Question
I understand that a VPC Amazon instance has the ability to create VPN connections but at a cost of $.05 per hour. Is it possible to create your own VPN on an instance and then route your other instance through this VPN? It seems like it would be more cost efficient? What are the pros/cons?
Answer 1:
I understand that a VPC Amazon instance has the ability...
To clarify, your virtual environment in Amazon VPC is typically referred to as "a VPC," not "a VPC instance." A "VPC instance" typically refers to an EC2 instance that is provisioned inside a VPC.
A fixed VPN connection can be provisioned from Amazon VPC to a hardware device at your location, and this incurs the $0.05/hour charge (essentially $37.20/mo) you mentioned. This fee is charged for as long as the connection is provisioned on the AWS side, whether it is properly configured on your side, and working, or not... because what you are paying for is the use of Amazon's hardware to accommodate the VPN.
To me, this seems like a ridiculously good deal, because my VPC VPN connections -- once established -- pretty much "just work," and if the underlying hardware fails, it seems a reasonable assumption that AWS's proactive monitoring will detect that condition and the hardware would be replaced with no real effort required from me.
But, yes, it's entirely possible to provision a VPN with EC2 instances, but to have a similar level of resiliency compared to what you have if you use the native solution, you would need at least 2 EC2 instances, for failover.
This Amazon article explains how to connect two different VPCs to each other via a VPN using EC2 machines -- since this is not something the native solution supports -- but it does not take much imagination at all to understand how you could use exactly the same logic to tie your corporate network into a VPC with a very comparable design to what's shown here.
The only thing, though, is that the $0.05/hour is cheaper than the price of an on-demand "m1.small" instance, at $0.06/hour, so unless you wanted to prepay for more discounts or try to use "micro" instances to connect your networks together, the native solution provided by VPC seems like a no-brainer.
Understand, though, that the native solution (that is, the VPN service offered by AWS as part of VPC) is only for fixed site-to-site (your-site-to-AWS) connections... it has nothing to do with remote users tunneling into your VPC. For ad-hoc on-demand connections that provide individual users with the ability to tunnel into your VPC, you'd need to roll your own solution.
Answer 2:
It's possible; just install OpenVPN on your NAT instance. For example, have a look at this article:
- Amazon AWS VPC Setting up OpenVPN server
Create an Ubuntu instance
This instance will serve as the OpenVPN server. I am using Ubuntu 12.04 LTS
Set up a VPC security group
Before I can create this instance I need to create a new VPC security group for it. From the VPN console open Security Groups and click on Create Security Group. Name it openvpn and associate it with your VPC, then click Create. Select the Details tab and make note of the group ID; in this case it's sg-cd7c94a2. Select the Inbound tab, select the SSH rule and click Add Rule. Select Custom UDP rule, set the port range to 1194 for OpenVPN and click Add Rule. Select Custom TCP rule, enter 943 for the port range and click Add Rule. Select Custom TCP rule, enter 946 for the port range and click Add Rule. Select HTTPS and click Add Rule. Click Apply Rule Changes. Here are the security rules. Select Subnets and copy the ID of the public subnet; in my case it's subnet-4c657627.
Start the instance
Now start the instance:
> ec2-run-instances ami-9c78c0f5 -b /dev/sda1=:8:true -k pats-keypair -t t1.micro -s subnet-4c657627 -g sg-cd7c94a2 --private-ip-address 10.0.0.99 --availability-zone us-east-1a
Change Source/Dest Check
From the EC2 console select the newly made instance, right click and select "Change Source / Dest Check". Click Yes, Disable.
Give it an elastic IP
From the VPC console select Elastic IPs and click Allocate New Address. Make sure it's set to VPC and click Yes, Allocate. Click on Associate Address, select the instance that was just created and click on Yes, Associate.
SSH into the new instance
To confirm it's up and running, SSH into this box:
> ssh -i .ec2/pats-keypair.pem ubuntu@107.23.79.220
Install OpenVPN
You need to download the OpenVPN software from openvpn.net. This version of the software is free to use for two users; otherwise it costs $5 per user per year, but requires a minimum of 10 users, so $50 per year, which is not a bad deal. https://openvpn.net/index.php/access-server/pricing.html
From the OpenVPN machine run the following commands:
> wget https://swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10.amd_64.deb
> sudo dpkg -i openvpn-as-1.8.4-Ubuntu10.amd_64.deb
After the install is done you will see the admin web interface address displayed. The admin needs a password for the openvpn user; run the following command to set it:
> sudo passwd openvpn
I just set mine to adminpass for test purposes.
Configure OpenVPN
Open up the OpenVPN admin web page at https://107.23.79.220:943/admin
Of course, enter your static IP address for it. You will see something like this; click on Proceed Anyway. The admin login page will now display. Enter the user name openvpn and the password you assigned to that user, then click Sign In. Click Agree for the license terms. Click on Server Network Settings. Enter the Elastic IP address in the hostname field. Scroll to the bottom of the page and click Save Settings.
Click Update Running Server
Click on VPN settings
Scroll down to the routing section and add all your subnets to this section. I only have 2 subnets: 10.0.0.0/24 and 10.0.1.0/24.
Scroll down and click Save Settings. Click on Update Running Server.
Set up Client machine
Open up https://107.23.79.220/ in a web browser (change the IP address for your own).
Login as the openvpn user and click Go. Click on "Click here to continue". This will download the software you need to your system to connect to this VPN.
Install the software; on a Windows machine you can right click on the download and click Open, then click Run. This window should pop up; click Yes to create the tunnel. The web site should now report that it is up. To test this out I am going to attempt to SSH into my instances. I have the following instances:
10.0.0.20
10.0.1.30
10.0.0.25 NAT from aws
10.0.0.99
Test Connection
From my Cygwin command line:
ssh -i .ec2/pats-keypair.pem ubuntu@10.0.0.20
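As an added defender's check (example code, not from the answer or the linked article): audit the resulting security group against the rule set the walkthrough creates, flagging missing ports, unexpected ports, and management ports (SSH, the Access Server admin UI) exposed to the whole Internet. The JSON below is constructed to mimic the shape of `aws ec2 describe-security-groups` output; the group ID is the one from the walkthrough.

```python
import json

# Ports the walkthrough opens on the "openvpn" group: SSH, OpenVPN UDP,
# Access Server admin/client web UI (943, 946) and HTTPS (443).
EXPECTED = {("tcp", 22), ("udp", 1194), ("tcp", 943), ("tcp", 946), ("tcp", 443)}
# Management ports that should only be reachable from an admin CIDR.
ADMIN_PORTS = {("tcp", 22), ("tcp", 943)}

# Constructed sample (assumed shape of describe-security-groups output):
# SSH is open to the world and port 946 from the walkthrough is missing.
SAMPLE = json.dumps({"SecurityGroups": [{"GroupId": "sg-cd7c94a2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 943, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]})


def audit(describe_json):
    """Return (missing, unexpected, world_open_admin) for the first group."""
    group = json.loads(describe_json)["SecurityGroups"][0]
    opened, unexpected, world_admin = set(), set(), set()
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        # "-1" (all traffic) or a missing port field is a wildcard rule,
        # which is never part of this layout.
        if proto == "-1" or "FromPort" not in perm:
            unexpected.add((proto, "all"))
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if hi - lo > 1024:  # a broad range is itself a finding
            unexpected.add((proto, "%d-%d" % (lo, hi)))
            continue
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        for port in range(lo, hi + 1):
            key = (proto, port)
            opened.add(key)
            if key not in EXPECTED:
                unexpected.add(key)
            if key in ADMIN_PORTS and "0.0.0.0/0" in cidrs:
                world_admin.add(key)
    return EXPECTED - opened, unexpected, world_admin


if __name__ == "__main__":
    missing, unexpected, world_admin = audit(SAMPLE)
    print("missing:", missing)
    print("unexpected:", unexpected)
    print("admin ports open to 0.0.0.0/0:", world_admin)
```

Pipe real `aws ec2 describe-security-groups --group-ids sg-...` output into `audit` to check a live group the same way.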
Source: https://stackoverflow.com/questions/19960999/how-to-create-your-own-vpn-on-an-instance-and-route-your-other-instance-through