Wednesday, May 31, 2023
BeyondCorp Enterprise (BCE) GCP Juara GCP

Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE)

using

“Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE)”

Pengantar

Di lab ini, Anda akan diberi Google Cloud Project dan akun Amazon Web Services. Anda akan memanfaatkan fitur BeyondCorp Enterprise (BCE) untuk mengamankan aplikasi yang berjalan di kedua cloud.

Praktikum

Create GCP Cloud Router

  • Open the GCP console and go to NETWORKING > Hybrid connectivity > Cloud routers > Create router
  • Ikuti konfigurasi berikut
Name: cloud-router
Network: default
Region: us-central1(lowa)
Google ASN value: 65001

Select Advertise all subnets visible to the Cloud Router in order to expose     your subnets to BGP routing and to AWS router.
  • Klik Create

Create GCP Cloud HA VPN gateway

  • Buka NETWORKING > Hybrid connectivity > VPN > Create VPN Connection
  • Select High-availability (HA) VPN then click Continue.
  • Tambahkan konfigurasi berikut
    VPN Gateway Name: ha-vpn

    Network: default

    Region: us-central1(lowa)
  • Click Create & Continue

Create the AWS Customer Gateway

  • Buka VPC > Virtual Private Network (VPN) > Customer Gateways > Create Customer Gateway
Name tag: gcp
BGP ASN: 65001
IP address: Enter the IP address from interface 0 from the "ha-vpn" in the GCP project
  • Click Create customer gateway

Create the AWS Virtual private gateway

  • Buka VPC > Virtual Private Network (VPN) > Virtual Private Gateways > Create Virtual Private Gateway
    Name tag: vpn
    Select Custom ASN and set: 65002
  • Click Create Virtual Private Gateway
  • After the Virtual Private gateway has been created, select the Virtual Private gateway and go to actions and Attach to VPC. Then select the Default VPC.
  • Click Attach to VPC

Create AWS Site-to-site VPN Connection

  • Buka VPC > Virtual Private Network (VPN) > Site-to-site VPN Connections > Create VPN Connection
Name tag: gcp
Target gateway type: Virtual private gateway
Virtual private gateway: {{Select the virtual private gateway you created previously}}
Customer gateway: Existing
Customer gateway ID: {{Select the customer gateway created previously}}
Routing options: Dynamic
  • Leave the default values for the rest of the inputs and click Create VPN connection
  • After the Site-to-site VPN connection is created, select the VPN connection and click on the download configuration.
Vendor: Cisco Systems, Inc.
Platform: ASA 5500 Series
Software: ASA 9.7+ VTI
IKE version: ikev1
  • Click Download

Tunnels Configuration

  • he first Outside IP address will be used to create the peer VPN gateway in GCP
  • When configuring the BGP session we will be using the Inside tunnel subnet values
Calculating Cloud Router IP - GCP link:
Take the Inside tunnel subnet IP address + 2
Calculating BGP Peer IP - AWS link:
Take the Inside tunnel subnet IP address + 1

Create GCP Cloud VPN tunnels

  • Buka NETWORKING > Hybrid connectivity > VPN > Peer VPN Gateways > Create Peer VPN Gateway
Name: aws-vpn
Interfaces: One interface
Interface 0 IP address: Enter the Outside IP address from Tunnel 1 from your AWS site-to-site connections
  • Click Create
  • Navigate to Cloud VPN Tunnels tab, then click Create VPN Tunnel
PN gateway: ha-vpn
Peer VPN gateway: aws-vpn
Cloud Router: cloud-router
Associated peer VPN gateway interface: outside IP of tunnel 1 (and tunnel 2 for when you set up the second VPN tunnel)
Set a Name of your choice.
IKE version: IKEv1
Set IKE pre-shared key to what you copied earlier from the configuration txt file.
  • Click Create and continue
  • When creating the BGP session
Enter a name for your BGP session
Peer ASN: 65002
Allocate BGP IPv4 address: Select Manually
Cloud Router BGP IP: GCP link of tunnel1, which you calculated earlier
BGP Peer IP: AWS link of tunnel1, which you calculated earlier
Click Save & Continue.
Click SAVE BGP CONFIGURATION.

Enable Route Propagation in AWS Route Table

  • Buka VPC > Route tables
  • Select the Route table of the VPC (Default)
  • Click on the Route Propagation tab then click Edit route propagation
  • Click Save

Test the connectivity

Creating instance in AWS

  • click Launch Instance to create the EC2 VM
  • Under Network settings enable the following
Allow HTTPs traffic from the internet
Allow HTTP traffic from the internet
  • Click on the Edit icon in the top right of the Networking Settings sections and add the following custom security group. Click add security group rule
Type: Custom TCP
Port range: 8080
Source type: Custom
Source: 0.0.0.0/0
  • Click Launch instance
  • After the EC2 instance is created, click on View all instances and select the instance you created to view its details. Copy the Public IPv4 DNS.

