Step 1: Building the network

Author: Dean Suzuki (Last Updated: 8/23/20)

Abstract

The first step to building a Windows infrastructure in AWS is to build out the network infrastructure. In this lab, you will leverage an AWS Quick Start to build out the secure, highly available network infrastructure shown below.

Introduction

AWS has created a series of Quick Starts to help our customers deploy solutions quickly. The AWS Quick Start that you will be using can be found (here); it deploys the above network infrastructure and a Remote Desktop Gateway server.

Depending upon the amount of time available for the lab, the Quick Start may already have been deployed into your environment. Please check with the lab proctor.

Section 1: Use CloudFormation to build the network

AWS Quick Starts leverage AWS CloudFormation, AWS's Infrastructure as Code (IaC) service, which allows you to create infrastructure from a template written in YAML or JSON. The template is uploaded to the CloudFormation service, which then creates the infrastructure described in the template.

Creating a Key Pair

To secure access to your EC2 instances, AWS uses public/private key technology in the form of an EC2 key pair. With Windows instances, the private key of the key pair is used to obtain the administrator password via the Amazon EC2 console. In this section, you will create the key pair.

  1. Log in to the AWS Console and navigate to the EC2 Management console. To get to the EC2 Management console, in the Find a service search box, type EC2.
  2. Make sure you are using the “N. Virginia” region. Look at the upper right-hand corner of the screen and switch to the “US East (N. Virginia)” region if you are in a different region.
  3. On the left menu bar, select Key Pairs.
  4. Select Create key pair.
  5. In the Key pair screen,

    a. For Name, enter WinLab-KeyPair

    b. For File format, select pem.

    c. Press Create key pair.

  6. Important: AWS downloads the private key portion of the key pair, with a name like WinLab-KeyPair.pem. Be sure to save the PEM file and record its location. You will use this file later to decrypt the administrator password, and you will not be able to download it again.

Running the Quick Start CloudFormation Template

In this section, you are going to get hands-on experience with AWS CloudFormation to build out the base network infrastructure.

  1. Log in to the AWS Console and navigate to the CloudFormation (CFN) console. In the Find a service search box, type CloudFormation.
  2. Make sure you are using the “N. Virginia” region. Look at the upper right-hand corner of the screen and switch to the “US East (N. Virginia)” region if you are in a different region.
  3. Click on Create stack with new resources (standard).
  4. In the Create stack screen, enter the values as shown below and click on Next.

    • Prepare template: Template is ready

    • Template source: Amazon S3 URL

    • Amazon S3 URL: https://aws-quickstart.s3.amazonaws.com/quickstart-microsoft-rdgateway/templates/rdgw-master.template

  5. For the stack name, enter WinVPC.

  6. For the Availability Zones, select us-east-1a and us-east-1b.

  7. For VPC CIDR, Private Subnet 1 & 2 CIDR, and Public Subnet 1 & 2 CIDR, leave the default values.

  8. For the Allowed Remote Desktop Gateway External Access CIDR, enter 0.0.0.0/0. This allows any IP address to reach the RD Gateway over RDP. This is not a secure configuration and it is not recommended for a production deployment; we will go back and tighten it down after the CloudFormation stack has been deployed.

  9. In the Key Pair Name, select the Key Pair that you created earlier (e.g. WinLab-KeyPair).

  10. For the Remote Desktop Gateway Instance Type, leave the default (t2.large).

  11. For the Number of RDGW Hosts, leave the default (1). Please note that the above diagram shows two RDGW hosts (one in each Availability Zone (AZ)). For the purposes of the lab, we are starting with one RDGW host to reduce the time that the CloudFormation process takes to run. However, as the diagram shows, the RDGW hosts are deployed into an Auto Scaling group. After the CloudFormation process finishes, you can examine the Auto Scaling group. Ask the instructor how Auto Scaling groups work; they are a key service that can provide scalability and availability to your application.

  12. For Admin User Name, leave the default (StackAdmin).

  13. For Admin Password, set a password that you will remember. Note the password complexity requirements (8 characters minimum, with letters, numbers, and symbols).

  14. For Domain DNS Name, leave the default (example.com).

  15. For the remaining options, leave the default values and click Next.

  16. On the Configure Stack Options, review the options. Click Next.

  17. On the Review WinVPC screen, review the settings. Check the two checkboxes and click Create Stack.

The template takes about 15 minutes to complete. During this time, we will review what the CloudFormation template is creating.

Once stack creation is completed, the status on the stack creation will change to CREATE_COMPLETE.

Review the Resources Created

  1. Click on the Events tab to see what the CloudFormation engine was doing.
  2. Click on the Resources tab to see the resources that the CloudFormation engine created. In this scenario, the CloudFormation template (WinVPC) called two nested CloudFormation (CF) templates. The first CF template (WinVPC-VPCStack) created the AWS networking components. The second CF template (WinVPC-RDGWStack) created the Remote Desktop Gateway server. This is a common architecture in which one CF template is called by other CF templates; it makes it easier to modularize CF template development and reuse CF templates.

In this section, you got a glimpse of the power of Infrastructure as Code (IaC) and how it enables you to create infrastructure quickly and repeatably. With IaC, you can check the CloudFormation template into a code repository and have a history of your infrastructure. If you need to roll back to a previous version of your infrastructure, you can run the prior version of the CloudFormation template. If you need to deploy the infrastructure into a new environment, run the template in the new environment. For example, you could create the CloudFormation template in a Development environment. When you have debugged your template and are ready to deploy it to a Staging, Testing, or Production environment, you just need to run the CloudFormation template in that environment and you will have an exact implementation of the infrastructure as documented in your template.

Securing the Environment

We are going to tighten the security of the RDGW access.

  1. Log in to the AWS Console and navigate to the EC2 Management console. To get to the EC2 Management console, in the Find a service search box, type EC2.
  2. Make sure you are using the “N. Virginia” region. Look at the upper right-hand corner of the screen and switch to the “US East (N. Virginia)” region if you are in a different region.
  3. In the left-hand menu, click Security Groups.
  4. Select the checkbox for the security group that has the description “Enable RDP access from the Internet”.
  5. In the bottom area, select the Inbound tab.
  6. Press Edit.
  7. Click Delete next to the rule that contains Port Range 3391 to delete the rule.
  8. Click Delete next to the rule that contains Port Range 443 to delete the rule.
  9. On the RDP rule, in the Source column, click the dropdown and select “My IP”.
  10. On the ICMP rule, in the Source column, click the dropdown and select “My IP”.
  11. Press Save.

When securing your application, you want to make sure to open only the ports that your application needs. In this example, you removed ports 3391 and 443, since you will not be using those ports in these labs. You have also locked down access so that RDP and ICMP connections can only originate from your public IP address. Some customers lock down access so that RDP and ICMP connections can only originate from the public IP addresses of their corporate network. Please ask a question if this is not clear.
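The same tightening, written as an audit plus the equivalent AWS CLI plan, as an added example that is not part of the lab: it flags every rule in the RDGW security group that is reachable from any address, drops the 3391 and 443 rules, and pins RDP and ICMP to a single /32. The security group JSON is constructed in the shape of aws ec2 describe-security-groups output; the group ID, the admin IP 203.0.113.10 and the UDP protocol on 3391 are assumptions, not values from the lab.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# mirroring the RDGW group after the Quick Start runs (group ID, udp/3391 assumed).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "Description": "Enable RDP access from the Internet",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 3391, "ToPort": 3391,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
WORLD = {"0.0.0.0/0", "::/0"}          # "any source" in IPv4 and IPv6
NEEDED = {("tcp", 3389), ("icmp", -1)}  # the only rules these labs use

def sources(rule):
    """All source CIDRs (IPv4 and IPv6) of one ingress rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def find_world_open(sg):
    """Rules reachable from any address, as (protocol, from_port, to_port)."""
    return [(r["IpProtocol"], r["FromPort"], r["ToPort"])
            for r in sg["IpPermissions"] if WORLD & set(sources(r))]

def tighten(sg, admin_ip):
    """Copy of the group with unneeded rules dropped and the rest pinned to admin_ip/32."""
    kept = [{**r, "IpRanges": [{"CidrIp": f"{admin_ip}/32"}], "Ipv6Ranges": []}
            for r in sg["IpPermissions"] if (r["IpProtocol"], r["FromPort"]) in NEEDED]
    return {**sg, "IpPermissions": kept}

def cli_plan(sg, admin_ip):
    """AWS CLI commands matching the console edits: revoke every world-open source,
    then authorize only the needed rules from admin_ip/32 (single ports assumed)."""
    gid, cmds = sg["GroupId"], []
    for r in sg["IpPermissions"]:
        for cidr in (c for c in sources(r) if c in WORLD):
            cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {gid} "
                        f"--protocol {r['IpProtocol']} --port {r['FromPort']} --cidr {cidr}")
    for r in tighten(sg, admin_ip)["IpPermissions"]:
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {gid} "
                    f"--protocol {r['IpProtocol']} --port {r['FromPort']} --cidr {admin_ip}/32")
    return cmds

if __name__ == "__main__":
    print("\n".join(cli_plan(SAMPLE_SG, "203.0.113.10")))  # placeholder admin IP
```

Run the audit against the real group by feeding it the JSON of the group whose description is “Enable RDP access from the Internet”; an empty result from find_world_open after the change confirms the console steps took effect.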

Section 2: Connecting to the RD Gateway Server

You will next log in to the RDGW server using Remote Desktop Protocol (RDP). If you are connecting from a Windows computer, the RDP client should already be present. If you are using a Mac, please download the RDP client here.

  1. Log in to the AWS Console and go to Elastic Compute Cloud (EC2) console.
  2. On the left hand menu, select Instances.
  3. Select the checkbox next to the RDGW server.
  4. Click the Connect button. Click the “Download Remote Desktop File” to download the RDP file.
  5. Click the Get Password button.
  6. Click the Choose File button and browse to the location of the key pair file that you downloaded earlier.
  7. Click Decrypt Password.
  8. Once the password is decrypted, copy it to the clipboard.
  9. Double click the RDP connection file that you downloaded and paste the password from the clipboard into the password field.

Congratulations!

You should be logged into the RDGW server. This is one approach to providing your administrator the ability to remote desktop into your AWS environment.

In recap, in this lab you learned about:

  • AWS Regions and Availability Zones

  • Virtual Private Cloud (VPC)

  • Public and Private Subnets

  • Infrastructure as Code (IaC)

  • CloudFormation

  • Key Pairs

  • Autoscaling Groups

  • How to secure your environment using Security Groups

  • How to RDP login to a Windows RDGW host

  • An architectural pattern to access your AWS environment using an RDGW host/jump server.

Although not specifically highlighted, the architecture that you deployed also included an Internet Gateway and Route Tables.

Please reflect on the above concepts and ask your lab facilitator if any of the above concepts are not clear.