Using SORACOM Canal to Connect to a Private Network

Overview

SORACOM Canal (Canal) is a private connection service that directly connects an Amazon Web Services (AWS) Amazon Virtual Private Cloud (VPC) to the SORACOM platform.

The SORACOM platform is itself built on an AWS VPC. Therefore, by using the "VPC peering" function that connects VPCs, SORACOM's VPC can be connected to the customer's VPC within the closed environment of AWS.
The customer VPC to be peered with Canal must be in the AWS Asia-Pacific (Tokyo) Region.

For the peering connection with the customer's VPC, Canal uses a gateway called a Virtual Private Gateway (VPG), which sits between SORACOM Air and the customer's VPC.

[Figure: Canal overview]

When the VPG is created, you can choose whether it also routes to the Internet or only to the peering destination. If it routes only to the peering destination, the result is a completely private network with no Internet access.
Whether a VPG is used can be set for each SORACOM Air group.

Therefore, access from a given Air SIM to the customer's VPC can be permitted or denied simply by changing the group that the SIM belongs to.

[Figure: Canal overview]

The steps for starting to use Canal are shown below. (This guide also follows these steps.)

Step 1: Create a VPC and EC2 instance (AWS settings).
Step 2: Create a VPG and set the VPC peering connection (SORACOM settings).
Step 3: Accept the peering connection and set the network (AWS settings).
Step 4: Connect to the private network.

Based on the four steps above, the procedure is explained below. For Step 1, "[Setting AWS] Create a VPC and EC2 Instance", an AWS Cloud Formation template is provided.

This guide assumes the following:

For details on AWS VPCs, also refer to the guide below.

Step 1: Create a VPC and EC2 Instance.

We will now create the part encircled by the red dotted line.

Step 1 has the following two parts: creating a VPC, and creating the EC2 instance.

Note that the AWS Cloud Formation template can be used to create the VPC and EC2 instance and configure the network, etc. To do so, see "[Reference] Using the Cloud Formation Template to Create VPC and EC2 Instance".

Creating a VPC

Log into AWS, and select "VPC" on the AWS Management Console. (Select the Tokyo Region.)
The VPC dashboard below will appear. Click on "Start VPC Wizard."

For "Select VPC Setting" below, select "VPC having 1 public subnet."

Set the IP CIDR block, VPC name, and public subnet.
Set the name to "Canal-Test" and use the default for the other settings. Click on "Create VPC."

The VPC will be created as shown below.

Next, connect the Internet gateway to the VPC.
Select VPC and click on Routing Table under "Overview."

In the route table, add a route whose destination is "0.0.0.0/0" and whose target is the Internet gateway.

Click on "Save."

Creating the EC2 Instance

Next, create the EC2 Instance in the VPC that was created. (This guide has the device connected to the private network via Canal to access this EC2 Instance.)

On the AWS Management Console, select EC2.

For the "Amazon Machine Image (AMI)," select Amazon Linux.

Select the instance type. For this guide, t2.micro or t2.nano is sufficient. Click on "Next step: Set Instance Details."

In "Step 3: Setting Instance Details," for "Network," select the VPC ("Canal-Test" in this guide) that has been created. Also, since you will log into the Instance via the Internet with SSH and do the setup, enable the "Automatically assign public IP."

Set the Instance's primary IP. (Here, set it to "10.0.0.254".)

In "Step 4: Add storage", set the default. In "Step 5: Append Instance tag", give the Instance a name. (Here, name it "canal-test-server".)

In "Step 6: Security group settings", add the HTTP port.

Click on "Check and Create".

When creating the Instance, the "Select existing key pair or create a new key" window below will appear. Use the key file to connect to the Instance with SSH.

If there is an existing key, select it. If there is not one, create a new key pair and download the key pair.

Next, connect to the Instance and install Apache.

Select the created Instance and click "Connect." The connect command will appear. Log in with SSH. (On OS X, use Terminal. On Windows, use Tera Term, etc.)

Here, use the command below to log in with SSH.

$ ssh -i "xxx-dev01.pem" ec2-user@ec2-52-196-xxx-xxx.ap-northeast-1.compute.amazonaws.com

After login, execute the command below and install Apache.

$ sudo yum install httpd

Next, execute the command below to start Apache.

$ sudo /etc/init.d/httpd start

Start the PC's browser and try to access it.

To access Apache, use the domain (for example, ec2-52-196-xxx-xxx.ap-northeast-1.compute.amazonaws.com) that was used to login with SSH.

Access to Apache has succeeded.

Here, EC2 is being accessed with the global IP address. But by setting up Canal, access will be possible with a private address.

This completes "Step 1: Create a VPC and EC2 Instance."

Step 2: Create VPG and set VPC Peer Connection.

This is where you create a VPG and set a VPC Peer Connection. The parts encircled by the red dotted line will be created.

Creating a VPG

Log into the SORACOM User Console.

On the menu at the top of the screen, select "Private Network Connection."

Click on "Add VPG".

Enter the VPG's name.

"Use Internet Gateway" sets whether the VPG also routes to the Internet (as explained at the beginning) or only to the peering destination.
If "Use Internet Gateway" is set to OFF, the result is a completely private network with no Internet access. Here, set the Internet Gateway to ON.

When you click "Create", "Status" will become "Creating" as shown below.

After about 3 minutes, the status changes to "Executing", which means creation has completed.

Next, set the Peer Connection for the VPC created in "Step 1".

To set the Peer Connection, the following information is necessary: the AWS account No., the VPC ID, and the VPC's address range (VPC CIDR).

You can see the AWS account No. on the AWS Management Console. On the upper right, click on "Support" and select "Support Center." The AWS account No. is on the upper right of the Support Center.

You can check the VPC ID and VPC's address range (VPC CIDR) on the AWS Management Console's VPC Dashboard. See the list under "VPC".

Setting the VPC Peer Connection

Set the Peer Connection.

Select the VPG that was just created.

Under "Basic Setting" and "VPC Peer Connection", click on "Add".

Enter the information below, then click "Create".

With this operation, SORACOM is requesting a peer connection to the VPC created with "Step 1: Create VPC and EC2 Instance."

This completes "Step 2: Create VPG and set VPC Peering Connection."

Step 3: Accept the Peering Connection and set the network.

Here, with the VPC created with "Step 1: Create VPC and EC2 Instance", accept the peering connection and set the network (routing table setting).

Switch from the AWS Management Console to the VPC Dashboard.
Select "VPC Peering" and check for a peering request similar to the one below.

Select the applicable peering and under "Action," select "Accept request."

The window below will appear. Select "Change routing table immediately" and change the routing table.

Select the route table associated with the subnet that contains the Instance, and add a route whose destination is "100.64.0.0/10" and whose target is the peering connection (pcx-xxxxxx) you just accepted. If you followed this guide's procedure, the VPC was created with "VPC having 1 public subnet", so the route table whose subnet is explicitly associated is the one displayed as "1 subnet".

Since the VPG's address range is 100.64.0.0/10, route this destination to the VPG (via the peering connection).

Click "Save".

This completes the procedure to accept the peering connection and to set the routing table.

Step 4: Connect to private network.

We will now finally connect to the private network via Canal.

Follow the procedure below.

Create a group, and set VPG.

On the SORACOM User Console, select "Group".

Click on "Add" and enter the group name to create a group.

Click on the created group, and on the group screen under "Basic Settings," open "SORACOM Air Settings."

Under "SORACOM Air Settings", there is "VPG(Virtual Private Gateway) Settings" as shown below. Set it to "ON" and select the "VPG" created in Step 2.

Click on "Save".

The Air SIM included in the group that specified the VPG will use the VPG.
By switching the group that the Air SIM belongs to, the VPG can be switched between Used and Unused even with the same Air SIM. This can enable or disable the connection to the private network.

Put the Air SIM in a group.

On the "SIM Management" menu, select the SIM to be connected, and click on "Change affiliated group".

Put the Air SIM in the group that was just created.

Use Air SIM to access with a private address.

With the group that will use the VPG, access the EC2 Instance in the VPC that was created with "Step 1: Create VPC and EC2 Instance."

Because the group has been changed, disconnect and then reconnect any devices that were already connected after changing the settings. (For example, toggle airplane mode on and off, or temporarily set the SIM status to "Pause".)

Startup the browser and enter the EC2 Instance's private address.

Successful access with the "10.0.0.254" private address!

This completes the "Using SORACOM Canal to Connect to a Server with a Private Network" procedure.

By using Canal, you can access the VPC without going through the Internet. Also, the VPC need not open any port to the Internet.

This guide created the VPG with its Internet gateway set to "ON". If it is set to "OFF" (peering destination only), the result is a completely private network with Internet access not permitted. This also eliminates the risk of devices being infected by malware from the Internet.
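As an added check that is not part of the SORACOM guide, the following Python audits what Step 3 and the guide's closing point leave behind: the route table must send the VPG range 100.64.0.0/10 to the accepted pcx- peering connection, and once devices arrive through Canal the EC2 security group no longer needs any rule open to 0.0.0.0/0 (the HTTP rule added in Step 1 is tightened to the VPG range). The dictionaries follow the shape of `aws ec2 describe-route-tables` and `describe-security-groups` output; all sample data and resource IDs are constructed, and the overlap check reflects AWS's rule that peered VPCs may not have overlapping CIDR blocks.

```python
import ipaddress
# Address range SORACOM assigns to devices behind a VPG (stated in the guide).
VPG_CIDR = ipaddress.ip_network("100.64.0.0/10")
# Constructed sample data in the shape of `aws ec2 describe-route-tables` and
# `describe-security-groups` output: the VPC after Step 3, with Step 1's HTTP rule.
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    {"DestinationCidrBlock": "100.64.0.0/10", "VpcPeeringConnectionId": "pcx-EXAMPLE", "State": "active"},
]}
SECURITY_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]}

def vpg_route_ok(route_table, peering_id):
    """True if VPG traffic (100.64.0.0/10) has an active route to the accepted pcx-... connection."""
    return any(
        r.get("DestinationCidrBlock") == str(VPG_CIDR)
        and r.get("VpcPeeringConnectionId") == peering_id
        and r.get("State") == "active"
        for r in route_table["Routes"]
    )

def cidr_conflicts_with_vpg(vpc_cidr):
    """AWS will not peer VPCs with overlapping CIDRs, so the VPC must stay out of 100.64.0.0/10."""
    return ipaddress.ip_network(vpc_cidr).overlaps(VPG_CIDR)

def internet_open_ports(security_group):
    """(protocol, from, to) of ingress rules reachable from 0.0.0.0/0; with Canal this should be empty."""
    return sorted(
        (p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
        for p in security_group["IpPermissions"]
        for rng in p.get("IpRanges", [])
        if rng["CidrIp"] == "0.0.0.0/0"
    )

def restrict_to_vpg(security_group):
    """Copy of the group in which every 0.0.0.0/0 rule admits only the VPG range instead."""
    perms = []
    for p in security_group["IpPermissions"]:
        ranges = [{"CidrIp": str(VPG_CIDR)} if r["CidrIp"] == "0.0.0.0/0" else r
                  for r in p.get("IpRanges", [])]
        perms.append({**p, "IpRanges": ranges})
    return {**security_group, "IpPermissions": perms}

if __name__ == "__main__":
    print("VPG route present:", vpg_route_ok(ROUTE_TABLE, "pcx-EXAMPLE"))
    print("Ports open to the Internet:", internet_open_ports(SECURITY_GROUP))
    print("After restricting to VPG:", internet_open_ports(restrict_to_vpg(SECURITY_GROUP)))
```

To run it against a real account, replace the two constants with the JSON returned by the corresponding `aws ec2 describe-*` calls and the pcx- ID shown in the VPC Dashboard.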

[Reference] Using the Cloud Formation Template to Create VPC and EC2 Instance

This procedure uses the Cloud Formation template to create the VPC and EC2 created and set with "Step 1: Create a VPC and EC2 Instance."

The EC2 Instance's key pair is necessary. First, create the key pair.
On the AWS Management Console's EC2 Dashboard, click on "Key Pair" to proceed with "Create Key Pair."

Enter the key pair name.

Next, use the Cloud Formation template to create the VPC and EC2 instance. Download the Cloud Formation template here.

On the AWS Management Console's Cloud Formation Dashboard, click on "Create Stack".

Select the file that was downloaded from here.

Enter the "Stack name" and "KeyName". Any "Stack name" can be used. For "KeyName", use the name of the key pair created above.

Click on "Next".

Click on "Create".

When the Status is "CREATE_COMPLETE", the stack has been created.

See the "Outputs" tab for the information necessary to create a Canal.

Next, do Step 2: [SORACOM Settings] to create a VPG, then set the VPC peering connection.
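An added example of such a template, written for this guide and not SORACOM's own downloadable template: it builds the Canal-Test VPC, public subnet, Internet gateway route, security group and canal-test-server of Step 1, and publishes the VPC ID, VPC CIDR and account ID in Outputs for Step 2. It assumes the Amazon Linux 2 AMI published in the public SSM parameter, takes KeyName and an assumed AdminCidr parameter, and installs Apache from UserData; unlike the hand-built Step 1 group, HTTP is admitted only from the VPG range 100.64.0.0/10 and SSH only from AdminCidr.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  KeyName: {Type: AWS::EC2::KeyPair::KeyName}
  AdminCidr: {Type: String, Description: CIDR allowed to SSH in (do not use 0.0.0.0/0)}
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties: {CidrBlock: 10.0.0.0/16, Tags: [{Key: Name, Value: Canal-Test}]}
  IGW: {Type: AWS::EC2::InternetGateway}
  Attach:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: {VpcId: !Ref VPC, InternetGatewayId: !Ref IGW}
  Subnet:
    Type: AWS::EC2::Subnet
    Properties: {VpcId: !Ref VPC, CidrBlock: 10.0.0.0/24, MapPublicIpOnLaunch: true}
  RouteTable: {Type: AWS::EC2::RouteTable, Properties: {VpcId: !Ref VPC}}
  DefaultRoute:  # the 0.0.0.0/0 -> Internet gateway route that Step 1 adds by hand
    Type: AWS::EC2::Route
    DependsOn: Attach
    Properties: {RouteTableId: !Ref RouteTable, DestinationCidrBlock: 0.0.0.0/0, GatewayId: !Ref IGW}
  Assoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref Subnet, RouteTableId: !Ref RouteTable}
  WebSG:  # HTTP only from the VPG range 100.64.0.0/10, never from the whole Internet
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from the SORACOM VPG range only, SSH from AdminCidr only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 100.64.0.0/10}
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref AdminCidr}
  Server:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      SubnetId: !Ref Subnet
      PrivateIpAddress: 10.0.0.254
      SecurityGroupIds: [!Ref WebSG]
      UserData: !Base64 "#!/bin/bash\nyum install -y httpd\nsystemctl enable httpd\nsystemctl start httpd\n"
      Tags: [{Key: Name, Value: canal-test-server}]
Outputs:  # the values Step 2 asks for when adding the VPC peer connection
  VpcId: {Value: !Ref VPC}
  VpcCidr: {Value: !GetAtt VPC.CidrBlock}
  AccountId: {Value: !Ref AWS::AccountId}
```

After the stack reaches CREATE_COMPLETE, the three Outputs are exactly the account No., VPC ID and VPC CIDR that the "Add" dialog of Step 2 asks for.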
