VPN access for Compose Enterprise on AWS

In our previous articles, we've looked at Compose Enterprise and how you can configure systems inside the confines of the AWS VPC (Amazon Web Services Virtual Private Cloud) and subnets and connect to them via SSH to configure application servers. There is one scenario we haven't touched on, and thats connecting your desktop browser to the databases which have web front ends (RethinkDB, RabbitMQ).

That requires a secure connection to be established between the Compose Cluster and the client system and the way we do that is by using a VPN. A VPN manages an encrypted, authenticated channel for traffic from the client routing it into a subnet on the VPC so that it appears that the client is within the VPC.

Enter OpenVPN

There's various VPN applications available, but for simplicity, we're going to talk about the OpenVPN Access Server which has a two user test license which is ideal for testing. There are two ways to setup the OpenVPN Access Server. If you have experience configuring AWS appliances, then the OpenVPN guide covers all the steps to creating an OpenVPN AS.

For the less experienced, the other way is to use the OpenVPN Access Server which is available as an AMI in the AWS Marketplace. You can find the information page there and launch your instance from there. There's less initial questions asked with the 1 Click Launch and more configuration done for you, compared with the manual configuration option.

OpenVPN AS in the marketplace

For whichever method chosen, you'll want to put your new VPN instance into the public subnet of your VPC. You'll be responsible for configuring the security group for the OpenVPN service; by default it'll be created as accessible by all.

The 1-Click-Launch route will get the instance configured and launched, but you'll want to refer to the OpenVPN guide at this point too.

Setting up OpenVPN

The section on "Connecting to your new AMI" covers the OpenVPN specific parts of the configuration process. In brief, you have to SSH in using your VPC key pair as user "openvpnas".

This will run a setup wizard which takes a set of initial setup decisions. You should be able to accept most of the defaults: it will be your primary access server node and you'll only want the admin web UI available to eth0 and on port 943 with the TCP port on 443. You don't want to route all client traffic through the VPN, but you do want DNS traffic to go through so you can address your Compose cluster hosts by name.

You'll probably want to use local authentication, you'll want private subnets to be accessible, and to keep things simple, login as openvpn to the admin UI. You won't have a license yet, so hit return when asked and the system will go and configure itself. At the end of the process, it'll give you URLs for the admin and client UIs. You'll need to set a password for the openvpn user by running sudo passwd openvpn.

Giving access

This should cover most of the configuration, but there's one important part we still need to do. We actually covered it in our previous article; setting the security group for the VPN instance. As it stands, we've configured outside access but no internal access to the various hosts in the cluster. Short version; in the Amazon EC2 instance view, we need to add theComposeEnterpriseAccess group to our OpenVPN instance's security groups. It's covered, step by step, under "Security Groups" in the Plugging into Compose Enterprise Databases article.

Creating a VPN

You will now be able to connect to the URL for the admin UI and log in with the openvpn user and the password you just created. Log in to check everything is working. The next stop will be creating a VPN connection that uses the OpenVPN gateway.

For this, use the client URL you got previously and use your web browser to connect. Set the drop down to "login" and then log in with the "openvpn" user and credentials. It'll then offer you a selection of OpenVPN Connect clients for various platforms and downloadable profiles to use with VPN clients. If you already have OpenVPN compatible software installed you can just download and import a profile into that. If not, you can download one of the clients, set it up and then import the appropriate profile into it. For example, we use Viscosity on Mac OS X at Compose and that just lets us download and import a profile.

Once configured, you can tell the VPN client to connect and it'll ask you for the username and password the profile is for. Once connected, you'll be able to use the connect strings and admin strings for all the Compose databases as if you were inside the VPC and had permission to access the Compose Enterprise cluster hosts.

Next Steps

Your next steps should, at least, be to:

This should get you going providing secure external access to your secured Compose Enterprise cluster. There are, of course, other VPN servers and clients available.