AWS and Azure Multi-Port Forward Setup and Configuration
What
Port forwarding or port address translation (PAT) is a method of changing the destination port of network traffic by using a forward proxy.
Network address translation (NAT) is the process of redirecting inbound network traffic destined for an exposed public IP address, to internal private non-routable IP addresses. The process is then reversed when the internal IPs communicate with external IPs.
Why
The Multi-Port Forward Server serves both purposes of NAT-ing at PAT-ing when multiple streams of traffic need to be redirected. This is especially useful in the following scenarios:
- Numerous internal servers listen on the same port, but must all be internet-exposed on a single IP address
- Only one IP address can be whitelisted but multiple external hosts need to be accessed
- Access to internal systems is needed externally, and traffic must traverse on port 443 or 80 to bypass a network firewall dropping all other ports
How
For this tutorial we will deploy a single Multi-Port Forward Server that redirects inbound traffic to multiple hosts internally and externally.
Let’s assume the following network architecture:
- A VPC or subscription configured with a 172.31.0.0/16 CIDR range
-
Two subnets configured:
- One private, with no internet access (172.31.1.0/24)
- One public, with an internet gateway configured for internet access (172.31.0.0/24)
' width='769' height='97' xlink:href='data:image/png%3bbase64%2ciVBORw0KGgoAAAANSUhEUgAAAEAAAAAICAYAAABJYvnfAAAACXBIWXMAAAsSAAALEgHS3X78AAAEl0lEQVRIx41T2W4bRxDUx%2bYpv5A/CZAAeTOQGLBsixJFURQp3jeX3OW5973ci4coyZZV6ZklHcPI9dDomenq6uqembMoirBJY8RxhDAMkaQpdrsd9vs90iThZwzDLI7jr%2bvNZoPtdsuxCeGib2L/ZYznxJVSPV6LPKuVnYcZ5//k%2bzv%2bk2cak2Mf8XecLH6mWw5%2b/G2GhmgiClyUikXkC0UUCgWI0hRBEMBxXXieB1XV%2bL7X6%2bK6cI18Po/SXRml0h3K5TIcx4XremTuP5rv%2b1itVjBME8vFApdXV8jlchgMRwjWIRRVzWp023h3/h6dbhce5fwb56km02jbNgzDJC02LnMXuMoXUK1WUK7c4%2b3vb1BvdvgwLMsinIEzVdPw67WI0VSBYxkQRkM0mw20W01Mp1MCmjB0HaahQ1MVvpfEMVrNJsd0Oh0MB32eZxKhYWRY7s3T3oBFa/MYUxWFODXIqyXa7RZqtSpEccK51WONqSRhPBYgSWLGSxpOOr4341SPeeLVjzahfGE0Ir0TDIcDdDstzObzTBfDaCrOTHeNaB3AJm84a9h%2bDD/akG35mp2ZThYz3ZB7d53yeJDs4YcbvvfI67YPy4sIE3Csanrc65YP1XCz8yMPq8uw62iPgLjcIIHlRsd8qhGQjjCBQxp0pssL4ZDpdqblZCxmEZ914jz6jD9b237Ee2E6v%2b2Fxc7czQt%2b%2bEXCpRAjfQTKzRE%2bFGp4mytBdrYID4C/A4Jd5sMHoC8pOM9XcXlbx01tiJv7Dj5cV/CxUMUfuTJyxRpytw3kKz3k71q4vu9T/B6C7CGmGt72FRHxzNYRLhUB75ZdshbOV32sCMB0CMYB1%2bMEbXmP816Ei2GMWzFFkexW2uDjIMKVkOB9P0JhkuJiEKNFWJ/6CfaAFT2j0ZNQHyxQaYuodyfkJ1xTrtiEnbxgTbgzL/2EysTFgppd717gxE%2bQ7RiKQ7dKsWD7QqSfvxrb694WKzOC6qbQaK37W55jrg/kE8pNYJAKi6ZnUhUnfuYYnSboU77HuV5gJQes6JZX9Hrko9npM69hhM9YuAdYLJfWsv8IJXiCtn6CSl4Pn2BGz9zr7IyMNc1qMp1u8gyD6rG95m2gUj9ME9PAtJz6oQF8xs8lGx1lh3j/Bd3xkm5Y5X4wt%2bnmv5Dov4ztl