Is Serverless VPN server possible?

I need a serverless server to run a shadowsocks or wireguard server, but I won’t use it often. Is there a way to create a serverless server that, when I try to connect to it, starts and serves, and if there is no traffic for 30 min, turns off?

I have to trigger this using a URL or something else, since without the VPN I cannot connect to AWS.

You should be able to do this with ECS Fargate, and maybe a Lambda function + function URL to start/stop the service.
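The start/stop side of that suggestion, together with the "turn off after 30 min of no traffic" requirement from the question, as an added example that is not from this thread or any project mentioned in it. It is a Lambda handler behind a function URL that starts one Fargate task on demand (idempotently, so a second click does not launch a second server), plus an idle check that reads the peers' last handshake times from `wg show wg0 latest-handshakes` and stops the task once every peer has been silent for 30 minutes. Cluster, task definition, subnet and security group names are placeholders; how the `wg show` output reaches the checker (a periodic check inside the container using the task role, or ECS Exec from a scheduled Lambda) is left as an assumption. The `ecs` parameter lets an in-memory fake stand in for the boto3 client so the example runs offline.

```python
# Added example (not from the thread): on-demand Fargate WireGuard task with
# idle shutdown. Cluster, task definition, subnet and SG names are assumptions.
import time

CLUSTER = "vpn"                              # assumed ECS cluster name
TASK_DEF = "wireguard"                       # assumed task definition family
SUBNETS = ["subnet-0123456789abcdef0"]       # placeholder subnet
SECURITY_GROUPS = ["sg-0123456789abcdef0"]   # placeholder SG (allows UDP 51820 in)
IDLE_SECONDS = 30 * 60


def running_tasks(ecs, cluster=CLUSTER):
    """ARNs of RUNNING tasks in the cluster (expected: zero or one)."""
    return list(ecs.list_tasks(cluster=cluster, desiredStatus="RUNNING").get("taskArns", []))


def start_vpn(ecs, cluster=CLUSTER):
    """Start the VPN task unless one is already running (idempotent)."""
    existing = running_tasks(ecs, cluster)
    if existing:
        return {"started": False, "tasks": existing}
    resp = ecs.run_task(
        cluster=cluster, taskDefinition=TASK_DEF, launchType="FARGATE", count=1,
        networkConfiguration={"awsvpcConfiguration": {
            "subnets": SUBNETS, "securityGroups": SECURITY_GROUPS,
            "assignPublicIp": "ENABLED",   # the task ENI is the VPN's public address
        }},
    )
    return {"started": True, "tasks": [t["taskArn"] for t in resp["tasks"]]}


def parse_latest_handshakes(text):
    """Parse `wg show wg0 latest-handshakes`: '<peer pubkey>\\t<epoch>' per line,
    epoch 0 meaning that peer has never completed a handshake."""
    handshakes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pubkey, _, epoch = line.partition("\t")
        handshakes[pubkey.strip()] = int(epoch.strip() or 0)
    return handshakes


def is_idle(handshakes, now, idle_seconds=IDLE_SECONDS):
    """Idle when no peer handshaked within idle_seconds. WireGuard only
    re-handshakes while traffic flows, so a stale handshake means no use."""
    if not handshakes:
        return True
    return now - max(handshakes.values()) >= idle_seconds


def stop_if_idle(ecs, wg_output, now=None, cluster=CLUSTER):
    """Stop every running task once the tunnel is idle; report what was stopped."""
    now = int(time.time()) if now is None else now
    if not is_idle(parse_latest_handshakes(wg_output), now):
        return {"stopped": []}
    stopped = []
    for arn in running_tasks(ecs, cluster):
        ecs.stop_task(cluster=cluster, task=arn, reason="idle for 30 minutes")
        stopped.append(arn)
    return {"stopped": stopped}


def lambda_handler(event, context=None, ecs=None):
    """Function URL entry point; `ecs` is injectable so a fake client can be used."""
    if ecs is None:
        import boto3  # imported lazily so the module loads without boto3
        ecs = boto3.client("ecs")
    if event.get("action") == "stop-if-idle":
        return stop_if_idle(ecs, event.get("wg_output", ""))
    return start_vpn(ecs)


class FakeEcs:
    """Constructed in-memory stand-in for the boto3 ECS client (offline runs)."""
    def __init__(self, running=()):
        self.running = list(running)
        self.stopped = []

    def list_tasks(self, cluster, desiredStatus):
        return {"taskArns": list(self.running)}

    def run_task(self, **kwargs):
        arn = f"arn:aws:ecs:us-east-1:123456789012:task/{kwargs['cluster']}/t{len(self.running) + 1}"
        self.running.append(arn)
        return {"tasks": [{"taskArn": arn}]}

    def stop_task(self, cluster, task, reason):
        self.running.remove(task)
        self.stopped.append(task)
        return {"task": {"taskArn": task}}


# Constructed `wg show` output: one peer handshaked at epoch 1700000000, one never.
SAMPLE_WG_OUTPUT = "PEER1pubkeyBase64=\t1700000000\nPEER2pubkeyBase64=\t0\n"

if __name__ == "__main__":
    ecs = FakeEcs()
    print(lambda_handler({"action": "start"}, ecs=ecs))                # starts one task
    print(lambda_handler({"action": "start"}, ecs=ecs))                # reuses it
    print(stop_if_idle(ecs, SAMPLE_WG_OUTPUT, now=1700000000 + 90))    # still active
    print(stop_if_idle(ecs, SAMPLE_WG_OUTPUT, now=1700000000 + 1800))  # idle: stopped
```

Two points worth keeping in mind if you build it this way: give the function URL an auth type of AWS_IAM (or put your own check in the handler) rather than leaving it public, since anyone who can reach the URL can otherwise start billable tasks; and the "never handshaked" peers are deliberately ignored by the idle check, so a freshly started task with no connection yet will be stopped after the idle window, which is the behaviour you want if the client never actually connected.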

What’s your budget? You can set something like this up with the Client VPN (not shadowsocks or wireguard) and basically have it on when you need it, billed on hourly usage + the cost of a NAT gateway. Did this recently and it works well but can be a bit expensive depending on your use case.

Yes, in fact I built one: https://ServerlessVPN.com (or https://UpVPN.app)

https://www.subaud.io/blog/cdk-minecraft-deployment

This does that except for creating a Minecraft server instead of a VPN server. Same concept though.

Assuming you need to connect to a VPC anyway, serverless probably isn’t very beneficial here compared to the actual VPN stuff AWS already provides. You’ll still need to do the networking side of things anyway.

I’ve run WireGuard under Ubuntu on a t4g.nano and was able to push the limit of my internet connection (800 Mbps). That’s about $3-4 a month to just leave it on all the time. Plus it gets you into a VPC.

I’m not sure you’ll do much better with anything serverless. Not unless you’re running hundreds of them.

Use this: https://github.com/sshuttle/sshuttle with an SSM proxy: https://carriagereturn.nl/aws/ssh/ssm/2021/01/03/tunnel-into-vpc.html

There will need to be a machine running in order to do this, but I assume you are trying to tunnel in to do something with an existing machine; this is the machine that should run SSM.

You can avoid all of this altogether and just port forward directly from SSM without installing any additional packages.

How about a URL with Cognito to authenticate with my identity, then trigger a Fargate task?

Use a NAT instance instead of a gateway; it will be cheaper.

Why do you need any kind of NAT? The traffic back to the caller is going through the ENI linked to the VPN, isn’t it?

What’s your budget?

As little as possible; ideally I only need to pay for egress traffic.

Sure, you could do that. Either validate the identity in your Lambda function, or use API Gateway instead of a function URL and use the Cognito auth provider for REST APIs.

True, but at that point it isn’t serverless.

From my knowledge, that should be the path back, but if you need a static IP the only way to do that is with some kind of NAT solution.

If you’re going as cheap as possible, do what someone else said and run something like OpenVPN on a nano instance and avoid serverless altogether. Client VPN + NAT Gateway will easily run you at least $80-$100 a month and that’s not including egress traffic.

Neither is NAT Gateway.

Technically, I think the Client VPN DNS entry is actually more of an AWS service endpoint, and the ENI is just the VPN’s entry point into the private VPC.

I’d qualify anything that I don’t have to run updates on as serverless, but technically you’re correct.

I just realized I missed the last sentence saying that this is just to get into the VPC. In that case, you are 100% correct that no NAT is needed, and the VPN endpoint is the entry into the VPC.

My assumption was that this is going to be used as a traditional type of VPN that would need egress to the internet.