Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE)

admin

1 year ago

“Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE)”

Daftar Isi

Toggle

Pengantar

Di lab ini, Anda akan diberi Google Cloud Project dan akun Amazon Web Services. Anda akan memanfaatkan fitur BeyondCorp Enterprise (BCE) untuk mengamankan aplikasi yang berjalan di kedua cloud.

Praktikum

Create GCP Cloud Router

Open the GCP console and go to NETWORKING > Hybrid connectivity > Cloud routers > Create router
Ikuti konfigurasi berikut

Name: cloud-router
Network: default
Region: us-central1(lowa)
Google ASN value: 65001

Select Advertise all subnets visible to the Cloud Router in order to expose     your subnets to BGP routing and to AWS router.

Klik Create

Create GCP Cloud HA VPN gateway

Buka NETWORKING > Hybrid connectivity > VPN > Create VPN Connection
Select High-availability (HA) VPN then click Continue.

Tambahkan konfigurasi berikut

    VPN Gateway Name: ha-vpn

    Network: default

    Region: us-central1(lowa)

Click Create & Continue

Create the AWS Customer Gateway

Buka VPC > Virtual Private Network (VPN) > Customer Gateways > Create Customer Gateway

Name tag: gcp
BGP ASN: 65001
IP address: Enter the IP address from interface 0 from the "ha-vpn" in the GCP project

Click Create customer gateway

Create the AWS Virtual private gateway

Buka VPC > Virtual Private Network (VPN) > Virtual Private Gateways > Create Virtual Private Gateway

    Name tag: vpn
    Select Custom ASN and set: 65002

Click Create Virtual Private Gateway

After the Virtual Private gateway has been created, select the Virtual Private gateway and go to actions and Attach to VPC. Then select the Default VPC.
Click Attach to VPC

Create AWS Site-to-site VPN Connection

Buka VPC > Virtual Private Network (VPN) > Site-to-site VPN Connections > Create VPN Connection

Name tag: gcp
Target gateway type: Virtual private gateway
Virtual private gateway: {{Select the virtual private gateway you created previously}}
Customer gateway: Existing
Customer gateway ID: {{Select the customer gateway created previously}}
Routing options: Dynamic

Leave the default values for the rest of the inputs and click Create VPN connection

After the Site-to-site VPN connection is created, select the VPN connection and click on the download configuration.

Vendor: Cisco Systems, Inc.
Platform: ASA 5500 Series
Software: ASA 9.7+ VTI
IKE version: ikev1

Click Download

Tunnels Configuration

he first Outside IP address will be used to create the peer VPN gateway in GCP
When configuring the BGP session we will be using the Inside tunnel subnet values

Calculating Cloud Router IP - GCP link:
Take the Inside tunnel subnet IP address + 2
Calculating BGP Peer IP - AWS link:
Take the Inside tunnel subnet IP address + 1

Create GCP Cloud VPN tunnels

Buka NETWORKING > Hybrid connectivity > VPN > Peer VPN Gateways > Create Peer VPN Gateway

Name: aws-vpn
Interfaces: One interface
Interface 0 IP address: Enter the Outside IP address from Tunnel 1 from your AWS site-to-site connections

Click Create
Navigate to Cloud VPN Tunnels tab, then click Create VPN Tunnel

PN gateway: ha-vpn
Peer VPN gateway: aws-vpn
Cloud Router: cloud-router
Associated peer VPN gateway interface: outside IP of tunnel 1 (and tunnel 2 for when you set up the second VPN tunnel)
Set a Name of your choice.
IKE version: IKEv1
Set IKE pre-shared key to what you copied earlier from the configuration txt file.

Click Create and continue
When creating the BGP session

Enter a name for your BGP session
Peer ASN: 65002
Allocate BGP IPv4 address: Select Manually
Cloud Router BGP IP: GCP link of tunnel1, which you calculated earlier
BGP Peer IP: AWS link of tunnel1, which you calculated earlier
Click Save & Continue.
Click SAVE BGP CONFIGURATION.

Enable Route Propagation in AWS Route Table

Buka VPC > Route tables
Select the Route table of the VPC (Default)
Click on the Route Propagation tab then click Edit route propagation
Click Save

Test the connectivity

Creating instance in AWS

click Launch Instance to create the EC2 VM

Under Network settings enable the following

Allow HTTPs traffic from the internet
Allow HTTP traffic from the internet

Click on the Edit icon in the top right of the Networking Settings sections and add the following custom security group. Click add security group rule

Type: Custom TCP
Port range: 8080
Source type: Custom
Source: 0.0.0.0/0

Click Launch instance
After the EC2 instance is created, click on View all instances and select the instance you created to view its details. Copy the Public IPv4 DNS.

