DEV Community: Dilusha Rasanjana

AWS Certificate Manager Introduced Exportable Public Certificates

Dilusha Rasanjana — Sun, 22 Jun 2025 16:31:33 +0000

It is a big news.....

AWS certificate manager now supports export public certificates issued by AWS. Earlier it was a big issue that aws issued public certificates cannot export and use in other compute workload.

Now when we creating a public certificate using aws certificate manager it ask do we need to create a exportable one or non exportable one.

It is supported to export certificate body, certificate chain and certificate private key. Therefore, we can use certificate’s private key to securely terminate TLS traffic on any compute workload such as EC2, containers, on premises servers and other cloud providers.

Pricing

Exportable public certificate(FQDN) - 15$
Exportable public certificate (Per wildcard name) - 149$
First 10K API calls of export-certificate - free of charge
After that each 10K API calls of export- certificate - 0.50$

Valid Period

These certificates are valid for 13 months.
After 11 month of period ACM renews certificates (60 days before expiration)

Follow me for more articles. Stay Connect with me on linkedin https://www.linkedin.com/in/dilusha-rasanjana/

AWS Client VPN with Mutual Authentication

Dilusha Rasanjana — Sun, 22 Jun 2025 12:34:26 +0000

AWS Client VPN is a managed VPN service that allows users to securely access AWS resources and on-premises networks. Recently, I had to set one up for a customer. In this guide I will explain all the steps to create an aws client vpn with mutual authentication and access an EC2 using client vpn.

I'm using following basic aws network architecture to act as an application environment. Here I am using multi az architecture but it is not a must. You can proceed with a single az architecture.

Prerequisites

AWS account with basic VPC, subnet configurations.
AWS and Client network must not having overlapping CIDR.
AWS EC2 in a private subnet for test connection. (act as application EC2)
Local server connected to a private network.(In this lab I'm using a windows EC2 in 172.20.0.0/16 VPC in another account. It represents a local machine in a private network. )

For this Lab, I'm using 10.0.0.0/16 as AWS VPC CIDR and 172.20.0.0/16 as client side CIDR.

Create Client VPN Subnets and Security Groups

First I'm creating two aws private subnets representing in two availability zones to associate with client vpn endpoint in the next steps. I created that subnets with 10.0.128.0/20 and 10.0.144.0/20 because I have big IP range. You can select it align with your IP plan. Then create a route table with just local route and attach it to these subnets.

Then create a security group without adding any inboud rule and allowing all outbound traffic. This security group use as client vpn endpoint security group in the next steps.

Then we need to add a inbound rule to application ec2 security group which we created earlier in prerequisites section. Add a inbound rule to allow all the traffic from client vpn security group which we created last step.

Create Client and Server Certificates

In this lab I'm using mutual authentication for authenticate users connect users to client vpn. Therefore, we need to create client and server certificates. For that I'm using EasyRSA.

Clone the OpenVPN easy-rsa repo to our local computer

git clone https://github.com/OpenVPN/easy-rsa.git

Move to the easy-rsa/easyrsa3 folder

cd easy-rsa/easyrsa3

Initialize a new PKI environment - It sets up the foundational directory structure and tracking system for your new Certificate Authority

./easyrsa init-pki

build a new certificate authority (CA)

./easyrsa build-ca nopass

Generate the server certificate and key

./easyrsa --san=DNS:server build-server-full server nopass

Generate the client certificate and key.

./easyrsa build-client-full client1.domain.tld nopass

Then copy the server certificate and key and the client certificate and key to a custom folder(in this lab client-vpn). Use following commands.

mkdir ~/client-vpn/
cp pki/ca.crt ~/client-vpn/
cp pki/issued/server.crt ~/client-vpn/
cp pki/private/server.key ~/client-vpn/
cp pki/issued/client1.domain.tld.crt ~/client-vpn
cp pki/private/client1.domain.tld.key ~/client-vpn/
cd ~/client-vpn/

After that import these client and server certificates to AWS ACM. For this lab I'm using aws cli to import certificates to certificate manager. You can use aws cli with aws configure command and access keys.

aws acm import-certificate --region <client vpn creating region> --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

aws acm import-certificate --region <client vpn creating region> --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt

Create Client VPN Endpoint

Now we have completed all the dependencies that need to create AWS Client VPN Endpoint.

