Using SORACOM Canal to Connect to a Private Network
SORACOM Canal (Canal) is a private connection service that directly connects Amazon Web Services (AWS)'s Amazon Virtual Private Cloud (VPC) to the SORACOM platform.
The SORACOM platform is built on AWS's VPC. Therefore, by using the "VPC peering" function that connects VPCs, SORACOM's VPC can be connected to the customer's VPC within the closed environment of AWS.
The VPC for a peering connection with Canal applies to AWS in the Asia-Pacific (Tokyo) Region.
For the peering connection with the customer's VPC, Canal uses a gateway between SORACOM Air and the customer's VPC, called a Virtual Private Gateway (VPG).
When the VPG is created, you can set whether to route it to the Internet or only to the peering destination. If it is set only to the peering destination, it becomes a completely private network with no Internet access permitted.
Whether the VPG is enabled or not can be set for each SORACOM Air group.
Therefore, even with the same Air SIM, access to the customer's VPC can be permitted or denied by changing the group it belongs to.
The steps for starting to use Canal are shown below. (This guide also follows these steps.)
- Step 1: [Setting AWS] Create VPC and EC2 Instance.
- Step 2: [Setting SORACOM] Create VPG and set VPC Peering Connection.
- Step 3: [Setting AWS] Accept the Peering Connection and set the network.
- Step 4: Connect to the private network.
Based on the four steps above, the procedure is explained below. For [Setting AWS] Create a VPC and EC2 Instance, an AWS Cloud Formation template is provided.
This guide assumes the following:
- You have a SORACOM account.
- You have SORACOM Air's SIM (Air SIM) and a usable device or smartphone.
- You have an AWS account.
For details on AWS's VPC, also refer to the guide below.
Step 1: Create a VPC and EC2 Instance.
We will now create the part encircled by the red dotted line.
Step 1 has the following two parts.
- Creating a VPC
- Creating an EC2 Instance (The Instance to be accessed by the device.)
Note that the AWS Cloud Formation template can be used to create the VPC and EC2 and to set up the network, etc. To use the AWS Cloud Formation template to create the VPC and EC2, see [Reference] Using Cloud Formation Template to Create VPC and EC2 Instance.
Creating a VPC
Log into AWS, and select "VPC" on the AWS Management Console. (Select the Tokyo Region.)
The VPC dashboard below will appear. Click on "Start VPC Wizard."
For "Select VPC Setting" below, select "VPC having 1 public subnet."
Set the IP CIDR block, VPC name, and public subnet.
Set the name to "Canal-Test" and use the default for the other settings. Click on "Create VPC."
The VPC will be created as shown below.
Next, connect the Internet gateway to the VPC.
Select VPC and click on Routing Table under "Overview."
For the Routing Table, set the Internet gateway for the "0.0.0.0/0" target.
Click on "Save."
Creating the EC2 Instance
Next, create the EC2 Instance in the VPC that was created. (This guide has the device connected to the private network via Canal to access this EC2 Instance.)
On the AWS Management Console, select EC2.
For the "Amazon Machine Image (AMI)," select Amazon Linux.
Select the Instance Type. For this guide, t2.micro or t2.nano is sufficient. Click on "Next step: Set Instance Details."
In "Step 3: Setting Instance Details," for "Network," select the VPC that was created ("Canal-Test" in this guide). Also, since you will log into the Instance via the Internet with SSH to do the setup, enable "Automatically assign public IP."
Set the Instance's primary IP. (Here, set it to "10.0.0.254".)
In "Step 4: Add storage", set the default. In "Step 5: Append Instance tag", give the Instance a name. (Here, name it "canal-test-server".)
In "Step 6: Security group settings", add the HTTP port.
Click on "Check and Create".
When creating the Instance, the "Select existing key pair or create a new key" window below will appear. The key file is used to connect to the Instance with SSH.
If there is an existing key, select it. If there is not one, create a new key pair and download the key pair.
Next, connect to the Instance and install Apache.
Select the created Instance and click "Connect." The connect command will appear. Log in with SSH. (On OS X, use Terminal. On Windows, use Tera Term, etc.)
Here, use the command below to log in with SSH.
$ ssh -i "xxx-dev01.pem" email@example.com
After logging in, execute the command below to install Apache.
$ sudo yum install httpd
Next, execute the command below to start Apache.
$ sudo /etc/init.d/httpd start
Start the browser on your PC and try to access it.
To access Apache, use the domain name (for example, ec2-52-196-xxx-xxx.ap-northeast-1.compute.amazonaws.com) that was used to log in with SSH.
Access to Apache has succeeded.
Here, EC2 is being accessed with its global IP address. Once Canal is set up, access will be possible with a private address.
This completes "Step 1: Create a VPC and EC2 Instance."
Step 2: Create VPG and set VPC Peer Connection.
This is where you create a VPG and set up a VPC peering connection. The parts encircled by the red dotted line will be created.
Creating a VPG
Log into the SORACOM User Console.
On the menu at the top of the screen, select "Private Network Connection."
Click on "Add VPG".
Enter the VPG's name.
"Use Internet Gateway" sets whether the VPG routes to the Internet (as explained at the beginning) or only to the peering destination.
If "Use Internet Gateway" is set to OFF, the VPG becomes a completely private network with no permission to access the Internet. Here, set the Internet Gateway to ON.
When you click "Create", "Status" will become "Creating" as shown below.
After about 3 minutes, the status changes to "Executing" and creation is complete.
Next, set the Peer Connection for the VPC created in "Step 1".
To set the Peer Connection, the following information is necessary:
- AWS account No.
- Connection's VPC ID
- VPC's address range (CIDR)
You can see the AWS account No. on the AWS Management Console. On the upper right, click on "Support" and select "Support Center." The AWS account No. is on the upper right of the Support Center.
You can check the VPC ID and VPC's address range (VPC CIDR) on the AWS Management Console's VPC Dashboard. See the list under "VPC".
Setting the VPC Peer Connection
Set the Peer Connection.
Select the VPG that was just created.
Under "Basic Setting" and "VPC Peer Connection", click on "Add".
Enter the information below, then click "Create".
With this operation, SORACOM requests a peering connection to the VPC created in "Step 1: Create VPC and EC2 Instance."
This completes "Step 2: Create VPG and set VPC Peering Connection."
Step 3: Accept the Peering Connection and set the network.
Here, for the VPC created in "Step 1: Create VPC and EC2 Instance", accept the peering connection and set up the network (routing table setting).
On the AWS Management Console, switch to the VPC Dashboard.
Select "VPC Peering". Check for a peering request similar to the one below.
Select the applicable peering connection and, under "Action," select "Accept request."
The window below will appear. Select "Change routing table immediately" and change the routing table.
Select the routing table that includes the Instance, and add a route with destination "100.64.0.0/10" whose target is the peering connection (pcx-xxxxxx) that was just accepted. If you created the VPC according to this guide's procedure ("VPC having 1 public subnet"), the routing table explicitly associated with that subnet is displayed as "1 subnet".
Since the VPG's address range is 100.64.0.0/10, traffic for this destination must be sent to the VPG through the peering connection.
This completes the procedure to accept the peering connection and to set the routing table.
Step 4: Connect to private network.
We will now finally connect to the private network via Canal.
Follow the procedure below.
- Create a group, and set VPG.
- Put Air SIM in a group.
- From Air SIM, use a private address to access the network.
Create a group, and set VPG.
On the SORACOM User Console, select "Group".
Click on "Add" and enter the group name to create a group.
Click on the created group, and on the group screen under "Basic Settings," open "SORACOM Air Settings."
Under "SORACOM Air Settings", there is "VPG(Virtual Private Gateway) Settings" as shown below. Set it to "ON" and select the "VPG" created in Step 2.
Click on "Save".
The Air SIM included in the group that specified the VPG will use the VPG.
By switching the group that the Air SIM belongs to, the VPG can be switched between Used and Unused even for the same Air SIM. This enables or disables the connection to the private network.
Put the Air SIM in a group.
On the "SIM Management" menu, select the SIM to be connected, and click on "Change affiliated group".
Put the Air SIM in the group that was just created.
Use Air SIM to access with a private address.
With the group that will use the VPG, access the EC2 Instance in the VPC that was created with "Step 1: Create VPC and EC2 Instance."
Since the group has been changed, disconnect devices that are already connected and then reconnect them so that the new settings take effect. (For example, toggle Airplane mode On/Off, or temporarily set the SIM status to "Pause".)
Start the browser and enter the EC2 Instance's private address.
Successful access with the "10.0.0.254" private address!
This completes the "Using SORACOM Canal to Connect to a Server with a Private Network" procedure.
By using Canal, you can access the VPC without going through the Internet. Also, the VPC need not open a port to the Internet.
This guide created the VPG with the Internet gateway set to "ON". If it is set to "OFF" (peering destination only), the VPG becomes a completely private network with no Internet access permitted. This also eliminates the risk of devices being infected by malware from the Internet.
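The two configuration points above, the 100.64.0.0/10 route to the peering connection set in Step 3 and the security group that no longer needs to admit the Internet once devices arrive through Canal, can be checked against the AWS API output. The following is an added example, not part of this guide or of SORACOM's tooling; it assumes route-table and security-group dicts in the shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`, with constructed placeholder IDs.

```python
import ipaddress

# Range SORACOM assigns to devices behind a VPG, as stated in the guide.
VPG_CIDR = ipaddress.ip_network("100.64.0.0/10")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

def find_vpg_route(route_table):
    """Return the route sending 100.64.0.0/10 to a pcx-* peering connection, else None.
    `route_table` follows the shape of `aws ec2 describe-route-tables` output."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock")
        peer = route.get("VpcPeeringConnectionId", "")
        if dest and ipaddress.ip_network(dest) == VPG_CIDR and peer.startswith("pcx-"):
            return route
    return None

def internet_exposed_ports(security_group):
    """Return (FromPort, ToPort) of every ingress rule that admits 0.0.0.0/0."""
    exposed = []
    for perm in security_group.get("IpPermissions", []):
        for ip_range in perm.get("IpRanges", []):
            if ipaddress.ip_network(ip_range["CidrIp"]) == ANYWHERE:
                exposed.append((perm.get("FromPort"), perm.get("ToPort")))
    return exposed

def audit(vpc_cidr, route_table, security_group):
    """Collect findings for a Canal-attached VPC; an empty list means every check passed."""
    findings = []
    if ipaddress.ip_network(vpc_cidr).overlaps(VPG_CIDR):  # peering needs disjoint CIDRs
        findings.append(f"VPC CIDR {vpc_cidr} overlaps the VPG range {VPG_CIDR}; peering cannot route")
    if find_vpg_route(route_table) is None:
        findings.append(f"no route for {VPG_CIDR} via a pcx-* peering connection; devices cannot reach the VPC")
    for lo, hi in internet_exposed_ports(security_group):
        findings.append(f"ingress {lo}-{hi} is open to 0.0.0.0/0; limit it to {VPG_CIDR} once Canal is in use")
    return findings

# Constructed sample data with placeholder IDs (not real AWS resources).
ROUTE_TABLE = {"RouteTableId": "rtb-PLACEHOLDER", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
    {"DestinationCidrBlock": "100.64.0.0/10", "VpcPeeringConnectionId": "pcx-PLACEHOLDER"},
]}
SG_OPEN = {"IpPermissions": [  # as left after Step 1: HTTP and SSH admitted from anywhere
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
SG_HARDENED = {"IpPermissions": [  # HTTP reachable only from devices behind the VPG
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "100.64.0.0/10"}]},
]}
```

Calling `audit("10.0.0.0/16", ROUTE_TABLE, SG_OPEN)` reports the two world-open ports, while the same call with `SG_HARDENED` returns no findings.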
[Reference] Using the Cloud Formation Template to Create VPC and EC2 Instance
This procedure uses the Cloud Formation template to create the VPC and EC2 that were created and set up in "Step 1: Create a VPC and EC2 Instance."
The EC2 Instance's key pair is necessary. First, create the key pair.
On the AWS Management Console's EC2 Dashboard, click on "Key Pair" to proceed with "Create Key Pair."
Enter the key pair name.
Next, use the Cloud Formation template to create the VPC and EC2. Download the Cloud Formation template here.
On the AWS Management Console's Cloud Formation Dashboard, click on "Create Stack".
Select the file that was downloaded from here.
Enter the "Stack name" and "KeyName". The "Stack name" can be anything. For "KeyName", use the name of the key pair created above.
Click on "Next".
Click on "Create".
When the Status is "CREATE_COMPLETE", the stack has been created.
See the "Outputs" tab for the information necessary to create a Canal.