Connect to your AWS instance

After the EC2 instance is created, open Cloud Shell in your Google Cloud Platform project, Upload the key (ec2.pem file) to your local Cloud Shell session running in GCP. You can do this by selecting the three dot menu at the top right of Cloud Shell and selecting Upload. You will be prompted to upload a file or folder in the resulting modal input box. Upload your ec2.pem file then proceed.
Run this command to ensure your key is not publicly viewable

chmod 400 ec2.pem

In Cloud Shell, connect to your instance using its Public DNS. Remember to replace the Public DNS below with the one you copied previously

ssh -i "ec2.pem" ec2-user@ec2-18-215-177-176.compute-1.amazonaws.com
sudo yum update
sudo yum install nc

Creating instance in GCP

In your Google Cloud Project, navigate to Compute Engine > VM instances > CREATE INSTANCE to create a Compute Engine instance with the following configuration

Name: my-gcp-vm
Region: us-central1
Zone: us-central1-a

Under Firewall Allow HTTP traffic. Then click Create to create your instance
Once your instance is created, click SSH to connect to your instance
Run the following command to install netcat. Hit enter if prompted to confirm

sudo apt-get install netcat

Netcat from GCP to AWS

In your Cloud Shell session connected to your AWS EC2 instance run the following command to listen on port 8080 using netcat

nc -l -p 8080

Run the following command from your GCP VM ssh session to send a message to your AWS instance

echo "Hello from GCP" | nc {replace with IP from AWS} 8080

Run a web server on the EC2 instance (Link)

Press CTRL+C to stop listening to port 8080.

sudo yum update -y
sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
sudo yum install -y httpd
sudo systemctl start httpd
{{http://ec2-34-224-68-83.compute-1.amazonaws.com/}}

open URL

Create an OAuth Consent Screen

Open the GCP Console and go to APIs & Services > OAuth consent screen.
Select the user type Internal, then click Create
Create an OAuth Consent Screen with the following properties

Create Self-Signed Certificate and OAuth Client

Create a private key and certificate

openssl genrsa -out PRIVATE_KEY_FILE 2048
touch ssl_config

[req]
default_bits              = 2048
req_extensions            = extension_requirements
distinguished_name        = dn_requirements
prompt = no
[extension_requirements]
basicConstraints          = CA:FALSE
keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment
[dn_requirements]
countryName               = US
stateOrProvinceName       = CA
localityName              = Mountain View
0.organizationName        = Cloud
organizationalUnitName    = Example
commonName                = Test

openssl req -new -key PRIVATE_KEY_FILE \
 -out CSR_FILE \
 -config ssl_config

Using a Self-Signed Certificate

openssl x509 -req \
 -signkey PRIVATE_KEY_FILE \
 -in CSR_FILE \
 -out CERTIFICATE_FILE.pem \
 -extfile ssl_config \
 -extensions extension_requirements \
 -days 365

Create a self-managed SSL certificate resource

gcloud compute ssl-certificates create my-cert \
 --certificate=CERTIFICATE_FILE.pem \
 --private-key=PRIVATE_KEY_FILE \
 --global

Creating an IAP connector deployment

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com --role=roles/owner
gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:$PROJECT_NUMBER@cloudservices.gserviceaccount.com --role=roles/owner

Go to Security > Identity-Aware Proxy. Enable the API then click Go To Identity-Aware Proxy
Click CONNECT NEW APPLICATION > Connect via On-Prem Connector to configure your IAP connector

Click Enable APIs and Continue
Select the User generated certificate
Select certificate you created: my-cert
Select the default network and leave Subnet unselected.

on the next page, “On-premises App Details”, configure your app like below

External facing application URL: {{IPV4 Public IPv4 DNS}}
Application name: demo-app
Region: us-central1
On-prem endpoint type: Fully Qualified Domain Name (FQDN)

Replace the following with your public IPV4 Public IPv4 DNS

FQDN endpoint: {{IPV4 Public IPv4 DNS}}
Protocol: HTTP
Port: 80

Click Done and then Submit

After seeing the error warning sign in the status component:

Toggle IAP for the load balancer
Then turn it on

Penutup

Sahabat Blog Learning & Doing demikianlah penjelasan mengenai Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE). Semoga Bermanfaat . Sampai ketemu lagi di postingan berikut nya.