Using Algo To Secure Access to AWS Resources

If you’re like me, you’re running your RDS databases with full public access to port 5432 because you have to debug and make queries on the database. But what do Transunion, Sony, and now even Desjardins have in common? Data breaches. So we have to secure those databases somehow, or end up costing both ourselves and our customers.

At Wowa, we wanted something easy and simple to setup, and Algo was an ideal match. It is a server and deployment script all-in-one with support for popular cloud hosts such as Azure, Google Cloud, and AWS EC2. It uses Wireguard behind the scenes, which is both efficient and highly secure.

To start, you should begin with a Linux system (or SSH access to one) or Mac OSX. Algo doesn’t support Windows, and while you can try using Windows Subsystem for Linux (WSL) to initiate it, I found that the latest version (11/1/2019) refused to run due to ansible rejecting directory permissions.

Deployment to an AWS EC2 instance was straightforward with the instructions provided on their main readme and IAM instructions. Once you have the Wireguard VPN server running, you’ll realize that it’s in a newly generated VPC and not the ones you have your RDS instances running in.

Connecting To Your VPC

In order to change the VPC of the server and connect it to your databases, you have to do three things: 1. Create a new security group for the new server, 2. Reinitiate the server in your selected VPC, 3. Reassign the Elastic IP to the new server.

To create a new security group, head to your EC2 Dashboard and find Security Groups under Network and Security. Click Create Security Group and a modal should pop up. Name your security group, give it a description, and copy the inbound/outbound rules from the default Algo setup:

To reinitate the server in your VPC, we are going to have to replicate it. First stop your instance by selecting the Algo server and going to Actions -> Instance State-> Stop. Create an image in the same menu by selecting Image -> Create Image. Give it a name and description, and Create Image. Wait for the process to finish. It takes a few minutes, so go grab a coffee.

Once complete, you can find your newly created image in the sidebar underneath Images -> AMIs. Select it and click Launch. Choose the appropriate settings for your desired setup, and in 3. Configure Instance be sure to select your VPC in the Network section. Then go ahead and adjust as necessary, and launch.

While your new instance is initiating, you can go reassign the Elastic IP address associated with the original. Make note of the current IP or instance ID associated with the original instance. Under Network & Security you can find Elastic IPs. Find the instance or IP that you recorded down, and in Actions click Associate Address. For the Instance field, select your newly created instance and check the Reassociation checkbox. Click Associate.

You’ll want to check this.

Once initialized, you should be able to connect to your new instance and VPC using the same Wireguard configuration.

Giving Access to Security Groups

Having your AWS instances in a single VPC doesn’t mean that they will automatically be able to connect to one another. You will need to create rules in other Security Group to allow your VPN instance to connect to them.

First find and record down the ID of the Security Group you created for your VPN instance. It should start with “sg-”. Then find and select the Security Group of your connected services or instances and edit its rules.

Fill in the appropriate ports you want to be able to route a connection to and for Source select Custom and enter the Security Group ID you wrote down. Add a informational description (i.e. VPN) and click Save. Do this as necessary for both Inbound and Outbound ports.

Then you’re done! Your Wireguard VPN should be able to connect to your secured instances, and you can remove any workarounds or rules allowing public access that you might have had before.