Cato Networks Knowledge Base

Search

Configuring an AWS vSocket Site

  • Updated

Overview of AWS vSockets

You can connect your AWS VPC to Cato using an IPsec tunnel or a virtual Socket (vSocket). This article describes how to deploy a (vSocket) on an EC2 instance.

The vSocket provides these advantages :

  • Bandwidth management control and QoS

  • Maximizes connectivity to PoPs in the Cato Cloud

  • Support for high availability configurations

For more information about vSocket and IPsec sites, see Selecting the Connection Type for a Site.

This article assumes that you already have a VPC in your AWS environment.

Prerequisites

  • Contact Cato Support and open a ticket for the Amazon AMI Request. Make sure that you provide the AWS account ID and region for the vSocket

  • You must have admin permissions to the AWS dashboard and the Cato Management Application

  • Make sure the environment meets the requirements listed inĀ Cato Socket Connection Prerequisites

AWS Limitations

AWS doesn't support these networking features:

  • VLAN ranges

  • DHCP ranges

High Level Overview of Creating the AWS vSocket

  1. In the Cato Management Application, create a new site for the AWS vSocket.

  2. In AWS, create the virtual network resources for the vSocket instance.

  3. Launch the vSocket instance from the Cato AMI image that you received from Support.

  4. Verify that the vSocket is connected to your account.

Creating the vSocket Site in the Cato Management Application

Create the AWS vSocket site in the Cato Management Application, and the serial number for the vSocket is generated. This serial number is used when you launch the EC2 instance.

The Local IP for the vSocket must be the same as the IP address for the LAN interface on the EC2 instance. The first three IP addresses of the subnet are reserved by the VPC.

After you create the site, the Cato Management Application automatically generates a unique serial number for the new vSocket. You need to enter this serial number when you launch the EC2 instance (see below Launching the Instance with the Cato AMI).

Creating a New AWS Site

To create the site for the AWS vSocket:

  1. In the Cato Management Application, from the navigation menu select Network > Sites.

  2. Click New. The Add Site panel opens.

    awsSocketsite.png

  3. Configure the General settings for the site:

    1. Enter the Site Name.

    2. Select the Site Type. This option determines which icon is used for the site in the Topology window.

    3. Select vSocket AWS for the Connection Type.

    4. Configure the Configure the Country, State, and Time Zone to set the time frame for the Maintenance Window. Country, and State.

  4. Configure the WAN Interface Settings, including the Downstream and Upstream bandwidth according to your ISP bandwidth.

  5. Configure the LAN Interface Settings, including the Native Range for the AWS site. This setting must be the same as the LAN subnet IP range in AWS (see below Creating the MGMT, WAN, and LAN Subnets).

  6. Click Apply. The site is added to the Sites list.

Copying the vSocket Serial Number

The Cato Management Application automatically generates a unique serial number for the new vSocket. You need to enter this serial number (S/N) is used during when you launch the EC2 instance (see below Launching the Instance with the Cato AMI).

To copy the serial number:

  1. From the navigation menu, select Network > Sites, and select the site.

  2. From the navigation menu, select Site Settings > Socket.

  3. Copy the S/N for the vSocket.

    You need to enter this serial number when you launch the vSocket instance.

Creating the AWS Virtual Resources

Create these virtual resources for the vSocket instance:

  • Internet gateway

  • Three subnets - WAN, LAN, and MGMT

  • Security group(s) to manage inbound and outbound communication

  • Three interfaces (ENIs) - WAN, LAN, and MGMT

  • Two route tables - Internet and LAN

  • Two Elastic IPs (for WAN and MGMT interfaces)

Note

Note: You can automate the deployment of your virtual resources with an AWS CloudFormation template. See below Automating AWS Virtual Resources Deployment.

Defining the Internet Gateway for the VPC

Use the AWS Virtual Private Cloud (VPC) dashboard to create a new Internet gateway and attach it to your VPC.

