How to Set Up a GRE Tunnel Between Two Linux Hosts for AWS EC2


AllCloud Blog:
Cloud Insights and Innovation

Step by Step on How to Set Up a GRE Tunnel on AWS EC2

By: David Partow
 

This guide walks through the steps needed to establish a GRE tunnel between two Linux hosts on EC2. An AWS VPC does not deliver broadcast (or multicast) traffic between instances, so a GRE tunnel is one way to carry such traffic for applications that depend on it; the tunnel is point-to-point, so each pair of hosts that must see each other's broadcasts needs its own tunnel. To keep latency between the two endpoints low, use an instance type that supports Enhanced Networking and launch both instances into the same placement group.

For this particular example, we will use an instance type which supports Enhanced Networking and is an EBS optimized-instance.

For more information about Enhanced Networking in AWS, refer to the following link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html

For more information about EBS-Optimized Instances, refer to the following link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html

Prerequisites:
  1. Basic knowledge of Linux (including building packages from source), the AWS console and its CLI tools.
  2. A VPC that is already built.
  3. An IAM user with permission to launch EC2 instances and change instance attributes (the post uses an EC2 administrator policy; the Enhanced Networking step itself only needs ec2:ModifyInstanceAttribute).
Requirements:
  1. 2x AWS EC2 c4.8xlarge instances running Red Hat Enterprise Linux 7.0 (HVM)
  2. An instance type that supports Enhanced Networking (the c4 family does)
  3. 2x Elastic IPs

Duration: 30-45 Minutes

1. Launch Red Hat Enterprise Linux 7.0 (HVM), SSD Volume Type instances. The AMI used here is ami-8cff51fb; AMI IDs are region-specific, so pick the equivalent image in your region.

2. Choose the instance type: c4.8xlarge.

3. Change the number of instances from 1 to 2. Select your VPC and subnet, create a new placement group and name it, and make sure "EBS-optimized instance" is enabled.

4.  Accept or modify the default storage volume to your needs.

5.  Name your instances. For this example, I have chosen GRE.

6.  Create a new security group and name it GRE-SG. Allow SSH (TCP 22) only from your own system's address, e.g. your office's external IP, or from a security group that contains your VPN hosts. Add a second inbound rule for the tunnel itself: a custom-protocol rule for IP protocol 47 (GRE) with GRE-SG as the source, so the two instances can exchange GRE packets with each other. Without that rule the gre2 interfaces come up but no traffic passes between them.

7. Confirm the specifications for the instances, then continue to the next step and create a new key pair or select an existing one. Launch the instances. Once they are running, assign Elastic IP addresses to both.

8.  Assign an Elastic IP address to each instance so you can reach it over SSH. This is only required if you do not have a VPN connection into your VPC.

9.  Now you can connect to your instances over SSH. Open a terminal (macOS or Linux) or a PuTTY session (Windows).

10. Perform the following on each instance:

sudo su -
yum -y update
# build dependencies for the ixgbevf driver package built in the next step
yum -y install rpm-build wget kernel-headers kernel-devel gcc
# reboot so the running kernel matches the kernel-devel headers the module is built against
reboot

11.  SSH back into your instances.

sudo su -
cd /tmp
# ixgbevf is the Intel 82599 virtual-function driver that Enhanced Networking uses on c4 instances.
# Nothing below checks the tarball's integrity; compare it with a trusted copy before building it as root.
wget https://downloads.sourceforge.net/project/e1000/ixgbevf%20stable/2.16.1/ixgbevf-2.16.1.tar.gz
rpmbuild -tb ixgbevf-2.16.1.tar.gz
rpm -ivh /root/rpmbuild/RPMS/x86_64/ixgbevf-2.16.1-1.x86_64.rpm
depmod
# rebuild the initramfs for the running kernel so it carries the new module
cd /boot
dracut -f
# RHEL 7 ships systemd/udev >= 197, which use predictable interface names; if this prints a package,
# pin net.ifnames=0 so the interface stays eth0 after the driver change and the ifcfg files remain valid
rpm -qa | grep -E '^(systemd|udev)-[0-9]+'
sed -i '/^GRUB_CMDLINE_LINUX/s/"$/ net.ifnames=0"/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
vi /etc/sysconfig/network-scripts/ifcfg-gre2

Add the following to the file. The outer addresses are each instance's private VPC address (the one on eth0), not the Elastic IPs: an Elastic IP is translated by AWS and never appears on the instance, so it cannot serve as the tunnel's local address.

ONBOOT=yes
DEVICE=gre2
TYPE=GRE
MY_INNER_IPADDR=192.168.255.1
MY_OUTER_IPADDR=<this instance's private VPC IP address>
PEER_INNER_IPADDR=192.168.255.2
PEER_OUTER_IPADDR=<the other instance's private VPC IP address>

Save changes and quit with :wq!

At this point, repeat the steps above on the second instance, swapping the MY_* and PEER_* values: on it, MY_INNER_IPADDR is 192.168.255.2, PEER_INNER_IPADDR is 192.168.255.1, and the outer addresses are exchanged likewise.
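The two ifcfg-gre2 files are written by hand and must mirror each other exactly, and the most common mistake is putting an Elastic IP in an outer-address field. The script below is an added example, not part of the original post: it generates both files from one set of addresses, refuses outer addresses that are not private VPC addresses, and prints the equivalent iproute2 commands for a test without a reboot. The addresses 172.30.2.229 and 172.30.2.116 are assumptions taken from the ifconfig output later in the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the ifcfg-gre2 files for
# both GRE endpoints from a single set of addresses and sanity-check them
# before they are written under /etc/sysconfig/network-scripts.
# Assumed values: 172.30.2.229 and 172.30.2.116 are the private VPC
# addresses of GRE-1 and GRE-2 (taken from the ifconfig output shown later).

# 0 if the dotted-quad address is in an RFC 1918 range, 1 otherwise.
# The GRE outer addresses on EC2 must be the instances' private addresses:
# an Elastic IP is NATed by AWS and is never configured on the instance, so
# a tunnel whose MY_OUTER_IPADDR is the EIP has no local address to bind.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# MTU the kernel assigns a plain GRE tunnel over an underlay with MTU $1:
# 20-byte outer IPv4 header plus 4-byte GRE header (no key, checksum or
# sequence number). Over a 9001-byte jumbo-frame VPC link that is 8977.
gre_mtu() {
    echo $(( $1 - 20 - 4 ))
}

# Validate one endpoint: my_inner my_outer peer_inner peer_outer.
gre_check() {
    [ $# -eq 4 ] || { echo "need: my_inner my_outer peer_inner peer_outer" >&2; return 1; }
    for a in "$@"; do
        [ -n "$a" ] || { echo "empty address" >&2; return 1; }
    done
    is_rfc1918 "$2" || { echo "MY_OUTER_IPADDR $2 is not a private VPC address (Elastic IP?)" >&2; return 1; }
    is_rfc1918 "$4" || { echo "PEER_OUTER_IPADDR $4 is not a private VPC address (Elastic IP?)" >&2; return 1; }
    [ "$2" != "$4" ] || { echo "outer addresses must differ" >&2; return 1; }
    [ "$1" != "$3" ] || { echo "inner addresses must differ" >&2; return 1; }
}

# Print the ifcfg-gre2 contents for one endpoint.
gre_ifcfg() {
    gre_check "$@" || return 1
    cat <<EOF
ONBOOT=yes
DEVICE=gre2
TYPE=GRE
MY_INNER_IPADDR=$1
MY_OUTER_IPADDR=$2
PEER_INNER_IPADDR=$3
PEER_OUTER_IPADDR=$4
EOF
}

# Print the peer's file from the same arguments (pairs swapped), so the
# two files can never drift apart.
gre_ifcfg_peer() {
    gre_ifcfg "$3" "$4" "$1" "$2"
}

# Equivalent iproute2 commands for a one-off test without a reboot; this is
# roughly what ifup-tunnel runs from the ifcfg file.
gre_ip_cmds() {
    gre_check "$@" || return 1
    cat <<EOF
ip tunnel add gre2 mode gre local $2 remote $4 ttl 255
ip addr add $1 peer $3 dev gre2
ip link set gre2 up
EOF
}

# GRE-1's file; on that host redirect it to /etc/sysconfig/network-scripts/ifcfg-gre2
gre_ifcfg 192.168.255.1 172.30.2.229 192.168.255.2 172.30.2.116
```

Run gre_ifcfg_peer with the same four arguments on GRE-2 to get its file; gre_check fails loudly if either outer address is a public (Elastic) IP or if the two sides are given the same inner or outer address.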

Once the second instance is configured the same way, stop both instances from the AWS console or CLI. The Enhanced Networking attribute can only be changed while an instance is stopped.

Next, you need the EC2 CLI tools installed on your workstation. If they are not, follow the AWS instructions: https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/set-up-ec2-cli-linux.html#setting_up_ec2_command_linux

Once the EC2 tools are configured, enable the Enhanced Networking attribute through the CLI. The AWS console does not expose this attribute.

Perform the following on your system after installing the EC2 tools (adjust EC2_HOME to where you unpacked them):

export EC2_HOME=/usr/local/ec2/ec2-api-tools-1.7.1.3/
export PATH=$PATH:$EC2_HOME/bin

If you do not already have an IAM user, create one. For more information on how to create an IAM user, refer to the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SettingUpUser.html

The original setup gives that user an EC2 administrator policy. The only action this step needs is ec2:ModifyInstanceAttribute (plus ec2:DescribeInstanceAttribute to confirm the result), so a policy scoped to those actions is preferable. The EC2 tools read the user's credentials from the AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables; export them in the shell you are working in rather than writing them into a script.

Now we can change the instance attribute that turns on Enhanced Networking. Ensure both instances are in the "stopped" state.

ec2-modify-instance-attribute <Instance ID> --sriov simple --region <Your region>

After executing the above command, a successful output will be:

sriovNetSupport <Instance ID> simple

The same change with the current AWS CLI, and the read-back that confirms it, is:

aws ec2 modify-instance-attribute --instance-id <Instance ID> --sriov-net-support simple --region <Your region>
aws ec2 describe-instance-attribute --instance-id <Instance ID> --attribute sriovNetSupport --region <Your region>

You can now start both instances in AWS Console or the CLI.

SSH into both instances

From GRE-1 instance: ifconfig gre2

gre2: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
inet 192.168.255.1  netmask 255.255.255.255  destination 192.168.255.2
inet6 fe80::5efe:ac1e:2e5  prefixlen 64  scopeid 0x20<link>
unspec AC-1E-02-E5-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
RX packets 6  bytes 420 (420.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 6  bytes 444 (444.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

From GRE-2 instance: ifconfig gre2

gre2: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
inet 192.168.255.2  netmask 255.255.255.255  destination 192.168.255.1
inet6 fe80::5efe:ac1e:274  prefixlen 64  scopeid 0x20<link>
unspec AC-1E-02-74-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
RX packets 3  bytes 252 (252.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 6  bytes 444 (444.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
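The ifconfig output above carries more than the inner addresses: the MTU of 8977 is the 9001-byte jumbo-frame underlay minus the 20-byte outer IP header and the 4-byte GRE header, and the first four bytes of the "unspec" link-layer address are the tunnel's local outer IPv4 address (AC-1E-02-E5 is 172.30.2.229, the same address that the fe80::5efe:ac1e:2e5 link-local address embeds). The script below is an added example, not part of the original post: it parses an ifconfig dump for gre2 and verifies flags, inner and peer addresses, outer address and MTU against the configured values. The embedded sample is a copy of the GRE-1 output above; the 9001 underlay MTU and 172.30.2.229 as GRE-1's private address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify a gre2 interface's live
# state against the values configured in ifcfg-gre2. SAMPLE is a copy of the
# GRE-1 "ifconfig gre2" output from the post, embedded so the checks can be
# exercised offline; on a real host feed it "$(ifconfig gre2)" instead.
# Assumed values: a 9001-byte underlay MTU (EC2 jumbo frames) and
# 172.30.2.229 as GRE-1's private VPC address.

SAMPLE='gre2: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
inet 192.168.255.1  netmask 255.255.255.255  destination 192.168.255.2
inet6 fe80::5efe:ac1e:2e5  prefixlen 64  scopeid 0x20<link>
unspec AC-1E-02-E5-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
RX packets 6  bytes 420 (420.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 6  bytes 444 (444.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0'

# Each extractor reads an ifconfig dump on stdin and prints one value.
gre_field_flags() { sed -n 's/.*flags=[0-9]*<\([^>]*\)>.*/\1/p' | head -n 1; }
gre_field_mtu()   { sed -n 's/.*mtu \([0-9]*\).*/\1/p' | head -n 1; }
gre_field_inet()  { sed -n 's/^ *inet \([0-9.]*\) .*/\1/p' | head -n 1; }
gre_field_peer()  { sed -n 's/.*destination \([0-9.]*\).*/\1/p' | head -n 1; }

# For an ipgre device the kernel stores the tunnel's local (outer) IPv4
# address as the first four bytes of the link-layer address, which ifconfig
# prints on the "unspec" line; the bytes after them are padding.
# AC-1E-02-E5 decodes to 172.30.2.229.
gre_field_outer() {
    sed -n 's/^ *unspec \([0-9A-Fa-f][0-9A-Fa-f]\)-\([0-9A-Fa-f][0-9A-Fa-f]\)-\([0-9A-Fa-f][0-9A-Fa-f]\)-\([0-9A-Fa-f][0-9A-Fa-f]\)-.*/\1 \2 \3 \4/p' |
    head -n 1 | while read -r a b c d; do
        printf '%d.%d.%d.%d\n' "0x$a" "0x$b" "0x$c" "0x$d"
    done
}

# Compare the dump on stdin with the configured inner, peer and outer
# addresses and the underlay MTU; report the first mismatch and return 1.
gre_verify() {
    exp_inner=$1; exp_peer=$2; exp_outer=$3; exp_mtu=$(( $4 - 20 - 4 ))
    dump=$(cat)
    flags=$(printf '%s\n' "$dump" | gre_field_flags)
    for want in UP RUNNING; do
        case ",$flags," in
            *,$want,*) ;;
            *) echo "gre2 is not $want (flags: $flags)" >&2; return 1 ;;
        esac
    done
    got=$(printf '%s\n' "$dump" | gre_field_inet)
    [ "$got" = "$exp_inner" ] || { echo "inner address is '$got', expected $exp_inner" >&2; return 1; }
    got=$(printf '%s\n' "$dump" | gre_field_peer)
    [ "$got" = "$exp_peer" ] || { echo "peer address is '$got', expected $exp_peer" >&2; return 1; }
    got=$(printf '%s\n' "$dump" | gre_field_outer)
    [ "$got" = "$exp_outer" ] || { echo "outer (local) address is '$got', expected $exp_outer" >&2; return 1; }
    got=$(printf '%s\n' "$dump" | gre_field_mtu)
    [ "$got" = "$exp_mtu" ] || { echo "mtu is '$got', expected $exp_mtu (underlay $4 minus 20-byte IP and 4-byte GRE headers)" >&2; return 1; }
}

# Check GRE-1 against its assumed configuration; exit status 0 means it matches.
printf '%s\n' "$SAMPLE" | gre_verify 192.168.255.1 192.168.255.2 172.30.2.229 9001 \
    && echo "gre2 on GRE-1 matches its configuration"
```

On GRE-2 the call is gre_verify 192.168.255.2 192.168.255.1 <GRE-2 private IP> 9001, and the unspec line there (AC-1E-02-74) decodes to 172.30.2.116. An MTU mismatch usually means the underlay is not the 9001-byte jumbo-frame size you expected, which matters because GRE adds 24 bytes that the inner application never sees.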

From the GRE-1 instance, ping the GRE-2 tunnel address (ping -c 6 192.168.255.2) and note the latency:

PING 192.168.255.2 (192.168.255.2) 56(84) bytes of data.
64 bytes from 192.168.255.2: icmp_seq=1 ttl=64 time=0.186 ms
64 bytes from 192.168.255.2: icmp_seq=2 ttl=64 time=0.191 ms
64 bytes from 192.168.255.2: icmp_seq=3 ttl=64 time=0.173 ms
64 bytes from 192.168.255.2: icmp_seq=4 ttl=64 time=0.170 ms
64 bytes from 192.168.255.2: icmp_seq=5 ttl=64 time=0.187 ms
64 bytes from 192.168.255.2: icmp_seq=6 ttl=64 time=0.161 ms

From the GRE-2 instance, ping the GRE-1 tunnel address (ping -c 6 192.168.255.1) and note the latency:

PING 192.168.255.1 (192.168.255.1) 56(84) bytes of data.
64 bytes from 192.168.255.1: icmp_seq=1 ttl=64 time=0.188 ms
64 bytes from 192.168.255.1: icmp_seq=2 ttl=64 time=0.155 ms
64 bytes from 192.168.255.1: icmp_seq=3 ttl=64 time=0.186 ms
64 bytes from 192.168.255.1: icmp_seq=4 ttl=64 time=0.157 ms
64 bytes from 192.168.255.1: icmp_seq=5 ttl=64 time=0.177 ms
64 bytes from 192.168.255.1: icmp_seq=6 ttl=64 time=0.165 ms

You have now established a GRE tunnel on AWS EC2 with Enhanced Networking and a placement group keeping the round-trip time below 0.2 ms. Keep in mind what GRE does not provide: the encapsulated traffic is neither encrypted nor authenticated, so keep the protocol-47 rule in GRE-SG restricted to the peer and, if the inner traffic needs confidentiality or integrity, run it over IPsec rather than bare GRE.

Monica Avellino

Marketing Lead, Israel
