In the datacenter, a VLAN can cross physical switches and form a logical L2 domain. Machines, VMs or hosts on this VLAN can communicate with each other irrespective of its physical location with private IP addresses. All is secure.
The question is: Can you stretch this VLAN to AWS or Azure?
If you’ve ever deployed AWS Direct Connect or are in the process of deploying it, you know that it is a long and arduous process. It can take weeks if not months before you can send even one bit from your enterprise network to your network in AWS. In addition to time, there is also the added overhead of hardware, networking ninjas, and cost that makes AWS Direct Connect beyond reach for most companies. But before we dive into this dilemma, why do people want AWS Direct Connect?
The definition of hybrid cloud typically involves attaching a part of an enterprise network to the cloud or vice versa. AWS Direct Connect is the ultimate hammer to a hybrid cloud problem, but you don’t always need a hammer for all hybrid cloud problems. There are easier and quicker ways to build a hybrid cloud.
Aviatrix’s hybrid cloud solution is 100% software and deploys in minutes. The solution looks like this…
Applications are being built, deployed and managed differently these days. Enterprises are adopting microservices architecture where a big monolithic service is broken into smaller and single task services with REST APIs and messaging services connecting them in a loosely coupled fashion. Such methodology fuels the growth of the number of applications serving employees and customers, a lot of them are simply standalone applications. Granting access control to who can access what information becomes an important IT/Ops task.
If you use a bastion station to access instances in a VPC, you should be very weary of the private key management. The bastion station, itself an AWS or Azure instance, has a private key that cannot be changed once the instance is created. Moreover, this private key is shared by all users and any user who logs in into the bastion station has “sudo” power, that is, root privilege. If an employee leaves the company, the employee still has access to the bastion station! Changing the private key amounts to building a new bastion station and distributing the private key again. There needs to be a security perimeter at the user level to allow or deny access to your cloud resource at any given time, rather than relying on a private key. Furthermore, using a bastion station does not allow non-developers to access private applications in the cloud.
Deploying a VPN server instead of a bastion station is the first step to build a real security perimeter. It is a must have from security standpoint.