Port forwarding or port address translation (PAT) is a method of altering the destination port of traffic by using a forward proxy.
There are multiple possible reasons to use a PAT server for port forwarding. Here are just a few:
- Running multiple NAT’d servers with identical services competing for one port.
- Changing the default destination port to a more common port to bypass layer 4 firewall restrictions.
- Configuring round robin DNS where multiple AWS port forward servers can redirect traffic to one application server.
For this tutorial we will use Redshift deployed to a private subnet in AWS as our example.
In this scenario, we are on-prem, and outbound traffic on port 5439 is blocked by the corporate firewall.
To get around this restriction, we will configure our Multi-Port Forward Server to publicly listen on port 443, and forward the incoming traffic to Redshift on port 5439. All incoming traffic will be IP whitelisted to only allowing traffic from our organizational IP addresses.
Let’s assume the following network architecture:
- A VPC configured with a 192.168.0.0/16 CIDR range.
- Two subnets configured:
- One private, with no internet access (192.168.1.0/24)
- One public, with an internet gateway configured for internet access (192.168.0.0/24)
- A Redshift cluster deployed to the private subnet which will be listening on its default port, 5439.
- A Multi-Port Forward Server appliance deployed to the public subnet will be listening on port 443. Incoming traffic will be proxied to the Redshift server in the private subnet, destined for port 5439.
- The VPC security group needs to be configured to allow:
- Inbound ports 22 and 443 from an authorized IP address
- Inbound port 5439 from the public subnet into the private subnet
- And inbound traffic from the security group itself allowing internal VPC traffic
Here is an architectural diagram of the setup we’ve just constructed:
Once the networking is configured properly, we can deploy and configure the Multi-Port Forward Server appliance.
Steps to deploy the Multi-Port Forward Server are as follows:
- Deploy the AWS Multi-Port Forward Server (or alternatively, a single AWS Port Forward Server) appliance from the marketplace into your public subnet
- SSH into the Multi-Port Forward Server
- Edit the JSON entries to reflect your desired port forwarding configuration; multiple entries can be added to forward multiple ports to multiple servers
- Enter a custom key name for your entry (sshbastion, rdpbastion, etc.); this is can be set to anything
- Update the corresponding source ports (SPORT), destination ports (DPORT), and the destination hosts (DHOST)
- Save the portforward.config file
- Reboot the server
- Ensure that the AWS Security Group permits inbound traffic from the source IPs to the respective source ports
And that’s it! Your Multi-Port Forward Server should now be forwarding all incoming port 443 traffic to your Redshift cluster, deployed on your private subnet, listening on port 5439.
You can test this by connecting to your Redshift cluster by entering the public DNS of your Multi-Port Forward Server as the target host using psql:
psql -h ec2-3-89-128-232.compute-1.amazonaws.com -U testuser -d dev -p 443
As always, if you have any questions, feel free to drop us a line on our contact page.