnet3
PublicSecurityGroup:
Type: ‘AWS::EC2::SecurityGroup’
Properties:
GroupName: !Sub “${1Stage}-Public-Security-Group”
GroupDescription: Enable SSH
VpcId: !Ref VPC
SecurityGroupIngress:
– IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Description: SSH Service
– IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Description: HTTP Service
– IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
Description: HTTPS Service
– IpProtocol: tcp
FromPort: 943
ToPort: 943
CidrIp: 0.0.0.0/0
Description: OpenVPN-Admin Web UI
– IpProtocol: udp
FromPort: 1194
ToPort: 1194
CidrIp: 0.0.0.0/0
Description: OpenVPN-Client Connect
Tags:
– Key: Name
Value: !Sub “${1Stage}-Public-Security-Group”
– Key: 1Stage
Value: !Ref 1Stage
PrivateSecurityGroup:
Type: ‘AWS::EC2::SecurityGroup’
Properties:
GroupName: !Sub “${1Stage}-Private-Security-Group”
GroupDescription: Enable SSH
VpcId: !Ref VPC
SecurityGroupIngress:
– IpProtocol: tcp
FromPort: ’22’
ToPort: ’22’
CidrIp: 0.0.0.0/0
Description: SSH Service
Tags:
– Key: Name
Value: !Sub “${1Stage}-Private-Security-Group”
– Key: 1Stage
Value: !Ref 1Stage
DBSecurityGroup:
Type: ‘AWS::EC2::SecurityGroup’
Properties:
GroupName: !Sub “${1Stage}-DB-Security-Group”
GroupDescription: Enable Mysql
VpcId: !Ref VPC
SecurityGroupIngress:
– IpProtocol: tcp
FromPort: ‘3306’
ToPort: ‘3306’
CidrIp: 0.0.0.0/0
Tags:
– Key: Name
Value: !Sub “${1Stage}-DB-Security-Group”
– Key: 1Stage
Value: !Ref 1Stage
## =================== Outputs ===================
Outputs:
VPC:
Description: A reference to the created VPC
Value: !Ref VPC
PublicSubnets:
Description: A list of the public subnets
Value: !Join [ “,”, [ !Ref PublicSubnet1, !Ref PublicSubnet3 ]]
PrivateSubnets:
Description: A list of the private subnets
Value: !Join [ “,”, [ !Ref PrivateSubnet1, !Ref PrivateSubnet3 ]]
DBSubnets:
Description: A list of the DB subnets
Value: !Join [ “,”, [ !Ref DBSubnet1, !Ref DBSubnet3 ]]
PublicSubnet1:
Description: A reference to the public subnet in the 1st Availability Zone
Value: !Ref PublicSubnet1
PublicSubnet3:
Description: A reference to the public subnet in the 3st Availability Zone
Value: !Ref PublicSubnet3
PrivateSubnet1:
Description: A reference to the public subnet in the 1st Availability Zone
Value: !Ref PrivateSubnet1
PrivateSubnet3:
Description: A reference to the public subnet in the 3st Availability Zone
Value: !Ref PrivateSubnet3
PublicSecurityGroup:
Description: Security group with no ingress rule
Value: !Ref PublicSecurityGroup
PrivateSecurityGroup:
Description: Security group with no ingress rule
Value: !Ref PrivateSecurityGroup
위에 자원생성 코드를 텍스트 파일 형태로 저장하고, 이파일을 업로드 합니다.
나머지는 기본값으로 둔채로 “다음” 최종 내역 확인 후 스택을 생성합니다.
아래와 같이 정상 생성 되어야 합니다.