Sprint 2 - drewwbikk/capstone GitHub Wiki
Deliverable Statement
Sprint 2's objective is to start building the cloud-based part of the environment on AWS. It will include setting up an AWS account, creating the virtual network, deploying the instances needed, and then creating the site-to-site VPN. This will be the setup for the final two sprints: integrating and installing ADDS, and adding file services in the cloud.
Objectives
- Set up AWS Account
- Create Virtual Private Cloud (VPC), Internet Gateway (IGW), Subnets, and Route Tables
- Deploy EC2 Instances
- Create a Site-to-Site VPN for network communications.
Discrete Tasks
Link to Implementation Project Board
Link to Project Board for Sprint 2
- Set up AWS Account
- Create and configure VPC
- Create IGW
- Create and configure subnets
- Create and configure route tables
- Deploy EC2 instances for the following:
  - Windows Server (ADDS, DNS, and DHCP)
  - Basic CentOS7 (Web server)
- Create and configure site-to-site VPN
Documentation
Outcomes
Almost all initial goals of the sprint were met. I set up a normal AWS account and created the VPC, subnet, IGW, and route table necessary. I also deployed the instances I originally thought I needed (ad and web). The site-to-site VPN was successfully created, even though it was not done using AWS's built-in site-to-site VPN tools. Instead, OpenVPN Access was used, with a Linux machine on each end: one acting as the server, and one acting as the client. This created a VPN bridge and connected the two networks through a tertiary private subnet.
Reflection
This sprint did not go as planned. The VPC and instance setup wasn't too difficult, but figuring out how to make a site-to-site VPN work was intense. Part of the problem is that my on-premise network is sitting behind Champlain's and cyber.local's network. I don't have a true static WAN connection going out of the pfSense router. Therefore, my intended method of using AWS's services didn't work. AWS was trying to connect to a public IP going out of Champlain, so the connection could never be established. This is one of the most important parts of this whole capstone project for me: the actual connection between two networks, specifically one in a public cloud. I was worried I wouldn't be able to establish a connection between both. In a project last year, my partner and I used OpenVPN to create a simpler VPN connection for me to access his home server while working on the project. So, I wondered if I could use OpenVPN to create a site-to-site VPN with a client (on-premise) that could initiate the connection to an elastic IP in AWS. It wasn't working. I could only reach AWS from on-premise. AWS could not reach on-prem. I thought it was the same issue as when I tried using AWS's site-to-site VPN, and I thought all hope was lost. However, after combing through some old labs I did from SYS-360 (Cloud Admin and Deployment), I saw how we created a NAT instance. There was a configuration in the network settings of the instance that was imperative for NAT to work. Once I found that and enabled it, after a little more tweaking of the settings, I was finally able to get a fully functional site-to-site connection between the networks.
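As an added example (not from this wiki or the capstone project), the AWS side of the OpenVPN site-to-site setup described in the Outcomes and Reflection, written as Terraform. It assumes the VPC, public subnet and route table from the earlier tasks already exist and are passed in as variables, an invented on-premises prefix of 192.168.1.0/24, and that the NAT-instance "network setting" the reflection mentions is the EC2 source/destination check.

```hcl
# Assumptions (not from the wiki): the VPC, public subnet and its route table
# already exist from the earlier sprint tasks; the on-premises LAN is 192.168.1.0/24.
variable "vpc_id" { type = string }
variable "public_subnet_id" { type = string }
variable "public_route_table_id" { type = string }
variable "vpn_ami" { type = string }          # Linux AMI for the OpenVPN server
variable "onprem_egress_ip" { type = string } # campus public address the client dials out from
locals { onprem_cidr = "192.168.1.0/24" }

# Inbound: only the OpenVPN tunnel port, only from the on-premises egress address.
# Outbound left open here; narrow it to the VPC prefix once the tunnel is proven.
resource "aws_security_group" "vpn" {
  vpc_id = var.vpc_id
  ingress {
    from_port   = 1194
    to_port     = 1194
    protocol    = "udp"
    cidr_blocks = ["${var.onprem_egress_ip}/32"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The server forwards packets on behalf of other hosts, so the EC2 source/destination
# check must be off or AWS drops return traffic addressed to on-premises hosts.
# Assumption: this is the NAT-instance setting the reflection describes.
resource "aws_instance" "vpn" {
  ami                    = var.vpn_ami
  instance_type          = "t3.micro"
  subnet_id              = var.public_subnet_id
  vpc_security_group_ids = [aws_security_group.vpn.id]
  source_dest_check      = false
}

# Elastic IP the on-premises client dials; the client initiates, so no inbound path to campus is needed.
resource "aws_eip" "vpn" {
  domain   = "vpc"
  instance = aws_instance.vpn.id
}

# Route the on-premises prefix to the VPN instance so AWS hosts can reach on-prem.
resource "aws_route" "to_onprem" {
  route_table_id         = var.public_route_table_id
  destination_cidr_block = local.onprem_cidr
  network_interface_id   = aws_instance.vpn.primary_network_interface_id
}
```

The OpenVPN configuration itself (server-pushed routes, IP forwarding on both Linux boxes, and a static route on pfSense for the VPC prefix via the client box) is outside this fragment; without the `aws_route` and `source_dest_check = false` pair, the one-way reachability described in the reflection is exactly what you get.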