In the first section of client vpn endpoint creation, we need to add client IPv4 CIDR. This CIDR must be within /12 and /22. In this lab our client CIDR is 172.20.0.0/16.

In the authentication information section, first select server certificate that we have imported to certificate manager. For authentication options, select use mutual authentication. Then select client certificate that we have imported to certificate manager.

Connection logging and Client connect handler is not necessary to enable for this lab.

In other parameters section I'm choosing TCP as the transport protocol and enable split tunnel. Split tunnel is very useful to route only traffic that's destined for the VPC (172.20.0.0/16) over the Client VPN tunnel. Traffic that's destined for on-premises resources or internet is not routed over the Client VPN tunnel. Then select our application vpc in the VPC ID section and select client vpn security group that we created in earlier steps.

Then create Client VPN Endpoint.

Target Network Association

Now we can see our client vpn endpoint is create but it is still in pending associate state. We need to associate subnets that we created for client vpn. For that, move to target network association section in the client vpn endpoint options.

Then select associate target network and add vpc and subnet. We should add two subnets as two associations.

It will take few minutes to associate subnets and change state from pending associate to available state.

Authorization Rules

Now our client vpn endpoint is in available state. In this step we should authorization rules. For that move to authorization rule tab and add authorization rule. Add application VPC CIDR as destination network and select Allow access to all users.

Now we have successfully created client vpn endpoint. Then download client configuration file to your local machine.

Configure OpenVPN

Use below url to download open vpn software to your local machine and install it.

https://openvpn.net/client/

Then copy following files to a directory in your local machine.

client1.domain.tld.crt (created earlier)
client1.domain.tld.key (created earlier)
downloaded-client-config.ovpn (downloaded from the aws console)

Then open client configuration file and add following lines.

cert /path/to/client1.domain.tld.crt
key /path/to/client1.domain.tld.key

Modify the endpoint dns name by adding random prefix. Modified configuration file should be previewed as follows.

client
dev tun
proto tcp
remote test.cvpn-endpoint-00d4ab3a058dab099.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
cert C:/Users/Administrator/Desktop/client-vpn/client1.domain.tld.crt
key C:/Users/Administrator/Desktop/client-vpn/client1.domain.tld.key
<ca>
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIUIATgMiViFxGskuHn1fYH2SoseKMwDQYJKoZIhvcNAQEL
BQAwHDEaMBgGA1UEAwwRZHJ0ZWNoLWNsaWVudC12cG4wHhcNMjUwNjIyMDE0NDEy
WhcNMzUwNjIwMDE0NDEyWjAcMRowGAYDVQQDDBFkcnRlY2gtY2xpZW50LXZwbjCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALkiFl3yn637L0TKzQdXavXX
9kT42MYSbxYRMhgY8B6KosJUGFQYWHTkz512PIgC6ijdPzCgcrwwL2op/Y8vmIHl
xe+FQ6QDDmXLTUEoOb/aK1C0q/VVQrKDfQVgKcG2xTKzhE1BHJRUUfMoJC4qA+9r
W/O2aiqnHJAu+KwUZc8vBnH7n/Sw24qYVq2GzLcmmTN5MvmYzSNe2lS5eMmi5/14
Bp2JtChCnioJ6lSRKodJosNTfcEULgmtl2RNue5BKiNwkQLsLnRGPepnTCsqNnN7
ZuE3opMWsvgfRq19rHdoRBGRfSpdyGSPvd9VrLlqGN1PoZgmHAKK0I8nXlVHAqzf
kKrJ9jNVboARJmLRgZ0t+4iuWAJHeVs3Swa0CeDM0p2LUVX1kPRoYxT04cG70UDL
wOavHAOwZYvaAWZaRPKXUr9bHWtL/gxkMWje7mm6RdAYkIXzl49Ax3ZJy1+dng4R
TOQdK56+iYgtArZZJtSJK2zmZjNyO6LUV9x0PTK2jZz8GEAIsOkvl8Ga8ZlwDN1t
nmaGFv3urzadECJAO9mtXGU+UDuXz7Wh4+5QotU2/Xn7dcBZ7HU0zVUvddbxlGvO
9w==
-----END CERTIFICATE-----

