Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure SaaS Networking with AWS PrivateLink

The Scale Factory
September 02, 2020
Technology
0
350

Secure SaaS Networking with AWS PrivateLink

As a SaaS business, your customers are trusting you to keep their valuable data safe. What if you could expose your service as though it was part of your customer's own network, without any of that traffic crossing the public internet?

In this webinar, we look at how to achieve this with AWS PrivateLink. We'll also discuss some other use cases for this, and related AWS services.

The Scale Factory

September 02, 2020
Tweet

More Decks by The Scale Factory

See All by The Scale Factory
Disaster Recovery on AWS
scalefactory
0
72
Navigating the SaaS Transformation Journey
scalefactory
0
11
ISO 27001 on AWS
scalefactory
0
260
How does compliance drive success in SaaS sales?
scalefactory
0
86
How we passed our AWS certifications and why you should too
scalefactory
0
110
re:Invent 2021 re:cap
scalefactory
0
56
re:Invent 2020 re:cap
scalefactory
0
160
Modern Infrastructure as Code with Pulumi
scalefactory
0
260
Architecture for Security on AWS
scalefactory
0
4.6k

Other Decks in Technology

See All in Technology
フィンテック養成勉強会#33
finengine
0
160
プロダクトオーナーとしてSLOに向き合う 〜Mackerelチームの事例〜 / SRE NEXT 2023
tatsuru
PRO
0
120
上流工程に挑戦!「俺の考えた最強サーバレス構成」が一瞬で敗北した件
kentosuzuki
2
140
アジャイル開発と時代の流れに伴うサーバレスアーキテクチャの変化
yoshiitaka
5
3.3k
dbt_ベストプラクティス_完全に理解した.pdf
dach
2
110
React Suspenseを使って遷移体験を向上させる
kobayang
3
820
ログから学ぶgo build
nasa_desu
1
320
ヒューリスティックコンテストで機械学習しよう
nagiss
7
2.7k
2023-09-05_OCIJP_まれによくあるマルチクラウドでDB-AP分離構成のこと
hk_shino
2
220
1,800万人が利用する『家族アルバム みてね』におけるK8s基盤のアップグレード戦略と継続的改善 / FamilyAlbum's upgrade strategy and continuous improvement for K8s infrastructure
kohbis
0
200
セキュアエレメントによるWireGuardのセキュリティ強化
kmwebnet
0
140
電動マイクロモビリティのシェアサービス「LUUP」におけるEnabling SLOの実践
grimoh
1
190

Featured

See All Featured
Statistics for Hackers
jakevdp
787
210k
Gamification - CAS2011
davidbonilla
75
4.3k
Optimising Largest Contentful Paint
csswizardry
6
1.8k
Bash Introduction
62gerente
603
210k
What's in a price? How to price your products and services
michaelherold
236
10k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
Mobile First: as difficult as doing things right
swwweet
214
8.2k
Design by the Numbers
sachag
272
18k
Designing for Performance
lara
601
66k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
Clear Off the Table
cherdarchuk
81
300k
Embracing the Ebb and Flow
colly
77
3.8k

Transcript

  1. SECURE SAAS NETWORKING
    WITH AWS PRIVATELINK_
    JON TOPPER | @jtopper | he/him/his

    View Slide

  2. $ whoami
    Founder/CEO/CTO The Scale Factory
    Working in hosting/infrastructure for 20 years
    Infrastructure / AWS / DevOps

    View Slide

  3. View Slide

  4. THE TEAM_

    View Slide

  5. OUR
    CLIENTS_

    View Slide

  6. TODAY’S
    AGENDA_
    SaaS Security Requirements
    Common Solutions
    AWS VPC Networking
    PrivateLink Solutions
    AWS Partnerships & PrivateLink Service Ready
    Wrap up

    View Slide

  7. SAAS
    SECURITY_

    View Slide

  8. B2B
    SAAS_
    Tenancy separation
    Protection of commercially sensitive information
    Compliance obligations
    Performance SLAs
    Availability SLAs

    View Slide

  9. NCSC
    GUIDANCE_
    Data-in-transit protection between
    clients and service
    Industry good practice external
    certificate configuration
    https:/
    /www.ncsc.gov.uk/collection/saas-security/saas-security-principles

    View Slide

  10. region
    vpc
    az
    private subnet
    az
    private subnet
    Service Cluster
    Service Cluster
    Customer Network Public Internet
    Application
    Load
    Balancer
    Client
    User

    View Slide

  11. PUBLIC
    HTTPS_
    Pros:
    Easy to set up
    Encrypted in Transit
    All clients equal
    Cons:
    Service exposed on public internet
    Network access controls awkward if
    multi-tenant

    View Slide

  12. region
    Your VPC
    az
    private subnet
    az
    private subnet
    Service Cluster
    Service Cluster
    Application
    Load
    Balancer
    vpc
    Client
    User
    VPC
    Peering

    View Slide

  13. VPC
    PEERING_
    Pros:
    Private network relationship
    Cons:
    Peering routes are bidirectional
    Security Group / Firewall required
    Potential for IP range collision
    Routing table modifications required

    View Slide

  14. What if you could expose your service
    as though it was part of your customer's own network
    without any of that traffic crossing the public internet?

