Keeping in line with the principals of a Well Architected Review (WAR), we are constantly challenged by our customers to help evolve their requirements into repeatable and automated patterns deployed in their AWS environment, using the latest AWS has to offer in its growing list of managed services. In this case, a research wing of a global industrial firm wanted a solution to replace their current VPN and bastion host solution with access control topping the list. The answer: AWS Client site VPN.
Prior to this ask, the customer had used and evaluated a few VPN solutions such as OpenVPN and StrongSwan. However, the customer desired a better approach towards deployment, moving away from license costs and desired less overall management of the deployed solution– which would also support their continued DevOps best practices efforts.
Interested in reading more DevOps and AWS case studies? Subscribe to our DevOps blog today:
The need for a secure approach to VPN was to facilitate access to AWS sandbox environments for both external and internal research teams. The approach required end users to be authenticated, both through centrally managed credentials (stored in on-prem IDP MS AD and extended to the AWS environment,) and certificate-based authentication. An additional requirement was to authorize based on a combination of both AD groups and CIDR blocks.
In the year and a half that we have partnered with this firm on their enterprise modernization efforts, our team developed and deployed a multitude of Infrastructure as Code (IaC) patterns, through automation. So, it came as no surprise when our customer turned to us for a VPN solution that would also incorporate best practices.
At the time of their request, AWS VPN had limited support for automation from both CloudFormation as well as Terraform provisioners. As a result, our team quickly developed the solution design, broke down the epics into user stories and in a matter of two sprints developed and deployed the solution -- all while teaching our customer’s Infrastructure team how to manage and own the IaC as well as related CI/CD pipelines.
Needless to say, the introduction of new patterns -- especially around networking -- sometimes warrants the refactoring of existing code. Our development team handled the code refactor while developing the code for the solution and helped the customer team to avoid acquiring technical debt.
What is AWS VPN
AWS VPN establishes a secure and private tunnel from the user’s network or device to the AWS global network. With the use of AWS Client VPN, we were able to provide secure connectivity from both the company’s on-premises network to their Amazon Virtual Private Cloud (Amazon VPC) and from individual users to AWS. As a managed service, AWS VPN allowed our customer to avoid the expense and complication of some solutions or the intricacies of less secure and less scalable legacy solutions.
The AWS Client site VPN solution includes the following key concepts:
- A Client VPN Endpoint - Simply put, this is where all client VPN connections terminate in AWS.
- Target Network - As the name suggests, the target network is the VPC network where operators attach client VPN endpoints and are the networking entry point into your AWS resources.
- Route - In AWS, routes are defined in a table; they state the available destination networks within AWS.
- Authorization Rules - These rules authorize the user belonging to a certain Active Directory group to access specific networks.
- And of course the Client. The beauty of the AWS Client site VPN solution is that in the end, the user can use the OpenVPN community to download the client to connect.
Due to the urgent need for the solution by the user and Infrastructure provisioning tools (CloudFormation and Terraform, who were still in the development phase for templates/modules to create IaC and automation,) our team chose to address the automation requirements by writing python scripts to create and deploy the AWS Client site VPN endpoint. Our team developed the necessary pipelines, with Jenkins being our CI/CD tool of choice to handle the automation. Ancillary service Active Directory Connector was deployed, once again through automation, to extend the customer’s on-prem Active Directory for authentication of users attempting VPN connectivity.
Now our customer has a working VPN solution with capabilities to authenticate and authorize users to resources assigned to them through the Active Directory group association. Since the code is checked into Git, use cases such as changing the rules for authorization is as easy as checking in enhancements or modifications and running the pipeline to update the rule set on the fly without any downtime. The IT team can create end-user profiles for their researchers and share them through secure S3 storage access.
Generating terabytes of data every day from research experiments, our customer had a need to analyze vast amounts of data which is best served by the scalability of on-demand cloud computing. Yet, researchers from within the organization and outside its four walls needed access to the data, spurring the IT team supporting this company’s research business units to turn to the AWS consulting partners at Flux7 to help. Looking to bolster your enterprise transformation or simply meet the demands of a mobile workforce with cloud computing? Contact us today:
Post Date: 04/25/2019