Skip to content

Agilicus Connector in Private VPC In AWS EC2

Overview

You have a Virtual Private Cloud (VPC) in AWS EC2. It has private-only IP addressing. You need to ssh to some hosts within it, or remote desktop, or share some folders, etc. In this example we will show how to install the Agilicus Connector onto a t2.micro instance, with no public IP (and no NAT Gateway), and, use that to reach other instances within the VPC directly. There is no routing, no inbound or outbound connectivity otherwise.

Note: you can also follow these instructions AWS Doc to install a NAT gateway into your VPC, and then install the Agilicus Agent Connector on a single machine within the VPC. This would allow your other VPC components to reach outbound.

In this example we will show a setup where a dual-homed t2.micro

Step 1: Create Private VPC

For this demonstration the private VPC has no NAT gateway, no Internet access. This is an internal only network. You can decide whether it has onwards access to other Amazon services if needed.

Step 3: Create private EC2 Server

For demonstration purposes we create an EC2 server to ssh to.

Step 4: Create dual-homed EC2 instance for Agilicus Connector

This machine will act to straddle the private VPC and the public Internet. It does not route, it does not NAT. No traffic will flow from/to it without going through the Agilicus Identity-Aware Firewall.

OK at this stage we have a VPC with no public IP. We have a private server on it with no public IP. We have a 2nd server, with a public IP, that can reach the devices in the VPC. We will now install the Agilicus Connector to facility onwards ssh.

Now, if we look at the config of the private server, we can see its hostname and IP:

Step 5: Install Agilicus Connector

These instructions are as normal for a Linux host. We create the connector in the web front end, it gives us a command line to run.

We are now given a command line to run. We paste it into the ssh on the Agilicus Gateway server (the one with the public IP):

ubuntu@ip-172-31-13-67:~$ ssh ubuntu@PUBLICIP
ubuntu@ip-172-31-13-67:~$ sudo -i
root@ip-172-31-13-67:~# which curl && (curl -sL agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh) || (wget -O - agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh); sh /tmp/i.sh XXXXXXXXXX https://auth.dbt.agilicus.cloud
...

 https://auth.dbt.agilicus.cloud/auth?client_id=agilicus-builtin-agent-connector&code_challenge=XXXXXXXXXX&code_challenge_method=S256&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+profile+email+offline_access+urn%3Aagilicus%3Aapplication_service%3A%2A%3Aowner%3F+urn%3Aagilicus%3Aapi%3Aapplications%3Areader%3F+urn%3Aagilicus%3Aapi%3Aapplications%3Aowner%3F+urn%3Aagilicus%3Aapi%3Atraffic-tokens%3Aowner&state=1656984427

Enter verification code: XXXXXXXXXXXXXXXXX
checking code
INFO[2022-07-05T01:27:16Z] Check if the agilicus-agent is already running as a service. If so stop it
INFO[2022-07-05T01:27:16Z] Create a directory at /etc/agilicus/agent
...
INFO[2022-07-05T01:27:17Z] Start agilicus-agent service
INFO[2022-07-05T01:27:18Z] Installation Complete

At this stage we are done, and ready to create an SSH resource in the Agilicus Admin GUI. We do this as normal, first create a network endpoint:

We then add permission:

Now we add a ~/.ssh/config entry:

Host ec2-private-server
 Port 22
 User ec2-user
 ProxyCommand agilicus-agent wscat --oidc-issuer https://auth.dbt.agilicus.cloud --hostname %h --port %p
 IdentityFile /home/don/.ssh/don-ec2.pem

At this stage we are done. We can ssh directly there:

$ ssh ec2-user
ast login: Tue Jul  5 01:36:47 2022 from ip-172-31-13-67.ca-central-1.compute.internal

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-31-6-69 ~]$