Establish a Secure VPN to your Cloud Resources
Before the advent of general cloud computing, organizations secured their IT resources behind physical and logic access layers, generally in the form of a “Virtual Private Network” (VPN) that allowed secure segregation of traffic from externally connected computers. Solutions abounded to support this model including both software and hardware approaches. Cloud computing has enabled extensive economies of scale for organizations of all sizes, but the VPN concept remains: A way to secure organizational traffic and resources for computers outside the established security perimeter. The modern solution provides a physical boundary (VPN) that allows for a private driveway to your company’s resources.
The challenge can be stated this way: Since all resources in the “Cloud” are accessible through public internet, how can we ensure the resources that need to be utilized within our organization’s boundaries are available only for Authorized users? The challenge has been met by Innosoft with the implementation of an AWS VPN Client.
Amazon describes the solution this way, “AWS Client VPN is a fully managed remote access VPN solution used by your remote workforce to securely access resources within both AWS and your on-premises network. Fully elastic, it automatically scales up, or down, based on demand. When migrating applications to AWS, your users access them the same way before, during, and after the move. AWS Client VPN, including the software client, supports the OpenVPN protocol.”
Since AWS Client VPN enables you to securely connect users to AWS networks, we have decided to leverage the same for our internal “Intranet” applications.
To enable the VPN Connectivity to the intranet applications, we followed the following steps:
- Setup a Private VPN for intranet applications.
- Secure the resources under the private subnet including EC2 instances.
- Create a client VPN connection.
For creating the Client VPN connection, we followed the steps described below.
1. Create a Server certificate for the domain.
2. Create an active directory authentication or Federated identity authentication.
- Note: There is also “Mutual” authentication involving certificate exchange. This is less preferable method to the active directory integration.
3. Select the VPC for which the VPN connection pertains to.
4. Setup the associations and the Authorization rules.
Once we setup the VPN Client, we can download the configuration for the VPN client. This configuration file can be used in any of the OpenVPN compatible clients.
One such client is the AWS VPN Client (AWS Client VPN Download | Amazon Web Services)
Using this client, we can successfully connect to the underlying resources in VPC which would not be accessible without VPN.
AWS SSO with Active Directory
Innosoft decided to use the Active Directory Authentication since our goal was to move towards Single Sign on (SSO). As it turns out, we were able to accomplish both the VPN and the SSO at the same time.
To setup the SSO accounts:
1. Setup the Identify provider
We have chosen to use AWS SSO as the identity provider since we do not want to move everyone yet into the SSO.
2. Configure the Users, Groups and Policies for the AWS Resources.
3. Manage the applications that can utilize the SSO
4. Enable Multi Factor Authentication for more security.
Once Setup, we can then utilize the applications using the “Configured” URL.
We should also enable a Self-service portal for VPN users. This will enable them to download the Client configuration to setup the VPN clients.