01_VPC_Dashboard.png

To create the new Internet gateway and attach it to the VPC:

  1. From the VPC dashboard, in the navigation menu select Virtual Private Cloud > Internet Gateways.

  2. Click Create internet gateway.

  3. In Name tag, enter the name for the Internet gateway.

  4. Click Create internet gateway. The VPC dashboard shows the details for the Internet gateway.

    01a_Attach_IGW.png

  5. From the Actions drop-down menu, select Attach to VPC.

  6. In the Attach to VPC window, in the Available VPCs section, select the VPC.

  7. Click Attach internet gateway. The Internet gateway is attached to your VPC.

Creating the MGMT, WAN, and LAN Subnets

Create these subnets in the AWS and then they are automatically attached to the VPC:

  • MGMT subnet

  • WAN subnet

  • LAN subnet - this is the same as the Native Range for the site.

Make sure that all the subnets are in the same AWS Availability Zone.

02_CreateSubnet.png

To create the subnet for the AWS vSocket:

  1. From the VPC dashboard, in the navigation menu select Virtual Private Cloud > Subnets.

  2. Click Create subnet.

  3. From the Create subnet window, in the VPC section, select the VPC ID.

  4. Configure the settings for the subnet:

    1. Enter the Subnet name.

    2. Select the Availability Zone for the subnet.

    3. Enter the IPv4 CIDR block for the subnet. For the LAN subnet - this is the same value as the Native Range for the site.

  5. To add additional subnets, click Add new subnet and repeat the previous step 4.

  6. Click Create subnet. AWS creates the subnets and attaches them to the VPC.

Configuring the Security Groups

Make sure that the security groups rules for the LAN, WAN, and MGMT traffic, meet these requirements:

  • Outbound rules - allow the following ports for the WAN and MGMT subnet so the traffic can reach the Cato Cloud

    • HTTPS - TCP port 443 to destination ANY

    • DTLS - UDP port 443 to destination ANY

  • Inbound rules - in some troubleshooting scenarios, you may need to temporarily open ports TCP/22 and TCP/443 from a specific IP address to the MGMT subnet

Creating the MGMT, WAN, and LAN Interfaces

Create the MGMT, WAN, and LAN interfaces for the vSocket for the EC2 instance. Use the EC2 dashboard to create the interfaces.

Set the Custom IP address for the LAN interface to the same IP address as the Local IP for the Native Range.

You need to disable AWS source/destination checking on the LAN interface to allow the EC2 instance to perform traffic forwarding.

Note

Note: To ensure proper vSocket behavior, make sure that you enable the DHCP options for the VPC are enabled and that they provide the DNS settings.

04_LAN_NIC.png

To create the network interface (ENI):

  1. From the EC2 dashboard, in the navigation menu select Network & Security > Network Interfaces.

  2. Click Create network interface.

  3. In the Create network interface window, select the LAN Subnet.

  4. (Optional for the LAN interface) In Private IPv4 address, click Custom and enter the Local IP for the Native Range.

  5. In Security groups, select the appropriate security group for the interface.

  6. Click Create network interface. AWS creates the interface.

  7. Repeat the previous steps for the WAN and MGMT interface.

  8. For the LAN interface, disable AWS source/destination tracking:

    1. In the Network Interfaces window, right-click the LAN interface and select Change source/dest. check.

      05_LAN_INT_source-dest.png

    2. In the Change source/destination check window, clear Enable.

    3. Click Save.

Creating the Route Tables

Create new or use existing VPC route tables for the vSocket traffic:

  • Private route table for the LAN subnets

    • Attach the LAN subnet

    • Define the Socket LAN ENI as the target (next hop) for the default route

  • A single Internet route table for the MGMT and WAN subnets. This route table is used to provide connectivity between the vSocket and the Cato Cloud resources.

