Bastion Station Weary

By Sherry Wei
Founder and CTO, Aviatrix
July 23, 2016

If you use a bastion station to access instances in a VPC, you should be very weary of the private key management. The bastion station, itself an AWS or Azure instance, has a private key that cannot be changed once the instance is created. Moreover, this private key is shared by all users and any user who logs in into the bastion station has “sudo” power, that is, root privilege. If an employee leaves the company, the employee still has access to the bastion station! Changing the private key amounts to building a new bastion station and distributing the private key again. There needs to be a security perimeter at the user level to allow or deny access to your cloud resource at any given time, rather than relying on a private key. Furthermore, using a bastion station does not allow non-developers to access private applications in the cloud.

Deploying a VPN server instead of a bastion station is the first step to build a real security perimeter. It is a must have from security standpoint.

Most companies deploy a VPN server at the on-prem office where employees come to work. When employees are not in the office, they must first VPN into the office and then access the cloud. This does provide a security perimeter, but it is not optimal as the user traffic travels to the office and then to the cloud. In addition, traditional VPN server requires on-prem hardware, proprietary client software and outdated authentication methods. Furthermore, if you have a global workforce, employees everywhere must still connect to this on-prem VPN server first, resulting in multiple of hundreds of milliseconds of delay.

Therefore, deploying a VPN server in the cloud is the second step improvement that provides a security perimeter and gives users a unified access experience whether they are on-prem or off-prem. Deploying a VPN server has additional benefits of placing all your enterprise services in the private subnets, enabling non-tech employees to access cloud services securely.

However, a single VPN server is a single point of failure, it still does not address the latency issue for your employees located half a globe away. In addition, a VPN server alone in the cloud cannot let you employees have direct secure access to instances or services of VPC in other regions or other clouds.

Aviatrix provides the most comprehensive network solution for the cloud. Combining a policy driven, scale out and Geo aware VPN with encrypted peering and central management console, we provide a complete secure network solution in the cloud for all your admins, developers and employees.

To learn the complete list of capabilities, check out the datasheet.


Comments are closed for this post.

Latest Posts

How to Use Aviatrix SD Cloud Routing to Build Azure Networks
By Karthik Balachandran, March 20, 2019

The Cloud in 2019 and Beyond: More of the Same, Only Better
By Steven Mih, December 6, 2018

Understanding AWS VPC Egress Filtering Methods
By Khash Nakhostin, November 14, 2018

Implementing a Secure Transit DMZ Architecture with Next-Gen Firewalls
By Josh Hammer, October 16, 2018

Talking Innovation, Disruption and Software Defined Cloud Routing with Steve Mullaney
By Frank Cabri, September 28, 2018

Top Tags

Active Directory (AD)Amazon Partner Network (APN)Amazon Virtual Private Cloud (Amazon VPC)Amazon Web Services (AWS)Amazon WorkSpacesApplication VisibilityAviatrix Cloud InterconnectAviatrix ControllerAviatrix FlightPathAviatrix Hosted ServiceAWS Direct ConnectAWS Egress ControlAWS VPNAzure ExpressRouteCasachekChefCiscoCisco Live 2018Cloud Architectscloud burstingCloud ComputingCloud Gatewaycloud governanceCloud MigrationCloud NetworkingCloudOpsCSRDevOpsEgress TrafficElon MuskEnterprise Strategy Group (ESG)GartnerGCP Next 16Google Cloud PlatformHub-and-Spoke NetworkHybrid CloudHyperFlex Multi-Cloud EcosystemInternational Data Corporation (IDC)Intrusion Detection System (IDS)Intrusion Preventions Systems (IPS)IPmotionJenkinsMalware DetectionMesh NetworkMicrosoft AzureMulticloudNetworking as a Servicenetworking infrastructureNiciraNoOpsNutanixNutanix CalmOpenVPN Access ServerPalo Alto NetworksPCI CompliancePci DssPublic CloudPublic Cloud NetworkingPuppetRemote AccessSD Cloud RouterSD-WANSoftware Defined Cloud RoutingSoftware-Defined Cloud RoutersSquidSSL VPN to AWSstorage and computeTransit DMZ Architecturetransit networkTransit VPCURL FilteringUse CasesVirtual Cloud NetworkVirtual Desktop Infrastructure (VDI)Virtual RoutersVMwareVNet ConnectivityVPCVPC PeeringVPN