    View Slide

  15. VPC
    ENDPOINTS_

    View Slide

  16. region
    vpc
    az
    private subnet public subnet
    Internet
    gateway
    NAT
    gateway
    EKS Container

    View Slide

  17. region
    vpc
    az
    private subnet public subnet
    Internet
    gateway
    S3
    DynamoDB
    Secrets Manager
    SQS
    CloudWatch
    & more
    NAT
    gateway
    EKS Container

    View Slide

  18. region
    vpc
    az
    private subnet public subnet
    Internet
    gateway
    S3
    DynamoDB
    Secrets Manager
    SQS
    CloudWatch
    & more
    NAT
    gateway
    EKS Container
    Gateway
    Endpoint
    PrivateLink

    View Slide

  19. region
    vpc
    az
    private subnet public subnet
    Internet
    gateway
    S3
    DynamoDB
    Secrets Manager
    SQS
    CloudWatch
    & more
    NAT
    gateway
    EKS Container
    Interface
    Endpoint
    (ENI)
    PrivateLink

    View Slide

  20. region
    vpc
    az
    private subnet public subnet
    Internet
    gateway
    S3
    DynamoDB
    Secrets Manager
    SQS
    CloudWatch
    & more
    NAT
    gateway
    EKS Container
    Interface
    Endpoint
    (ENI)
    Your Service
    PrivateLink

    View Slide

  21. PRIVATE
    LINK_
    Pros:
    Private network relationship
    No Internet Gateway required
    Traffic never leaves AWS
    Unidirectional
    No risk of IP clashes
    Cost effective
    Cons:
    Extra work required for multi-region
    Only supports NLBs & API Gateway

    View Slide

  22. SINGLE REGION
    CLIENTS_

    View Slide

  23. region
    Customer VPC
    az
    private subnet
    az
    private subnet
    Your VPC
    az
    private subnet
    az
    private subnet
    Network
    Load
    Balancer
    Service Cluster
    Service Cluster
    Interface
    Endpoint
    (ENI)
    Interface
    Endpoint
    (ENI)
    PrivateLink
    EKS Container
    EKS Container

    View Slide

  24. region
    Customer 1 VPC Your VPC
    az
    private subnet
    az
    private subnet
    Network
    Load
    Balancer
    Service Cluster
    Service Cluster
    PrivateLink
    Customer 2 VPC
    Customer 3 VPC
    Customer 4 VPC

    View Slide

  25. MULTI REGION
    CLIENTS_

    View Slide

  26. region 1
    Customer VPC
    az
    private subnet
    Your VPC
    az
    private subnet
    Network
    Load
    Balancer
    Service Cluster
    Interface
    Endpoint
    (ENI)
    PrivateLink
    EKS Container
    region 2
    Your VPC
    Network
    Load
    Balancer
    Inter-region
    VPC peering

    View Slide

  27. ON-PREMISES
    CLIENTS_

    View Slide

  28. region
    Customer VPC
    az
    private subnet
    Your VPC
    az
    private subnet
    az
    private subnet
    Network
    Load
    Balancer
    Service Cluster
    Service Cluster
    Interface
    Endpoint
    (ENI)
    PrivateLink
    az
    private subnet
    Interface
    Endpoint
    (ENI)
    Direct
    Connect
    (VPG)
    On-Prem Network
    Client
    User

    View Slide

  29. OTHER
    USE CASES_

    View Slide

  30. Production VPC
    az
    private subnet
    Your VPC
    az
    private subnet
    Network
    Load
    Balancer
    Squid Proxy
    Interface
    Endpoint
    (ENI)
    PrivateLink
    EKS Container
    Staging VPC
    az
    private subnet
    EKS Container
    Interface
    Endpoint
    (ENI)
    public subnet
    NAT
    Gateway
    Public Internet

    View Slide

  31. OTHER
    CONSIDERATIONS_
    Interface Endpoints: only 1 subnet per AZ
    TCP only
    IPv4 only
    Proxy Protocol for source IPs
    10Gbps/AZ (burst to 40Gbps)
    AZ identifier matching (2a != 2a)
    Customer pays:
    Hourly rate per Endpoint per VPC
    Per GB data processed (any direction)

    View Slide

  32. View Slide

  33. NEXT
    STEPS_

    View Slide

  34. OTHER
    WEBINARS_
    The SaaS Journey on AWS
    Architecture for Security on AWS

    View Slide

  35. BREAKFAST OPS
    CTO DISCUSSION &
    NETWORKING_

    View Slide

  36. Operations / Security / Performance / Reliability / Cost
    Trusted By
    https:/
    /scalefactory.com/services/well-architected/
    $5,000 funding available to support improvement work

    View Slide

  37. SUPPORT & LEARNING_
    Developer Support (via Slack)
    Surgery Hours (Zoom or in person)
    24x7 Incident Support
    Training Sessions
    Trusted By

    View Slide

  38. Q&A_

    View Slide

  39. KEEP IN
    TOUCH_
    http:/
    /www.scalefactory.com/
    @scalefactory
    [email protected]

    View Slide