Slide 1

Slide 1 text

SECURE SAAS NETWORKING WITH AWS PRIVATELINK_ JON TOPPER | @jtopper | he/him/his

Slide 2

Slide 2 text

$ whoami
Founder/CEO/CTO, The Scale Factory
Working in hosting/infrastructure for 20 years
Infrastructure / AWS / DevOps

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

THE TEAM_

Slide 5

Slide 5 text

OUR CLIENTS_

Slide 6

Slide 6 text

TODAY’S AGENDA_
SaaS Security Requirements
Common Solutions
AWS VPC Networking
PrivateLink Solutions
AWS Partnerships & PrivateLink Service Ready
Wrap up

Slide 7

Slide 7 text

SAAS SECURITY_

Slide 8

Slide 8 text

B2B SAAS_
Tenancy separation
Protection of commercially sensitive information
Compliance obligations
Performance SLAs
Availability SLAs

Slide 9

Slide 9 text

NCSC GUIDANCE_
Data-in-transit protection between clients and service
Industry good practice external certificate configuration
https://www.ncsc.gov.uk/collection/saas-security/saas-security-principles

Slide 10

Slide 10 text

Diagram: a client user on the customer network reaches the service over the public internet through an Application Load Balancer, which fronts service clusters in private subnets across two AZs of the provider's VPC.

Slide 11

Slide 11 text

PUBLIC HTTPS_
Pros:
Easy to set up
Encrypted in transit
All clients equal
Cons:
Service exposed on public internet
Network access controls awkward if multi-tenant

Slide 12

Slide 12 text

Diagram: VPC peering between the client's VPC and your VPC; the client user reaches the Application Load Balancer and the service clusters in private subnets across two AZs over the peering connection.

Slide 13

Slide 13 text

VPC PEERING_
Pros:
Private network relationship
Cons:
Peering routes are bidirectional
Security Group / Firewall required
Potential for IP range collision
Routing table modifications required

Slide 14

Slide 14 text

What if you could expose your service as though it was part of your customer's own network without any of that traffic crossing the public internet?

Slide 15

Slide 15 text

VPC ENDPOINTS_

Slide 16

Slide 16 text

Diagram: an EKS container in a private subnet reaches outbound destinations via a NAT gateway in a public subnet and the VPC's Internet gateway.

Slide 17

Slide 17 text

Diagram: the same EKS container reaching AWS services (S3, DynamoDB, Secrets Manager, SQS, CloudWatch and more) via the NAT gateway and Internet gateway.

Slide 18

Slide 18 text

Diagram: a Gateway Endpoint (PrivateLink) added to the VPC, giving the EKS container a path to AWS services that bypasses the NAT gateway and Internet gateway.

Slide 19

Slide 19 text

Diagram: an Interface Endpoint (ENI) in the private subnet reaching AWS services over PrivateLink.

Slide 20

Slide 20 text

Diagram: an Interface Endpoint (ENI) over PrivateLink reaching your service in the same way it reaches the AWS services.

Slide 21

Slide 21 text

PRIVATE LINK_
Pros:
Private network relationship
No Internet Gateway required
Traffic never leaves AWS
Unidirectional
No risk of IP clashes
Cost effective
Cons:
Extra work required for multi-region
Only supports NLBs & API Gateway

Slide 22

Slide 22 text

SINGLE REGION CLIENTS_

Slide 23

Slide 23 text

Diagram (single region): EKS containers in the customer VPC's private subnets (two AZs) connect through Interface Endpoints (ENIs) over PrivateLink to a Network Load Balancer in your VPC, which fronts service clusters in private subnets across two AZs.

Slide 24

Slide 24 text

Diagram: Customer 1, 2, 3 and 4 VPCs each connecting over PrivateLink to the same Network Load Balancer and service clusters in your VPC.

Slide 25

Slide 25 text

MULTI REGION CLIENTS_

Slide 26

Slide 26 text

Diagram (multi region): in region 1, the customer VPC's EKS container uses an Interface Endpoint (ENI) over PrivateLink to a Network Load Balancer in your VPC (with a service cluster in a private subnet); your VPC in region 2 has its own Network Load Balancer, and the two VPCs are joined by inter-region VPC peering.

Slide 27

Slide 27 text

ON-PREMISES CLIENTS_

Slide 28

Slide 28 text

Diagram (on-premises): the client user on the on-prem network reaches the customer VPC over Direct Connect (VPG), then an Interface Endpoint (ENI) in a private subnet over PrivateLink to the Network Load Balancer and service clusters in your VPC's private subnets.

Slide 29

Slide 29 text

OTHER USE CASES_

Slide 30

Slide 30 text

Diagram (other use case): EKS containers in a production VPC and a staging VPC use Interface Endpoints (ENIs) over PrivateLink to a Network Load Balancer in front of a Squid proxy in your VPC, which reaches the public internet via a NAT gateway in a public subnet.

Slide 31

Slide 31 text

OTHER CONSIDERATIONS_
Interface Endpoints:
Only 1 subnet per AZ
TCP only
IPv4 only
Proxy Protocol for source IPs
10Gbps/AZ (burst to 40Gbps)
AZ identifier matching (2a != 2a: the AZ name "2a" in your account is not necessarily the same physical AZ as "2a" in your customer's account, so match on AZ IDs)
Customer pays:
Hourly rate per Endpoint per VPC
Per GB data processed (any direction)
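The "Proxy Protocol for source IPs" point above, together with the multi-tenant access-control problem from the public HTTPS slide, in a worked example added here (not code from the talk or from The Scale Factory): a parser for the Proxy Protocol v2 header an NLB prepends to each connection when proxy protocol is enabled, including the AWS TLV (type 0xEA, subtype 0x01) that carries the consumer's VPC endpoint ID, and a lookup that attributes the connection to a tenant by that ID rather than by source address. The endpoint ID, IP addresses and tenant names are constructed sample values.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_AWS = 0xEA              # TLV type AWS uses for its own subtypes
PP2_SUBTYPE_AWS_VPCE_ID = 0x01   # value = this subtype byte + "vpce-..." ID


def parse_pp2(data: bytes) -> dict:
    """Parse the Proxy Protocol v2 header at the start of a connection."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a Proxy Protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("bad version or truncated header")
    body = data[16:16 + length]
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL",
            "vpce_id": None, "header_len": 16 + length}
    family = fam_proto >> 4
    if family == 0x1:            # AF_INET: what an NLB sends for IPv4 clients
        fmt, addr_len = "!4s4sHH", 12
    elif family == 0x2:          # AF_INET6
        fmt, addr_len = "!16s16sHH", 36
    else:                        # UNSPEC: no address block to trust
        return info
    if len(body) < addr_len:
        raise ValueError("address block shorter than family requires")
    src, dst, sport, dport = struct.unpack(fmt, body[:addr_len])
    info.update(src=str(ipaddress.ip_address(src)), src_port=sport,
                dst=str(ipaddress.ip_address(dst)), dst_port=dport)
    tlvs = body[addr_len:]       # optional TLVs follow the address block
    while len(tlvs) >= 3:
        t, l = struct.unpack("!BH", tlvs[:3])
        value, tlvs = tlvs[3:3 + l], tlvs[3 + l:]
        if t == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            info["vpce_id"] = value[1:].decode("ascii")
    return info


def tenant_for(info: dict, endpoint_owners: dict):
    """Tenant owning the endpoint used; None = reject (consumer-side source IPs can collide across VPCs, endpoint IDs cannot)."""
    if info["command"] != "PROXY" or info["vpce_id"] is None:
        return None
    return endpoint_owners.get(info["vpce_id"])


def constructed_header(vpce_id: str) -> bytes:
    """Sample IPv4 PPv2 header, constructed here rather than captured from an NLB."""
    addrs = struct.pack("!4s4sHH", ipaddress.ip_address("10.20.1.7").packed,
                        ipaddress.ip_address("10.0.5.9").packed, 51234, 443)
    value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
    body = addrs + struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```

A service behind the endpoint reads `header_len` bytes, then treats the rest of the stream as the client's payload; a connection whose endpoint ID maps to no known tenant should be closed before any payload is processed.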

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

NEXT STEPS_

Slide 34

Slide 34 text

OTHER WEBINARS_
The SaaS Journey on AWS
Architecture for Security on AWS

Slide 35

Slide 35 text

BREAKFAST OPS CTO DISCUSSION & NETWORKING_

Slide 36

Slide 36 text

Operations / Security / Performance / Reliability / Cost
Trusted By
https://scalefactory.com/services/well-architected/
$5,000 funding available to support improvement work

Slide 37

Slide 37 text

SUPPORT & LEARNING_
Developer Support (via Slack)
Surgery Hours (Zoom or in person)
24x7 Incident Support
Training Sessions
Trusted By

Slide 38

Slide 38 text

Q&A_

Slide 39

Slide 39 text

KEEP IN TOUCH_
http://www.scalefactory.com/
@scalefactory
jon@scalefactory.com