Step by Step on How to Set Up a GRE Tunnel on AWS EC2
By: David Partow
This guide walks through the steps required to establish a GRE tunnel between two Linux hosts. Since AWS blocks broadcast traffic, setting up a GRE tunnel may be a good way to create an artificial broadcast path for certain applications. In addition, you may want to use an instance type which supports Enhanced Networking and to place the two instances into a placement group to achieve lower latency between them.
For this particular example, we will use an instance type which supports Enhanced Networking and is an EBS optimized-instance.
For more information about Enhanced Networking in AWS, refer to the following link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html
For more information about EBS-Optimized Instances, refer to the following link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html
Prerequisites:
- Basic knowledge of Linux (including compiling software), the AWS console and its CLI tools
- VPC already built
- IAM account with Administrator access to EC2
- 2x AWS EC2 c4.8xlarge instances with Red Hat Enterprise 7.0 (HVM)
- Enhanced Networking feature
- 2x Elastic IP’s
Duration: 30-45 Minutes
1. Launch Red Hat Enterprise Linux 7.0 (HVM), SSD instances. – ami-8cff51fb
2. Choose the instance type: c4.8xlarge.
3. Change the number of instances from 1 to 2. Select your VPC and subnet, create a new placement group and name it, and ensure EBS-optimized instance is enabled.
4. Accept or modify the default storage volume to your needs.
5. Name your instances. For this example, I have chosen GRE.
6. Create a new security group and name it GRE-SG. Allow SSH access only from your system's IP, e.g. your external office IP address, or from a security group containing your VPN access.
7. Confirm the specifications for the instance and continue the next step with creating or using an existing keypair for your instances. Then launch your new instances. Once you see the instances are launched, you can proceed to assign the two instances Elastic IP addresses.
8. Assign an Elastic IP address for each instance so you will be able to access the instances over SSH. This is required if you do not have a VPN connection to your VPC.
9. Now you can connect to your instances over SSH. Open a terminal (Mac and Linux) or a PuTTY session (Windows).
10. Perform the following:
sudo su -
yum update
yum install rpm-build
yum install wget
yum install kernel-headers
yum install kernel-devel
yum install gcc
reboot
11. SSH back into your instances.
sudo su -
cd /tmp
wget https://downloads.sourceforge.net/project/e1000/ixgbevf%20stable/2.16.1/ixgbevf-2.16.1.tar.gz
rpmbuild -tb ixgbevf-2.16.1.tar.gz
rpm -ivh /root/rpmbuild/RPMS/x86_64/ixgbevf-2.16.1-1.x86_64.rpm
depmod
cd /boot
dracut -f
rpm -qa | grep -E '^systemd-[0-9]+|^udev-[0-9]+'
sed -i '/^GRUB_CMDLINE_LINUX/s/"$/ net.ifnames=0"/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
vi /etc/sysconfig/network-scripts/ifcfg-gre2
Add the following to the file…
ONBOOT=yes
DEVICE=gre2
TYPE=GRE
MY_INNER_IPADDR=192.168.255.1
MY_OUTER_IPADDR=<Your EC2 IP address here>
PEER_INNER_IPADDR=192.168.255.2
PEER_OUTER_IPADDR=<The other node EC2 IP address>
Save changes and quit —> :wq!
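The ifcfg-gre2 file has to be written on both nodes with the MY_ and PEER_ values swapped, and a hand-made mistake there leaves the interface UP but without traffic. The following shell script is an added example and not part of the original guide: it generates the file from four addresses, rejects anything that is not an IPv4 dotted quad (such as a placeholder that was never replaced), and checks that two generated files mirror each other. The outer addresses 172.30.2.229 and 172.30.2.116 are constructed sample values, decoded from the hex hardware addresses in the ifconfig output later in the guide, and are assumed to be the two instances' VPC private addresses. GRE itself adds no encryption or authentication, so keeping the outer endpoints on private addresses behind the security group is the only protection the tunnel has.

```shell
# Added example (not from the original guide): generate ifcfg-gre2 for each
# node and verify that the two files are mirror images of each other.
# All addresses are constructed sample values; the 172.30.x.x outer addresses
# are assumed to be the instances' VPC private IPs.

# is_ipv4 ADDR : succeed only for a dotted quad with every octet in 0-255
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# gre_ifcfg MY_INNER MY_OUTER PEER_INNER PEER_OUTER : print the ifcfg-gre2
# body used in the guide for one node; fail if any address is malformed.
gre_ifcfg() {
    for a in "$1" "$2" "$3" "$4"; do
        is_ipv4 "$a" || { echo "gre_ifcfg: bad address: $a" >&2; return 1; }
    done
    printf 'ONBOOT=yes\nDEVICE=gre2\nTYPE=GRE\n'
    printf 'MY_INNER_IPADDR=%s\nMY_OUTER_IPADDR=%s\n' "$1" "$2"
    printf 'PEER_INNER_IPADDR=%s\nPEER_OUTER_IPADDR=%s\n' "$3" "$4"
}

# cfg_get FILE KEY : print the value of KEY=value from an ifcfg file
cfg_get() {
    sed -n "s/^$2=//p" "$1"
}

# gre_pair_ok FILE_A FILE_B : succeed when each node's PEER_* addresses
# equal the other node's MY_* addresses, in both directions.
gre_pair_ok() {
    [ "$(cfg_get "$1" PEER_INNER_IPADDR)" = "$(cfg_get "$2" MY_INNER_IPADDR)" ] &&
    [ "$(cfg_get "$1" PEER_OUTER_IPADDR)" = "$(cfg_get "$2" MY_OUTER_IPADDR)" ] &&
    [ "$(cfg_get "$2" PEER_INNER_IPADDR)" = "$(cfg_get "$1" MY_INNER_IPADDR)" ] &&
    [ "$(cfg_get "$2" PEER_OUTER_IPADDR)" = "$(cfg_get "$1" MY_OUTER_IPADDR)" ]
}

# Constructed sample: the two nodes of the guide, written to temporary files.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
gre_ifcfg 192.168.255.1 172.30.2.229 192.168.255.2 172.30.2.116 > "$TMPD/gre1"
gre_ifcfg 192.168.255.2 172.30.2.116 192.168.255.1 172.30.2.229 > "$TMPD/gre2"
# Deliberately broken second node: its PEER_OUTER_IPADDR points at the wrong host.
gre_ifcfg 192.168.255.2 172.30.2.116 192.168.255.1 172.30.2.230 > "$TMPD/bad"

# Stand-alone run: report whether the good pair and the broken pair line up.
gre_pair_ok "$TMPD/gre1" "$TMPD/gre2" && echo "gre1/gre2: consistent"
gre_pair_ok "$TMPD/gre1" "$TMPD/bad"  || echo "gre1/bad: mismatch"
```

Run it once on the workstation before copying the generated files to the two instances; a file that fails is_ipv4 still contains the guide's placeholder text and would be silently ignored by the network scripts.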
At this point, you should perform the above steps on the second instance you have launched.
After all of the above steps have been completed on the second instance, you may now “Stop” both instances in the AWS Console or CLI.
Next, you need the EC2 CLI tools installed on your system. If they are not, follow the AWS instructions: https://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/set-up-ec2-cli-linux.html#setting_up_ec2_command_linux
Once you have finished configuring the EC2 tools, you have to enable the Enhanced Networking feature through the CLI. At this time, you cannot enable this feature through the AWS console.
Perform the following on your system after successful installation of AWS’s EC2 tools…
export EC2_HOME=/usr/local/ec2/ec2-api-tools-1.7.1.3/
export PATH=$PATH:$EC2_HOME/bin
If you do not already have an IAM account, please create one. For more information on how to create an IAM account, you can refer to the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SettingUpUser.html
The IAM account you created will need a user policy for Administrator Access on EC2.
Now we can change the attribute for the instance to Enhanced Networking. Ensure both instances are in “Stop” state.
ec2-modify-instance-attribute <Instance ID> --sriov simple --region <Your region>
After executing the above command, a successful run prints:
sriovNetSupport <Instance ID> simple
You can now start both instances in AWS Console or the CLI.
SSH into both instances
From GRE-1 instance: ifconfig gre2
gre2: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
        inet 192.168.255.1  netmask 255.255.255.255  destination 192.168.255.2
        inet6 fe80::5efe:ac1e:2e5  prefixlen 64  scopeid 0x20<link>
        unspec AC-1E-02-E5-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
        RX packets 6  bytes 420 (420.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 444 (444.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
From GRE-2 instance: ifconfig gre2
gre2: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
        inet 192.168.255.2  netmask 255.255.255.255  destination 192.168.255.1
        inet6 fe80::5efe:ac1e:274  prefixlen 64  scopeid 0x20<link>
        unspec AC-1E-02-74-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
        RX packets 3  bytes 252 (252.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 444 (444.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
From the GRE-1 instance, ping the GRE-2 tunnel IP and note the low latency:
PING 192.168.255.2 (192.168.255.2) 56(84) bytes of data.
64 bytes from 192.168.255.2: icmp_seq=1 ttl=64 time=0.186 ms
64 bytes from 192.168.255.2: icmp_seq=2 ttl=64 time=0.191 ms
64 bytes from 192.168.255.2: icmp_seq=3 ttl=64 time=0.173 ms
64 bytes from 192.168.255.2: icmp_seq=4 ttl=64 time=0.170 ms
64 bytes from 192.168.255.2: icmp_seq=5 ttl=64 time=0.187 ms
64 bytes from 192.168.255.2: icmp_seq=6 ttl=64 time=0.161 ms
From the GRE-2 instance, ping the GRE-1 tunnel IP and note the low latency:
PING 192.168.255.1 (192.168.255.1) 56(84) bytes of data.
64 bytes from 192.168.255.1: icmp_seq=1 ttl=64 time=0.188 ms
64 bytes from 192.168.255.1: icmp_seq=2 ttl=64 time=0.155 ms
64 bytes from 192.168.255.1: icmp_seq=3 ttl=64 time=0.186 ms
64 bytes from 192.168.255.1: icmp_seq=4 ttl=64 time=0.157 ms
64 bytes from 192.168.255.1: icmp_seq=5 ttl=64 time=0.177 ms
64 bytes from 192.168.255.1: icmp_seq=6 ttl=64 time=0.165 ms
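The ifconfig and ping checks above are done by eye in the guide. The following shell functions are an added example, not part of the original guide, that perform both checks from the command output: the interface must report UP and RUNNING, carry the expected local and destination addresses, and show at least one received packet (the only line that proves the far end reaches this node), and every ping reply must stay under a chosen RTT limit. The sample outputs embedded below are the GRE-1 outputs shown above, plus a constructed failure case for a tunnel that is UP but has received nothing, which is what a wrong PEER_OUTER_IPADDR or a security group that does not permit GRE between the two instances looks like.

```shell
# Added example (not from the original guide): verify the guide's two checks
# from the text of `ifconfig gre2` and `ping`. The sample data are the
# guide's own outputs plus one constructed failure case.

# gre_iface_ok IFCONFIG_TEXT LOCAL PEER : succeed when the interface is UP and
# RUNNING, its inet address is LOCAL, its destination is PEER, and RX packets
# is greater than zero.
gre_iface_ok() {
    printf '%s\n' "$1" | awk -v me="$2" -v peer="$3" '
        /flags=/ && /UP/ && /RUNNING/ { up = 1 }
        $1 == "inet" && $2 == me && $5 == "destination" && $6 == peer { addr = 1 }
        $1 == "RX" && $2 == "packets" { rx = $3 + 0 }
        END { exit (up && addr && rx > 0) ? 0 : 1 }'
}

# ping_max_rtt PING_TEXT : print the largest "time=X ms" value; fail when
# the output contains no reply line at all (a blackholed tunnel looks like this).
ping_max_rtt() {
    printf '%s\n' "$1" | awk '
        /icmp_seq=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^time=/) {
                    sub(/^time=/, "", $i)
                    if ($i + 0 > max) max = $i + 0
                    n++
                }
        }
        END { if (n == 0) exit 1; printf "%.3f\n", max }'
}

# tunnel_latency_ok PING_TEXT LIMIT_MS : succeed when every reply is at or
# below LIMIT_MS milliseconds.
tunnel_latency_ok() {
    m=$(ping_max_rtt "$1") || return 1
    awk -v m="$m" -v lim="$2" 'BEGIN { exit (m + 0 <= lim + 0) ? 0 : 1 }'
}

# Sample: the GRE-1 `ifconfig gre2` output from the guide.
sample_ifconfig_gre1() {
    cat <<'EOF'
gre2: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
        inet 192.168.255.1  netmask 255.255.255.255  destination 192.168.255.2
        inet6 fe80::5efe:ac1e:2e5  prefixlen 64  scopeid 0x20<link>
        unspec AC-1E-02-E5-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
        RX packets 6  bytes 420 (420.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 444 (444.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
EOF
}

# Constructed failure case: interface is UP, packets leave, nothing comes back.
sample_ifconfig_no_rx() {
    cat <<'EOF'
gre2: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
        inet 192.168.255.1  netmask 255.255.255.255  destination 192.168.255.2
        RX packets 0  bytes 0 (0.0 B)
        TX packets 6  bytes 444 (444.0 B)
EOF
}

# Sample: the first three replies of the GRE-1 ping in the guide.
sample_ping_gre1() {
    cat <<'EOF'
PING 192.168.255.2 (192.168.255.2) 56(84) bytes of data.
64 bytes from 192.168.255.2: icmp_seq=1 ttl=64 time=0.186 ms
64 bytes from 192.168.255.2: icmp_seq=2 ttl=64 time=0.191 ms
64 bytes from 192.168.255.2: icmp_seq=3 ttl=64 time=0.173 ms
EOF
}

# Constructed failure case: ping header only, no replies.
sample_ping_noreply() {
    echo 'PING 192.168.255.2 (192.168.255.2) 56(84) bytes of data.'
}

# Stand-alone run: report the checks for the guide's GRE-1 output.
if gre_iface_ok "$(sample_ifconfig_gre1)" 192.168.255.1 192.168.255.2; then
    echo "gre2: up, addresses correct, traffic received"
fi
echo "max RTT: $(ping_max_rtt "$(sample_ping_gre1)") ms"
```

On a live node, feed the real output in with `gre_iface_ok "$(ifconfig gre2)" 192.168.255.1 192.168.255.2` and `tunnel_latency_ok "$(ping -c 6 192.168.255.2)" 1`; the RX-packets condition is the one worth keeping in a health check, because a tunnel whose outer peer is wrong still reports UP and RUNNING.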
Congratulations! You have now established a GRE tunnel on AWS EC2 with optimal performance.