Connect to your AWS instance

  • After the EC2 instance is created, open Cloud Shell in your Google Cloud Platform project, Upload the key (ec2.pem file) to your local Cloud Shell session running in GCP. You can do this by selecting the three dot menu at the top right of Cloud Shell and selecting Upload. You will be prompted to upload a file or folder in the resulting modal input box. Upload your ec2.pem file then proceed.
  • Run this command to ensure your key is not publicly viewable
chmod 400 ec2.pem
  • In Cloud Shell, connect to your instance using its Public DNS. Remember to replace the Public DNS below with the one you copied previously
ssh -i "ec2.pem" ec2-user@ec2-18-215-177-176.compute-1.amazonaws.com
sudo yum update
sudo yum install nc

Creating instance in GCP

  • In your Google Cloud Project, navigate to Compute Engine > VM instances > CREATE INSTANCE to create a Compute Engine instance with the following configuration
Name: my-gcp-vm
Region: us-central1
Zone: us-central1-a
  • Under Firewall Allow HTTP traffic. Then click Create to create your instance
  • Once your instance is created, click SSH to connect to your instance
  • Run the following command to install netcat. Hit enter if prompted to confirm
sudo apt-get install netcat

Netcat from GCP to AWS

  • In your Cloud Shell session connected to your AWS EC2 instance run the following command to listen on port 8080 using netcat
nc -l -p 8080
  • Run the following command from your GCP VM ssh session to send a message to your AWS instance
echo "Hello from GCP" | nc {replace with IP from AWS} 8080

Run a web server on the EC2 instance (Link)

  • Press CTRL+C to stop listening to port 8080.
sudo yum update -y
sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
sudo yum install -y httpd
sudo systemctl start httpd
{{http://ec2-34-224-68-83.compute-1.amazonaws.com/}}
  • open URL

Create an OAuth Consent Screen

  • Open the GCP Console and go to APIs & Services > OAuth consent screen.
  • Select the user type Internal, then click Create
  • Create an OAuth Consent Screen with the following properties

Create Self-Signed Certificate and OAuth Client

  • Create a private key and certificate
openssl genrsa -out PRIVATE_KEY_FILE 2048
touch ssl_config
[req]
default_bits              = 2048
req_extensions            = extension_requirements
distinguished_name        = dn_requirements
prompt = no
[extension_requirements]
basicConstraints          = CA:FALSE
keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment
[dn_requirements]
countryName               = US
stateOrProvinceName       = CA
localityName              = Mountain View
0.organizationName        = Cloud
organizationalUnitName    = Example
commonName                = Test
openssl req -new -key PRIVATE_KEY_FILE \
 -out CSR_FILE \
 -config ssl_config

Using a Self-Signed Certificate

openssl x509 -req \
 -signkey PRIVATE_KEY_FILE \
 -in CSR_FILE \
 -out CERTIFICATE_FILE.pem \
 -extfile ssl_config \
 -extensions extension_requirements \
 -days 365

Create a self-managed SSL certificate resource

gcloud compute ssl-certificates create my-cert \
 --certificate=CERTIFICATE_FILE.pem \
 --private-key=PRIVATE_KEY_FILE \
 --global

Creating an IAP connector deployment

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com --role=roles/owner
gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER@cloudservices.gserviceaccount.com --role=roles/owner
  • Go to Security > Identity-Aware Proxy. Enable the API then click Go To Identity-Aware Proxy
  • Click CONNECT NEW APPLICATION > Connect via On-Prem Connector to configure your IAP connector
Click Enable APIs and Continue
Select the User generated certificate
Select certificate you created: my-cert
Select the default network and leave Subnet unselected.
  • on the next page, “On-premises App Details”, configure your app like below
External facing application URL: {{IPV4 Public IPv4 DNS}}
Application name: demo-app
Region: us-central1
On-prem endpoint type: Fully Qualified Domain Name (FQDN)
  • Replace the following with your public IPV4 Public IPv4 DNS
FQDN endpoint: {{IPV4 Public IPv4 DNS}}
Protocol: HTTP
Port: 80
  • Click Done and then Submit
  • After seeing the error warning sign in the status component:
Toggle IAP for the load balancer
Then turn it on

Penutup

Sahabat Blog Learning & Doing demikianlah penjelasan mengenai Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE). Semoga Bermanfaat . Sampai ketemu lagi di postingan berikut nya.

(Visited 40 times, 1 visits today)
Baca Juga :  Cloud CDN

Similar Posts