    • Attach the WAN and MGMT subnets

    • Define the Internet Gateway as the target (next hop) for the default route

To create the Internet and LAN route tables:

  1. From the VPC dashboard, in the navigation menu select Virtual Private Cloud > Route Tables.

  2. Click Create route table.

  3. In Name tag, enter the name for the Internet or LAN route table.

  4. Select the VPC for the vSocket.

  5. Click Create. The route table is added to the VPC.

  6. Associate the WAN and MGMT subnets to the Internet route table, or the LAN subnet to the LAN route table.

    1. Right-click the route table and select Edit subnet associations. This is an example of the Internet route table.

      06_Internet_route_table.png

    2. In the Edit subnet associations window:

      • For the Internet route table, select the MGMT and WAN subnets

      • For the LAN route table, select the LAN subnet

    3. Click Save. The subnets are associated with the route table.

  7. Add the default route to each route table (first configure the Internet route table and then the LAN).

    1. Right-click the route table, and select Edit routes. The following screenshot shows the Internet route table:

      06_InternetGW_route.png

    2. Click Add route.

    3. Set the Destination for the new route to 0.0.0.0/0.

    4. In Target, select the next hop for the Internet or LAN route table:

      • For the Internet route table, select Internet Gateway and choose the Internet gateway for the VPC

      • For the LAN route table, select Network Interface and choose the LAN ENI. The following screenshot shows the LAN route table:

      LAN_RouteTable.png

    5. Click Save changes.

    6. The window shows that the route was successfully created, click Close.

  8. Repeat the previous steps for the LAN route table.

Associating Elastic IP Addresses with an Interface

Create and associate Elastic IP addresses with the WAN and MGMT interfaces. You can use a public IP address that is allocated from Amazon's pool of IPv4 addresses.

To allocate an Elastic IP address:

  1. From the EC2 dashboard, in the navigation menu select Network & Security > Elastic IPs.

  2. Click Allocate Elastic IP address.

  3. For the Public IPv4 address pool, select Amazon's pool of IPv4 addresses.

  4. Click Allocate. The Elastic IP is allocated.

  5. Select the Elastic IP, and select Actions > Associate Elastic IP address.

    07_associate_Elastic.png

  6. In the Associate Elastic IP address window, in Resource type, select Network interface.

  7. In Network interface, select the WAN or MGMT interface.

  8. Click Associate. The Elastic IP is associated with the interface.

  9. Repeat the previous steps for the MGMT interface.

Automating AWS Virtual Resources Deployment

In AWS, you can use CloudFormation templates for a quick and easy deployment of your virtual resources for the vSocket.

An example template for use is available here. This template can be used for a vSocket deployment.

The following are prerequisites to run the template:

  • You must submit a ticket to Cato Networks' Product Support in order to obtain the EC2 AMI for the Virtual Socket.

  • You must have an existing keypair or create one before you can execute the CloudFormation Stack template.

  • You must have a "Serial Number" for the Virtual Socket which can be obtained after creating the Site in the Cato Management Application.

To use the example CloudFormation template:

  1. Download the template yaml file attached to this article.

  2. Open the AWS console.

  3. Navigate to Services > CloudFormation.

  4. Click Create Stack.

  5. Choose Template is ready and upload the template file.

  6. Give the Stack a name and enter the values for each of the virtual resources.

  7. Click Next and Submit. The automated deployment will now run.

image.png

Configuring the EC2 Instance for the vSocket

After you create all the virtual resources that are necessary for the vSocket, launch the EC2 instance from the Cato vSocket AMI to create the vSocket.

Launching the Instance with the Cato AMI

Launch the EC2 instance using the vSocket AMI that you received from Cato Support.

Note

Note: To add the vSocket AMI to your AWS account, contact Cato Support and open a ticket for the Amazon AMI Request.

Make sure that the EC2 instance meets these requirements:

  • 4 vCPUs

  • 8 GB RAM (8 GiB)

  • 4 ENIs (network interfaces)

The following EC2 instance types are certified for vSockets:

  • c5.xlarge

  • c5n.xlarge (Suggested for higher performance sites with bandwidth above 2Gbps)

You need to enter the serial number (S/N) for the AWS site in the Cato Management Application to the AMI wizard.