%2bYazeEcvYmMwdTAcKqiM16h2hYoT0ZjMEdfVDCYGegIK7T6Eu4aIxL%2bSFN/pRdA09%2b9Qot3GHoOWraGhiWjaWkwSHhEGNl/wkB/wNQ%2b4H6WoiMTVtvTLW/RJa21%2bYZexw7laRZrLLeYWAd%2biQFx2zS40UwnfTr1o0FUPExlh3Qv0CLz2EuhfvgAfnojoSRFSA6vGFJSoz9Dqd5HU1D4M8maf%2bWefQFhYaBYG6BKz6ren6M9mqNFjVaaQ9R6U2p2SM9NoDMZXRpSg3D3HRFG9OkrX0h%2bGca4M%2ba40SQUNRG3%2bgxK8oiEaoj2I29OMB5QpWbvpJSa3KG12qFJxs7Yvk6Nt2S232JsHviNs%2b9qRzRAuoTRwkabtLFBjKYafYk5qh0JDvXNBvUnAsFC0sI/jO0AAAAASUVORK5CYII=' /%3e%3c/svg%3e)
- A Redshift cluster deployed to the private subnet which will be listening on its default TCP port, 5439
- An Ubuntu server deployed to the private subnet listening for inbound SSH connections on TCP port 22
-
A Port Forward Server appliance deployed to the public subnet will be listening on TCP ports 443, 80, 53, and 22
- Inbound TCP traffic on port 443 will be proxied to the Redshift server in the private subnet, destined for port 5439
- Inbound TCP traffic on port 80 will be proxied to the Ubuntu server in the private subnet, destined for port 22
- Inbound TCP traffic on port 53 will be proxied to portquiz.net, an external host listening on port 3389
' width='1347' height='71' xlink:href='data:image/png%3bbase64%2ciVBORw0KGgoAAAANSUhEUgAAAEAAAAADCAYAAAAjpQkcAAAACXBIWXMAAAsSAAALEgHS3X78AAABcUlEQVQoz11S2Y7EIAyb///CfdhLmmkpUEpPetcbp9vZI1IEJHGIDbchJSzLgiSrMQVirPU8z/PTeR6GAb34sszwZYB1Hs6XCFXU/PSvvus6FNZJbanOevbo%2bl7zoapgr7z0iXX9zMUYFRtCBVNY6dVjXVedrZDzI8uln0MpczB24WrpkQsH5s77ElqZg7m2bRXLeCUzKx/B3SjALAXjOKoAlTTc9x3btv1xEksq1qwXF0UBJ0M2cumxb9jXBdu6/AjWD1IjIlmP0pOIe97DPIcgOZLPcoNSyCbJkWgl4jBGAUiIBE8Bop7pFIjrhbtIGmsVx0eiANcDk6wT8sQ1badciLtN04wDwDRNMFmmQ1lpYoTg/ZEpUe75YrRNxAnDAtudfo8jXn2Pj3JAXo%2bap9nO4K18ge%2bt7tOU8Pr%2bqb/oOA59Le%2b9rA0uY5zOn3X5RYTGn0AM4xTyN47WNI2QdMohhPOX7t/zsJ7CUETWME/7Aulo3xM%2bZLxcAAAAAElFTkSuQmCC' /%3e%3c/svg%3e)
-
The VPC security group or subscription NSG needs to be configured to allow:
- Inbound ports 443, 80, 53, and 22 from an authorized IP address
-
Inbound ports 5439 and 22 from the public subnet into the private subnet
' width='1155' height='233' xlink:href='data:image/png%3bbase64%2ciVBORw0KGgoAAAANSUhEUgAAAEAAAAANCAYAAAAZr2hsAAAACXBIWXMAAAsSAAALEgHS3X78AAAEWUlEQVRIx92W2bLiRgyGef93Sio3SSpJzaQmmbOw23gBbDC22cyq6BNuxnA4NUlqchNTKnCrpdby/2pa3U5Hvvv%2bB/nw4aP88utv8umPP%2bXnH3%2bSj79/km1VyX6/l91u97%2bV1mQykefnF%2bl0u9LpdGUUhEJRBkNftlsKcGtAQd4rilt/pG/q7uXvBPrI7ltI63Q6SfNx7%2bfz2TYcDgc5Ho8m90EdjwfTY4O%2beqO/2OGn%2bkqCbq%2bT5rn8rv4rBEynU/n8/Cp5UV4CVdgjKMuylF5/IL3BUDx/JKv1%2blI5DagoCtOFYaTo6YsfRBao61a5LKXd7SmShlKUyy8IuO%2bs2iwWC/XRU39DeXlty9APJElSaSsiO33ODq4x/VPZf60Au10l2SK3QFwCTqpqZ0kv8lzyvLB3lwgBoVurzGbzi48GnNEXWlSKuNvtDVGPUOT2LpdLLVRpcvG7MXuKxzsoc3JFir0fb9av3%2bfTu%2bfdFCBRBMD3fr%2bvXVtd4c9TbbfWYQpj63xqHcYDRQbJuwed02PDfJlMppKmMxl6vkynyZd9jXM2mqDnX/RhGMtIf4/VNo5imehaHI8lCkOdT5HFE6tP4o7jWMJ4omuh%2bR/rOjFNk6kMh57Z3pz3QFplWahBKvMss6nf5B%2bdyRSedPBQrzd1wHS1Wl1tDg1b0JBlC5NcEUQR8LXfH97s3WqhoSJ7iSNNU0PCfJ4Z%2bmbzuf5WUT10yZV%2brGe6lzX2occGH6COxpSKqpvYHkhrPJ5It9c3iLvErjxWR4PBQOG5uoE%2bDjmcuQDk7vnJXqjheZ4iS%2beAdodZ0G53jOvrzeY6b6AeBUIHCvrawa7uoYN9nTG%2b70mgNxN%2bevYemF9/NLLze72uFCC3HtrNBt5T%2biEF8nyhFc5uOaQCbKpqa7AEAcapho6u0VHjdpOf9TfB0IU0TayD%2bJkmicESnTvP%2bUIH59PZTLsJWgpDA2fQ4URRYb9rFCDETceLeoDf3CJ3t8p70lroIeNJcsPjU4PnwBzn9xw3eujhdnXW603BOVAej8eW9EQhHih/mQmHOnF35W4UEaNRIJFy3WaGchhuR9FYYrWPdBZEyndokiQz476v%2b%2bE88yFU/el0ln/ztAgQqAEnqMD0NXjUFPB1fak8d/Cv6n%2bHXIMcDoTdevMKhQJAd6RQJXH8AGvOgQLOn/MFRUh2FAS2hySxx%2bYyECPzw7CjICAGGqALdR/2Q%2b9Cl57mwT5snz4/qV1o9GKA%2brrOnz2ozXcrVyjh5HLV5Za4G3ZAk%2bHC9efWmoOLudFcbwoJMidms/Q6pKABtEDHnn3ti2JZ5xX%2bCMmxDxt8MPRAE2uJfc9qCsyNFrzbmsa/0OuY33MbwJnZUGDoRH5ZbUNMDMkWjgcDzyDWpAHPVjtFJfkX9kanBXhtd6/0uH9IEFgPtdLAlW4w3Pp61vVarX1xk/Cnx3UYRNJJzxvJ09OLNQhUWMd1aONruVrLt3j%2bAtIqgKRBMM0sAAAAAElFTkSuQmCC' /%3e%3c/svg%3e)
Here is an architectural diagram of the setup we’ve just constructed:
Now that the infrastructure is setup, we're ready to deploy the Multi-Port Forward Server into the public subnet.
How to deploy the Multi-Port Forward Server:
- Deploy the AWS Multi-Port Forward Server or Multi-Port Forward Server for Azure appliance from the marketplace into your public subnet
- If in AWS, disable source and destination checks on the instance, more info here
- SSH into the Multi-Port Forward Server
- Open the /etc/multiportforward/multiportforward.config file with vim or nano and update the SPORT, DHOST, DPORT and PROTOCOL entries (source port, destination host, destination port and connection protocol respectively) in JSON format; key names should be descriptive and should not contain any spaces
- Save the multiportforward.config file
- Reboot the server
And that’s it! Your Multi-Port Forward Server should now be forwarding:
- All incoming port 443 TCP traffic is being directed to your Redshift cluster, deployed in your private subnet, listening on port 5439
- All incoming port 80 TCP traffic is being directed to your Ubuntu SSH server, deployed in your private subnet, listening on port 22
- All incoming port 53 TCP traffic is being directed to an external RDP server, listening on port 3389
You can test the connection to your Redshift cluster by entering the public DNS of your Multi-Port Forward Server as the target host using psql:
psql -h ec2-12-34-56-78.compute-1.amazonaws.com -U awsuser -d dev -p 443
Again, the same host name can be used to verify the connection to your internal Ubuntu SSH host:
ssh -i ~/.ssh/Ubuntu.pem ubuntu@ec2-12-23-34-78.compute-1.amazonaws.com -p 80
And similarly, use the same hostname when connecting via remote desktop.
Video:
