Accessing the Network

Lastly, configure the VPN. The VPN will be provisioned in the network account and will leverage Transit Gateway to connect various VPCs to the VPN client. VPN deployment consists of three parts: authentication, component deployment, and client setup.

1 Set up authentication

First, set up authentication.

• We recommend using AWS IAM Identity Center to authenticate users.
• Follow only the first section included in the linked AWS blog, Create and configure the Client VPN SAML applications in AWS IAM Identity Center, through downloading the AWS IAM Identity Center SAML metadata.
• Save that file under the ec2-client-vpn component (components/terraform/ec2-client-vpn) as "aws-sso-saml-app.xml". This should match the given document name for saml_metadata_document in the ec2-client-vpn stack catalog (stacks/catalog/ec2-client-vpn.yaml)

2 Deploy the VPN

Next, deploy the ec2-client-vpn component. This is done by running the following:

Commands

These are the commands included in the deploy/vpn workflow in the examples/snippets/stacks/workflows/network.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow deploy/vpn -f network 

Depending on the given network configuration, you may run out of available Client VPN routes.

That error will look something like this:

╷
│ Error: error creating EC2 Client VPN Route (cvpn-endpoint-0b7487fc0043a3df0,subnet-0b88f999578fd2340,10.101.96.0/19): ClientVpnRouteLimitExceeded: Limit exceeded
│       status code: 400, request id: 779f977b-2b31-490a-a4b1-2c8cb1da068d
│
│   with module.ec2_client_vpn.aws_ec2_client_vpn_route.default[40],
│   on .terraform/modules/ec2_client_vpn/main.tf line 245, in resource "aws_ec2_client_vpn_route" "default":
│  245: resource "aws_ec2_client_vpn_route" "default" {
│

If this happens, you'll need to increase the number of routes allowed for the Client VPN endpoint. That said, you should already have a quota increase request ready for this in stacks/orgs/acme/core/network/global-region/baseline.yaml. You can apply that quota using atmos terraform apply account-quotas -s core-gbl-network.

3 Download & Install VPN Client

• Finally, set up the AWS VPN Client to access the VPN.
• Download the AWS VPN Client and or install it by running brew install aws-client-vpn in a regular terminal. Follow the AWS Documentation to complete the VPN setup.

4 Configure VPN Client

The Atmos Workflow deploy/vpn creates a local VPN configuration as acme-core.ovpn (rootfs/etc/aws-config/acme-core.ovpn) located in the aws-config dir of rootfs/.

If it doesn't exist, create this file using the client_configuration output of the ec2-client-vpn component, and commit it to the repo under rootfs/etc/aws-config/acme-core.ovpn for future reference.

atmos terraform output ec2-client-vpn -s core-use1-network

5 Connect to VPN

Once you configure the AWS VPN Client, set the file as the config and connect. From there you should be able to access resources on any subnet in the VPCs you've provisioned.

Optional: Bastion hosts

If you'd like to set up bastion hosts, you can do so by running the following. This would let you further evaluate the VPN.

Commands

These are the commands included in the deploy/bastion workflow in the examples/snippets/stacks/workflows/network.yaml file:

No commands found

Too many commands? Consider using the Atmos workflow! 🚀

Atmos Workflow

Run the following from your Geodesic shell using the Atmos workflow:

atmos workflow deploy/bastion -f network 

By default, we deploy the bastion to all accounts connected to Transit Gateway.