`ip`, the standard Linux networking command, to handle tunnel creation).
We will skip describing the instance creation and start with compiling and installing the tunnel handler. In this phase, we’ll install **Suricata**, an open-source network intrusion detection system, with its default configuration and update its rules.

```bash
apt update
# "Development Tools" is a yum/dnf group name, not an apt package, and would make apt fail;
# build-essential already provides the compiler toolchain
apt install -y build-essential
apt install -y cmake g++ suricata
snap install aws-cli --classic
suricata-update   # update the Suricata rule set
cd /opt
git clone https://github.com/aws-samples/aws-gateway-load-balancer-tunnel-handler
cd aws-gateway-load-balancer-tunnel-handler
cmake .
make
```

Our tunnel handler is ready. You will find an executable called `gwlbtun` in the current directory; if you invoke it with the `-h` parameter, you should see the help page.
```text
root@ip-10-101-5-238:/opt/aws-gateway-load-balancer-tunnel-handler# ./gwlbtun -h
AWS Gateway Load Balancer Tunnel Handler
Usage: ./gwlbtun [options]
Example: ./gwlbtun

 -h Print this help
 -c FILE Command to execute when a new tunnel has been built. See below for arguments passed.
 -r FILE Command to execute when a tunnel times out and is about to be destroyed. See below for arguments passed.
 -t TIME Minimum time in seconds between last packet seen and to consider the tunnel timed out. Set to 0 (the default) to never time out tunnels.
 Note the actual time between last packet and the destroy call may be longer than this time.
 -p PORT Listen to TCP port PORT and provide a health status report on it.
 -s Only return simple health check status (only the HTTP response code), instead of detailed statistics.
 -d Enable debugging output.
 -x Enable dumping the hex payload of packets being processed.

---------------------------------------------------------------------------------------------------------
Tunnel command arguments:
The commands will be called with the following arguments:
1: The string 'CREATE' or 'DESTROY', depending on which operation is occurring.
2: The interface name of the ingress interface (gwi-<X>).
3: The interface name of the egress interface (gwo-<X>). Packets can be sent out via in the ingress
 as well, but having two different interfaces makes routing and iptables easier.
4: The GWLBE ENI ID in base 16 (e.g. '2b8ee1d4db0c51c4') associated with this tunnel.

The <X> in the interface name is replaced with the base 60 encoded ENI ID (to fit inside the 15 character
device name limit).
```

Gwlbtun’s task is to establish the GENEVE connection with our GWLB; it also lets you specify a health check port for the target group to use, so you don’t have to implement one with custom logic.
Additionally, it can run a script once a session is created or destroyed. We’ll take advantage of this and write a simple bash script that enables NAT (using iptables) and IP forwarding. Stopping the service will remove them.
**Note:** our instance will also need to disable a security feature called “source/destination check”. This EC2 feature drops any packet whose source or destination is not the instance itself, which would block the traffic we need to forward. As you’ll see, we need to add a role that allows the instance to clear this flag by itself.

Place the following script in the `/opt/aws-gateway-load-balancer-tunnel-handler` directory and name it `tunnel-handler.sh`:

```bash
#!/bin/bash

# Note: this requires the instance to have Source/Dest check disabled; we need to assign a role
# to the EC2 instance so it can disable and re-enable the flag on itself.

echo "Running tunnel handler script..."
echo "Mode is $1, In Int is $2, Out Int is $3, ENI is $4"

# Start from a clean rule set on both CREATE and DESTROY
iptables -F
iptables -t nat -F

# Fetch the instance ID from IMDS (IMDSv2 token first, so this also works when IMDSv1 is disabled)
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)

case $1 in
  CREATE)
    echo "Disabling source and destination check."
    # --no-source-dest-check disables the check; --source-dest-check would enable it
    aws ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" --no-source-dest-check

    echo "Setting up NAT and IP FORWARD"
    # Masquerade traffic leaving through the uplink (eth0) and allow forwarding between
    # the GWLB ingress interface and that uplink in both directions
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i "$2" -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o "$2" -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Reverse-path filtering must be off, or the kernel drops packets arriving over the tunnel
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > "/proc/sys/net/ipv4/conf/$2/rp_filter"
    ;;
  DESTROY)
    echo "Enabling source and destination check."
    aws ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" --source-dest-check
    echo "Removing IP FORWARD"
    # The NAT and FORWARD rules were already flushed above
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > "/proc/sys/net/ipv4/conf/$2/rp_filter"
    ;;
  *)
    echo "invalid action."
    exit 1
    ;;
esac
```

We now need to write a systemd unit that starts the handler. Place it in `/lib/systemd/system` and give it a name; we will use `aws-gwlb.service`:

```ini
[Unit]
Description=AWS GWLB Tunnel Handler
After=network.target

[Service]
ExecStart=/opt/aws-gateway-load-balancer-tunnel-handler/gwlbtun -c /opt/aws-gateway-load-balancer-tunnel-handler/tunnel-handler.sh -r /opt/aws-gateway-load-balancer-tunnel-handler/tunnel-handler.sh -p 80
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target
# Alias names must carry the same suffix as the unit file
Alias=aws-gwlb.service
```

Issue these commands to reload the configuration and enable the service. As this is only a template instance, we don’t need to start it now.

```bash
systemctl daemon-reload
systemctl enable aws-gwlb
```

You can now create an AMI and start with the Gateway Load Balancer creation.
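Before baking the AMI it is worth having a check that confirms the state tunnel-handler.sh is supposed to leave behind after a CREATE call: IP forwarding on, rp_filter off on the ingress interface, and the MASQUERADE and FORWARD rules in place. The script below is an added example, not part of the original post or of the aws-samples project; its checks take text input so they can be exercised against a constructed snapshot, and the `--live` mode assumes root, the `eth0` uplink used above and a `gwi-<X>` interface name.

```shell
#!/bin/sh
# Added verification script (not from the post or the aws-samples project).
# Confirms the state tunnel-handler.sh must leave behind after CREATE;
# assumes the eth0 uplink used in the post, IFACE is the gwi-<X> interface.

# check_sysctl SNAPSHOT IFACE  (SNAPSHOT: "key = value" lines as printed by sysctl(8))
check_sysctl() {
    snap="$1"; iface="$2"
    for key in "net.ipv4.ip_forward = 1" \
               "net.ipv4.conf.all.rp_filter = 0" \
               "net.ipv4.conf.$iface.rp_filter = 0"; do
        printf '%s\n' "$snap" | grep -qxF -- "$key" \
            || { echo "sysctl check failed: want '$key'"; return 1; }
    done
}

# check_iptables RULES IFACE UPLINK  (RULES: iptables-save output)
check_iptables() {
    rules="$1"; iface="$2"; uplink="$3"
    for rule in "-A POSTROUTING -o $uplink -j MASQUERADE" \
                "-A FORWARD -i $iface -o $uplink -j ACCEPT" \
                "-A FORWARD -i $uplink -o $iface -j ACCEPT"; do
        printf '%s\n' "$rules" | grep -qxF -- "$rule" \
            || { echo "iptables check failed: want '$rule'"; return 1; }
    done
}

# Constructed snapshots of a correctly configured appliance (not captured from a real host)
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.gwi-abc123.rp_filter = 0'
SAMPLE_RULES='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i gwi-abc123 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o gwi-abc123 -j ACCEPT
COMMIT'

# Live mode (run as root on the appliance): ./check-appliance.sh --live gwi-<X>
# Also probes the gwlbtun health port (-p 80) that the target group will use.
if [ "${1:-}" = "--live" ]; then
    GWI="${2:?usage: $0 --live gwi-<X>}"
    check_sysctl "$(sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter "net.ipv4.conf.$GWI.rp_filter")" "$GWI" \
        && check_iptables "$(iptables-save)" "$GWI" eth0 \
        && curl -sf -o /dev/null http://127.0.0.1:80/ \
        && echo "appliance ready: forwarding, NAT and gwlbtun health port all OK"
fi
```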
## Load Balancer Configuration
First, create a Target Group: click on “**Target Groups**” and create a new one.
Select “Instances” as the target type, give it a name, and select “**GENEVE**” as the protocol. We will use port 80 as the health check target because we told our tunnel handler to listen on that port (the “-p 80” command line switch).