Learning & Doing

Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE)


Introduction

In this lab you are given a Google Cloud project and an Amazon Web Services account. You will use BeyondCorp Enterprise (BCE) features to secure an application that runs across both clouds: a site-to-site VPN with BGP joins the two networks, and Identity-Aware Proxy (IAP) with an IAP connector publishes the AWS-hosted web app behind a Google Cloud load balancer.

Lab steps

Create GCP Cloud Router

Name: cloud-router
Network: default
Region: us-central1 (Iowa)
Google ASN value: 65001

Select "Advertise all subnets visible to the Cloud Router" so that your subnets are announced over BGP to the AWS side.

Create GCP Cloud HA VPN gateway

VPN Gateway Name: ha-vpn
Network: default
Region: us-central1 (Iowa)

Note the two interface IP addresses the gateway is assigned; the AWS customer gateway needs them.

Create the AWS Customer Gateway

Name tag: gcp
BGP ASN: 65001 (the Cloud Router's ASN)
IP address: the IP address of interface 0 of the "ha-vpn" gateway in the GCP project

Create the AWS Virtual private gateway

Name tag: vpn
Select Custom ASN and set: 65002

After creating it, attach the virtual private gateway to the VPC that will hold the EC2 instance.

Create AWS Site-to-site VPN Connection

Name tag: gcp
Target gateway type: Virtual private gateway
Virtual private gateway: {{Select the virtual private gateway you created previously}}
Customer gateway: Existing
Customer gateway ID: {{Select the customer gateway created previously}}
Routing options: Dynamic

Once the connection exists, download its configuration file with these options; the file contains the pre-shared keys, outside IPs and inside tunnel CIDRs you need on the GCP side:

Vendor: Cisco Systems, Inc.
Platform: ASA 5500 Series
Software: ASA 9.7+ VTI
IKE version: ikev1

The IKE version chosen here must match the one you select on the GCP tunnel later.

Tunnels Configuration

AWS assigns each tunnel a /30 "inside tunnel" CIDR in 169.254.0.0/16. The two usable addresses are split as follows:

Cloud Router IP (GCP link): the inside tunnel network address + 2
BGP Peer IP (AWS link): the inside tunnel network address + 1

For example, an inside CIDR of 169.254.10.0/30 gives a BGP Peer IP of 169.254.10.1 and a Cloud Router IP of 169.254.10.2.

Create GCP Cloud VPN tunnels

First create the peer VPN gateway that represents the AWS side:

Name: aws-vpn
Interfaces: One interface
Interface 0 IP address: the Outside IP address of Tunnel 1 from your AWS site-to-site VPN connection

Then create the tunnel:

VPN gateway: ha-vpn
Peer VPN gateway: aws-vpn
Cloud Router: cloud-router
Associated peer VPN gateway interface: the outside IP of Tunnel 1 (Tunnel 2 when you set up the second VPN tunnel)
Set a Name of your choice.
IKE version: IKEv1 (must match the AWS connection)
IKE pre-shared key: the value you copied earlier from the downloaded AWS configuration text file

Configure the BGP session:

Enter a name for your BGP session
Peer ASN: 65002
Allocate BGP IPv4 address: Manually
Cloud Router BGP IP: the GCP link address of Tunnel 1, calculated earlier
BGP Peer IP: the AWS link address of Tunnel 1, calculated earlier
Click Save & Continue.
Click SAVE BGP CONFIGURATION.
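The GCP side of the steps above, as an added example that is not part of the original lab: a shell script that derives the two link-local BGP addresses from each AWS inside-tunnel /30 and prints (does not run) the equivalent gcloud commands. It goes a little beyond the lab, which configures the tunnels one at a time in the console, by covering both tunnels of the AWS connection and the commands that verify the result. The resource names cloud-router, ha-vpn and aws-vpn, the ASNs 65001/65002 and the region us-central1 come from the lab; the tunnel, interface and peer names (aws-tunnel-N, if-aws-N, aws-peer-N) and the sample outside IPs, inside CIDRs and pre-shared keys used in demo are my own constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): emit gcloud commands for the GCP side of the
# AWS <-> GCP HA VPN. Only prints commands; copy them into a shell with gcloud.
set -eu

# Dotted-quad <-> integer helpers (pure shell, no external tools).
ip2int() {
  local oldifs=$IFS
  IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# tunnel_ips INSIDE_CIDR -> "AWS_BGP_PEER_IP CLOUD_ROUTER_IP"
# AWS hands out a /30 per tunnel: the AWS side is network+1, the GCP side network+2.
tunnel_ips() {
  local net
  net=$(ip2int "${1%/*}")
  net=$(( net & ~3 ))          # clear the two host bits to get the /30 network
  echo "$(int2ip $(( net + 1 ))) $(int2ip $(( net + 2 )))"
}

# emit_base_cmds AWS_TUNNEL1_OUTSIDE_IP AWS_TUNNEL2_OUTSIDE_IP
# Cloud Router (default advertisement mode = all subnets), HA VPN gateway and the
# external (peer) VPN gateway with one interface per AWS tunnel.
emit_base_cmds() {
  cat <<EOF
gcloud compute routers create cloud-router --region=us-central1 --network=default --asn=65001
gcloud compute vpn-gateways create ha-vpn --region=us-central1 --network=default
gcloud compute external-vpn-gateways create aws-vpn --interfaces=0=$1,1=$2
EOF
}

# emit_tunnel_cmds INDEX INSIDE_CIDR PSK   (INDEX is 0 or 1, matching the aws-vpn interface)
emit_tunnel_cmds() {
  local idx="$1" inside="$2" psk="$3" n aws_ip gcp_ip
  n=$(( idx + 1 ))
  set -- $(tunnel_ips "$inside")
  aws_ip=$1; gcp_ip=$2
  cat <<EOF
gcloud compute vpn-tunnels create aws-tunnel-$n --region=us-central1 \\
  --vpn-gateway=ha-vpn --interface=$idx \\
  --peer-external-gateway=aws-vpn --peer-external-gateway-interface=$idx \\
  --router=cloud-router --ike-version=1 --shared-secret='$psk'
gcloud compute routers add-interface cloud-router --region=us-central1 \\
  --interface-name=if-aws-$n --vpn-tunnel=aws-tunnel-$n \\
  --ip-address=$gcp_ip --mask-length=30
gcloud compute routers add-bgp-peer cloud-router --region=us-central1 \\
  --peer-name=aws-peer-$n --interface=if-aws-$n \\
  --peer-ip-address=$aws_ip --peer-asn=65002
EOF
}

# Commands that confirm the tunnel is ESTABLISHED and BGP has learned AWS routes.
emit_verify_cmds() {
  cat <<'EOF'
gcloud compute vpn-tunnels describe aws-tunnel-1 --region=us-central1 --format='value(status,detailedStatus)'
gcloud compute routers get-status cloud-router --region=us-central1
EOF
}

# demo: constructed sample values standing in for the AWS configuration file.
demo() {
  emit_base_cmds 203.0.113.10 203.0.113.20
  emit_tunnel_cmds 0 169.254.10.0/30 'PSK_FROM_AWS_CONFIG_TUNNEL1'
  emit_tunnel_cmds 1 169.254.20.0/30 'PSK_FROM_AWS_CONFIG_TUNNEL2'
  emit_verify_cmds
}
```

Run `demo` after sourcing the file, substitute the real outside IPs, inside CIDRs and pre-shared keys from the downloaded AWS configuration, and paste the output into a shell with gcloud authenticated against the lab project. The tunnel status should read ESTABLISHED and `routers get-status` should list the AWS VPC CIDR under the learned routes before you test connectivity.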

Enable Route Propagation in the AWS Route Table

In the route table of the VPC subnet that will hold the EC2 instance, enable route propagation from the virtual private gateway so the GCP subnets learned over BGP are installed as routes.

Test the connectivity

Creating instance in AWS

When launching the EC2 instance, configure its security group as follows:

Allow HTTPS traffic from the internet
Allow HTTP traffic from the internet
Add a custom rule: Type: Custom TCP, Port range: 8080, Source type: Custom, Source: 0.0.0.0/0

Opening these ports to 0.0.0.0/0 is acceptable only for this lab's connectivity test. Once the application is published through IAP, restrict the inbound rules to the GCP subnet range advertised over the VPN (for the default network's us-central1 subnet that is 10.128.0.0/20); otherwise the application stays reachable directly from the internet and IAP can be bypassed.

Connect to your AWS instance

Restrict the permissions on the key pair you downloaded, SSH in using the instance's public DNS name, and install netcat for the connectivity test:

chmod 400 ec2.pem
ssh -i "ec2.pem" ec2-user@ec2-18-215-177-176.compute-1.amazonaws.com
sudo yum update -y
sudo yum install -y nc

Creating instance in GCP

Name: my-gcp-vm
Region: us-central1
Zone: us-central1-a

SSH into the VM and install netcat (on newer Debian images the package is named netcat-openbsd):

sudo apt-get install -y netcat

Netcat from GCP to AWS

On the AWS instance, start a listener on port 8080:

nc -l -p 8080

On the GCP VM, send a message to the EC2 instance's private VPC address so the traffic traverses the VPN rather than the internet; the text appears in the AWS terminal if the tunnel and BGP routes are working:

echo "Hello from GCP" | nc {replace with IP from AWS} 8080

Run a web server on the EC2 instance

Back on the EC2 instance (Amazon Linux 2, which provides amazon-linux-extras):

sudo yum update -y
sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
sudo yum install -y httpd
sudo systemctl start httpd

Then open the instance's public DNS name in a browser to confirm the Apache test page loads, e.g. {{http://ec2-34-224-68-83.compute-1.amazonaws.com/}}

Create an OAuth Consent Screen

Create Self-Signed Certificate and OAuth Client

Generate a private key, then write the OpenSSL request configuration to a file named ssl_config and use it to create a certificate signing request:

openssl genrsa -out PRIVATE_KEY_FILE 2048

cat > ssl_config <<'EOF'
[req]
default_bits              = 2048
req_extensions            = extension_requirements
distinguished_name        = dn_requirements
prompt                    = no
[extension_requirements]
basicConstraints          = CA:FALSE
keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment
[dn_requirements]
countryName               = US
stateOrProvinceName       = CA
localityName              = Mountain View
0.organizationName        = Cloud
organizationalUnitName    = Example
commonName                = Test
EOF

openssl req -new -key PRIVATE_KEY_FILE \
 -out CSR_FILE \
 -config ssl_config

Using a Self-Signed Certificate

openssl x509 -req \
 -signkey PRIVATE_KEY_FILE \
 -in CSR_FILE \
 -out CERTIFICATE_FILE.pem \
 -extfile ssl_config \
 -extensions extension_requirements \
 -days 365
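The certificate produced by the lab's config has a commonName of "Test" and no subjectAltName, so modern browsers (Chrome has ignored the CN for hostname matching since version 58) will fail hostname validation in addition to the usual untrusted-issuer warning. As an added example that is not part of the lab, the script below generates the same kind of self-signed certificate but with a subjectAltName matching the external application hostname, and includes two checks worth running before uploading any certificate: that the SAN is present and that the certificate really belongs to the private key. HOST and OUTDIR are arguments you supply; demo.example.com in the usage is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): self-signed certificate with a SAN plus checks.
set -eu

# make_selfsigned_cert HOST OUTDIR -> writes ssl_config, key.pem, csr.pem, cert.pem
make_selfsigned_cert() {
  local host="$1" dir="$2"
  mkdir -p "$dir"
  cat > "$dir/ssl_config" <<EOF
[req]
default_bits       = 2048
prompt             = no
distinguished_name = dn_requirements
req_extensions     = extension_requirements
[dn_requirements]
countryName            = US
stateOrProvinceName    = CA
localityName           = Mountain View
0.organizationName     = Cloud
organizationalUnitName = Example
commonName             = $host
[extension_requirements]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/key.pem" -out "$dir/csr.pem" -config "$dir/ssl_config"
  # Self-sign the CSR; -extensions copies the SAN/keyUsage block into the cert.
  openssl x509 -req -signkey "$dir/key.pem" -in "$dir/csr.pem" -out "$dir/cert.pem" \
    -extfile "$dir/ssl_config" -extensions extension_requirements -days 365 2>/dev/null
}

# cert_has_san CERT HOST -> succeeds if the certificate carries DNS:HOST in its SAN
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key CERT KEY -> succeeds if the public key inside CERT is KEY's
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage (constructed hostname):
#   make_selfsigned_cert demo.example.com ./certs
#   cert_has_san ./certs/cert.pem demo.example.com && cert_matches_key ./certs/cert.pem ./certs/key.pem
```

Upload the result exactly as in the next step (`gcloud compute ssl-certificates create` with cert.pem and key.pem). A self-signed certificate will still trigger an untrusted-issuer warning; for anything beyond a lab, use a Google-managed certificate on the load balancer instead.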

Create a self-managed SSL certificate resource

gcloud compute ssl-certificates create my-cert \
 --certificate=CERTIFICATE_FILE.pem \
 --private-key=PRIVATE_KEY_FILE \
 --global

Creating an IAP connector deployment

Set the project variables and grant the service accounts used by the IAP connector's deployment the role the lab expects:

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com --role=roles/owner
gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER@cloudservices.gserviceaccount.com --role=roles/owner

Granting roles/owner to the Compute Engine default service account and the Google APIs service agent is far broader than least privilege requires; it is what this lab asks for, so review and remove these bindings once the lab is finished.

Then, in the console's IAP connector setup:

Click Enable APIs and Continue
Certificate: select User generated certificate, then the certificate you created: my-cert
Network: select the default network and leave Subnet unselected.
External facing application URL: {{IPV4 Public IPv4 DNS}}
Application name: demo-app
Region: us-central1
On-prem endpoint type: Fully Qualified Domain Name (FQDN)
FQDN endpoint: {{IPV4 Public IPv4 DNS}}
Protocol: HTTP
Port: 80
Toggle IAP for the load balancer and turn it on.

IAP only protects requests that arrive through this load balancer. The EC2 security group configured earlier must not leave port 80 open to the internet, or the application remains reachable without passing through IAP.

Closing

Friends of the Learning & Doing blog, that is the walkthrough of Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE). I hope it is useful. See you in the next post.