</ca>


reneg-sec 0

verify-x509-name server name

Connect to AWS Client VPN

Open installed client VPN software and move to upload file section. Then drag and drop or upload the modified configurations file to openvpn software. Then connect it.

Connectivity Check

Now we have connected to AWS environment with client vpn connection. For check the connectivity, I'm trying SSH to application EC2.

In this article you have learned to connect aws resources using aws client vpn with mutual authentication method. My next article will be the same use case with active directory authentication.

Follow me for more articles. Stay Connect with me on linkedin https://www.linkedin.com/in/dilusha-rasanjana/

AWS ECR with Endpoints - Access Errors

Dilusha Rasanjana — Sat, 10 May 2025 13:18:29 +0000

The AWS Elastic Container Registry (ECR) is a fully managed Docker container registry that makes it easy for developers to share and deploy container based applications. So consider it a safe and scalable repository for Docker container images. In this followup i will point out a few points you should be aware of before using ECR.

When we store a image in amazon ECR repository, amazon will store that images at backend using S3 bucket. This S3 bucket is unique for each region. This does not affect our AWS architecture until we make use of AWS endpoints to reach ECR or S3 buckets.

1. When our architecture designed to restrict internet access,

We need to create AWS interface endpoint for access ECR and interface/gateway endpoint to access S3 bucket that images are actually saved. If we use a specific endpoint policy to restrict access, S3 bucket ARN must be allowed in it. The following is the Amazon Resource Name (ARN) of the Amazon S3 bucket containing the layers for each Docker image.

arn:aws:s3:::prod-<region>-starport-layer-bucket/*

NOTE : You must update region name in the bucket arn.

2. When our architecture has one or more private S3 buckets and VPC has internet access,

Now because we have an internet connection you can make your own decision, if an interface endpoint is required to access ECR in this particular case. It is optional.

However, we have to add interface/gateway endpoint, to access private S3 buckets. If we are using endpoint policy to restrict access, ECR image storing s3 bucket ARN should be allowed in endpoint policy. Otherwise, ECR will return errors when trying to work with ECR repositories. Refer to the following example.

Failed to pull image "123456789.dkr.ecr.ap-southeast-1.amazonaws.com/ecr_repo:1.1": failed to pull and unpack image "123456789.dkr.ecr.ap-southeast-1.amazonaws.com/ecr_repo:1.1": failed to copy: httpReadSeeker: failed open: unexpected status code https://123456789.dkr.ecr.ap-southeast-1.amazonaws.com/ecr_repo/blobs/sha256:7fa43ee6781f1f46033bd360df783c66897d544d2aafceec4f55b1ebd2497eee : 403 Forbidden

You can use the following policy to restrict the access to s3 bucket.

{
        "Version": "2008-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "*",
                "Resource": [ "arn:aws:s3:::prod-<regeion name>-starport-layer-bucket/*",
                              "<your-s3-bucket-arn>" ]

            }
        ]
    }

NOTE : You must update region name in the bucket arn.

These two use cases will help you to build applications using both AWS EKS and ECS.

Follow me for more articles. Stay Connect with me on linkedin https://www.linkedin.com/in/dilusha-rasanjana/