To launch the EC2 instance:

  1. From the EC2 dashboard, in the navigation menu select Instances > Instances.

  2. Click Launch instances.

  3. From the Step 1: Choose an Amazon Machine Image (AMI) window, select My AMIs.

  4. In the Ownership filter, select Shared with me.

    AMI_step1.png

  5. Find the VSOCKET-AWS-<version number> AMI, and click Select.

  6. From the Step 2: Choose an Instance Type window, select the instance type and click Next: Configure Instance Details.

  7. From the Step 3: Configure Instance Details window, configure these settings for the vSocket instance:

    AMI_step3_subnet.png

    1. In Network, select the VPC.

    2. In Subnet, select the MGMT subnet.

    3. In the Network interfaces section, for eth0 select the MGMT ENI.

    4. In the Advanced Details section, in User data enter the S/N for the AWS site.

      AMI_step3_advanced.png

      In the example above, the S/N is: A1-B2-C3-D4-E5-F6.

    5. Click Next: Add Storage.

  8. From the Step 4: Add Storage window, configure these settings for the SSD:

    • Size (GiB) - 16

    • Volume Type - General Purpose SSD (gp2)

  9. Click Next: Add Tags, and then click Next: Configure Security Group.

  10. From the Step 6: Configure Security Group window, select the WAN security group.

    1. In Assign a security group, choose Select an existing security group.

    2. Select the appropriate security group for traffic to the MGMT interface. For example, you can choose the MGMT security group.

    3. Click Review and Launch.

      If you see a warning message regarding port 22, you can ignore this message. Port 22 is only needed to troubleshoot the vSocket.

  11. From the Step 7: Review Instance Launch window, review the settings and click Launch.

  12. In the Select an existing key pair or create a new key pair window, use an existing key or create and download a new one.

  13. Click Launch Instances.

Attaching the Interfaces to the vSocket Instance

After the vSocket instance launches, the MGMT interface is attached to it. Stop the instance and then attach the remaining WAN and LAN interfaces to the instance.

Note

Note: Make sure that the EC2 instance is stopped and that first you attach the WAN interface first, and then the LAN interface.

To attach the interfaces to the vSocket instance:

  1. From the EC2 dashboard, in the navigation menu select Instances > Instances.

  2. Right-click the vSocket instance and select Stop instance.

  3. In the confirmation window, click Stop. Refresh the window and confirm that the Instance state is Stopped.

  4. In the navigation menu select Network & Security > Network Interfaces.

  5. Attach the WAN and LAN interfaces to the instance:

    1. Right-click the WAN interface, and select Attach interface.

    2. In the Attach network interface window, in Instance select the vSocket instance.

    3. Click Attach.

    4. Repeat the previous three steps for the LAN interface.

Completing the vSocket Installation

After you attach the interfaces to the vSocket, start the instance and confirm that it connects to the Cato Cloud. After the vSocket connects to the Cato Cloud, it automatically updates to the newest Socket version.

To complete the vSocket installation:

  1. From the EC2 dashboard, in the navigation menu select Instances > Instances.

  2. Right-click the vSocket instance and select Start instance.

  3. In the Cato Management Application, select My Network > Topology.

  4. Confirm that the AWS site is connected to the Cato Cloud.

Connecting to the Socket WebUI

If you need to log in to the Socket WebUI, use these settings:

  • Use the MGMT Elastic IP address as the public IP address for the vSocket

  • Username is admin

  • The default password is the Instance ID for the vSocket EC2 instance

Routing Traffic to the EC2 Instances

If your application EC2 instances are associated to a non-Native Range subnet (a subnet which is not the vSocket LAN interface subnet), in the Cato Management Application add a routed range in the Networks section for the site.

To route traffic to the EC2 instance:

  1. From the navigation menu, select Network > Sites, and select the site.

  2. From the navigation menu, select Site Settings > Networks.

  3. In the LAN section, click New. The New IP range panel opens.

  4. Enter the Name for the IP range.

  5. Set the Type of range to Routed.

  6. Enter the Subnet IP Range.

  7. Set the Gateway IP to the VPC router, which is the first host IP address of the Native Range subnet.

  8. (Optional) Configure the Static NAT for the range.

  9. Click Apply. The range is added to the Networks screen.

awsiprange.png

The screenshot above shows these sample settings for the Routed range:

  • Native Range - 10.0.2.0/24

  • Routed range - 10.0.26.0/24

  • Gateway IP - 10.0.2.1

Was this article helpful?

4 out of 4 found this helpful

Comments

0 comments

Please sign in to leave a comment.