Secure SaaS Networking with AWS PrivateLink

As a SaaS business, your customers are trusting you to keep their valuable data safe. What if you could expose your service as though it was part of your customer's own network, without any of that traffic crossing the public internet?

In this webinar, we look at how to achieve this with AWS PrivateLink. We'll also discuss some other use cases for this, and related AWS services.

The Scale Factory

September 02, 2020

Transcript

  1. SECURE SAAS NETWORKING
    WITH AWS PRIVATELINK_
    JON TOPPER | @jtopper | he/him/his

  2. $ whoami
    Founder/CEO/CTO The Scale Factory
    Working in hosting/infrastructure for 20 years
    Infrastructure / AWS / DevOps

  4. THE TEAM_

  5. OUR CLIENTS_

  6. TODAY’S AGENDA_
    SaaS Security Requirements
    Common Solutions
    AWS VPC Networking
    PrivateLink Solutions
    AWS Partnerships & PrivateLink Service Ready
    Wrap up

  7. SAAS SECURITY_

  8. B2B SAAS_
    Tenancy separation
    Protection of commercially sensitive information
    Compliance obligations
    Performance SLAs
    Availability SLAs

  9. NCSC GUIDANCE_
    Data-in-transit protection between clients and service
    Industry good practice external certificate configuration
    https://www.ncsc.gov.uk/collection/saas-security/saas-security-principles

  10. (diagram: public HTTPS. A region with one VPC spanning two AZs, each holding a private subnet with a Service Cluster, fronted by an Application Load Balancer; the Client/User on the Customer Network reaches it across the Public Internet)

  11. PUBLIC HTTPS_
    Pros:
    Easy to set up
    Encrypted in Transit
    All clients equal
    Cons:
    Service exposed on public internet
    Network access controls awkward if multi-tenant

  12. (diagram: VPC peering. Your VPC in a region, with a private subnet and Service Cluster in each of two AZs behind an Application Load Balancer, joined by VPC Peering to the customer's VPC where the Client/User sits)

  13. VPC PEERING_
    Pros:
    Private network relationship
    Cons:
    Peering routes are bidirectional
    Security Group / Firewall required
    Potential for IP range collision
    Routing table modifications required

  14. What if you could expose your service as though it was part of your customer's own network, without any of that traffic crossing the public internet?

  15. VPC ENDPOINTS_

  16. (diagram: a region with one VPC; an EKS Container in a private subnet reaches the outside world through a NAT gateway in a public subnet and the Internet gateway)

  17. (diagram: the same VPC; the EKS Container reaches AWS services such as S3, DynamoDB, Secrets Manager, SQS, CloudWatch and more by going out through the NAT gateway and Internet gateway)

  18. (diagram: the same VPC with a Gateway Endpoint added; the EKS Container reaches S3, DynamoDB, Secrets Manager, SQS, CloudWatch and more over PrivateLink instead of the NAT gateway and Internet gateway)

  19. (diagram: the same VPC with an Interface Endpoint (ENI) in the private subnet; the EKS Container reaches S3, DynamoDB, Secrets Manager, SQS, CloudWatch and more over PrivateLink)

  20. (diagram: the same VPC; an Interface Endpoint (ENI) in the private subnet now connects the EKS Container over PrivateLink to Your Service as well as to the AWS services)

  21. PRIVATE LINK_
    Pros:
    Private network relationship
    No Internet Gateway required
    Traffic never leaves AWS
    Unidirectional
    No risk of IP clashes
    Cost effective
    Cons:
    Extra work required for multi-region
    Only supports NLBs & API Gateway

  22. SINGLE REGION CLIENTS_

  23. (diagram: single region. The Customer VPC has an Interface Endpoint (ENI) in a private subnet in each of two AZs; PrivateLink carries traffic to a Network Load Balancer in Your VPC, which fronts a Service Cluster of EKS Containers in a private subnet in each AZ)

  24. (diagram: Customer 1, 2, 3 and 4 VPCs each connect over PrivateLink to the same Network Load Balancer in Your VPC, fronting Service Clusters in two AZs' private subnets)

  25. MULTI REGION CLIENTS_

  26. (diagram: multi-region clients. Region 1: the Customer VPC's Interface Endpoint (ENI) connects over PrivateLink to a Network Load Balancer in Your VPC, with a Service Cluster of EKS Containers. Region 2: Your VPC with a Network Load Balancer, joined to region 1 by inter-region VPC peering)

  27. ON-PREMISES CLIENTS_

  28. (diagram: on-premises clients. The Client/User on the On-Prem Network enters the Customer VPC via Direct Connect (VPG); Interface Endpoints (ENI) in the Customer VPC's private subnets connect over PrivateLink to a Network Load Balancer in Your VPC fronting Service Clusters in two AZs)

  29. OTHER USE CASES_

  30. (diagram: shared egress proxy. A Squid Proxy in Your VPC sits behind a Network Load Balancer and exits to the Public Internet through a NAT Gateway in a public subnet; EKS Containers in the Production VPC and the Staging VPC reach the proxy over PrivateLink through Interface Endpoints (ENI) in their private subnets)

  31. OTHER CONSIDERATIONS_
    Interface Endpoints: only 1 subnet per AZ
    TCP only
    IPv4 only
    Proxy Protocol for source IPs
    10Gbps/AZ (burst to 40Gbps)
    AZ identifier matching (2a != 2a)
    Customer pays:
    Hourly rate per Endpoint per VPC
    Per GB data processed (any direction)
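"Proxy Protocol for source IPs" on slide 31 is where the tenancy separation from slide 8 gets enforced in practice: a target behind a PrivateLink NLB does not see the caller's real address, so enabling Proxy Protocol v2 on the NLB target group is what hands the service the client's source IP and the consumer's VPC endpoint ID (AWS TLV type 0xEA, subtype 0x01). The Python below is an added example, not code from the deck or from The Scale Factory: it parses that header for TCP/IPv4 (all PrivateLink supports) and admits a connection only when its endpoint ID is on an allowlist. The endpoint ID, addresses and allowlist are constructed values.

```python
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # PROXY protocol v2 magic
PP2_TYPE_AWS, PP2_SUBTYPE_AWS_VPCE_ID = 0xEA, 0x01  # NLB TLV carrying the endpoint ID

@dataclass
class ProxyInfo:
    src_ip: str          # client's private IP inside the consumer VPC
    src_port: int
    dst_ip: str
    dst_port: int
    vpce_id: str | None  # consumer's interface endpoint (vpce-...), if via PrivateLink

def parse_proxy_v2(data: bytes) -> tuple[ProxyInfo, bytes]:
    """Parse a v2 PROXY header for TCP/IPv4; return metadata plus the bytes after it."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd != 0x21 or fam_proto != 0x11:  # v2 PROXY command, AF_INET/STREAM only
        raise ValueError("unsupported PROXY header variant")
    body = data[16:16 + length]
    if len(body) != length or length < 12:
        raise ValueError("truncated PROXY v2 header")
    src, dst, sport, dport = struct.unpack_from("!4s4sHH", body)
    info = ProxyInfo(socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, None)
    pos = 12
    while pos + 3 <= length:  # walk the TLVs that follow the address block
        tlv_type, tlv_len = struct.unpack_from("!BH", body, pos)
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            info.vpce_id = value[1:].decode("ascii")
        pos += 3 + tlv_len
    return info, data[16 + length:]

def tenant_for(info: ProxyInfo, endpoint_tenants: dict[str, str]) -> str:
    """Tenancy separation: admit the connection only via a known customer endpoint."""
    if info.vpce_id is None or info.vpce_id not in endpoint_tenants:
        raise PermissionError(f"connection via unknown endpoint {info.vpce_id!r}")
    return endpoint_tenants[info.vpce_id]

# Constructed sample: 10.0.1.15:50820 -> 10.10.2.5:443 via the made-up endpoint
# vpce-0a1b2c3d4e5f67890, followed by the first application bytes.
SAMPLE = (PP2_SIGNATURE + b"\x21\x11\x00\x26" + b"\x0a\x00\x01\x0f\x0a\x0a\x02\x05\xc6\x84\x01\xbb"
          + b"\xea\x00\x17\x01vpce-0a1b2c3d4e5f67890"
          + b"GET / HTTP/1.1\r\n")
ENDPOINT_TENANTS = {"vpce-0a1b2c3d4e5f67890": "customer-1"}  # constructed allowlist
```

A header with no AWS TLV (traffic that did not arrive through PrivateLink) parses but carries no endpoint ID, so `tenant_for` refuses it rather than guessing a tenant from the IP.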

  33. NEXT STEPS_

  34. OTHER WEBINARS_
    The SaaS Journey on AWS
    Architecture for Security on AWS

  35. BREAKFAST OPS CTO DISCUSSION & NETWORKING_

  36. Operations / Security / Performance / Reliability / Cost
    Trusted By
    https://scalefactory.com/services/well-architected/
    $5,000 funding available to support improvement work

  37. SUPPORT & LEARNING_
    Developer Support (via Slack)
    Surgery Hours (Zoom or in person)
    24x7 Incident Support
    Training Sessions
    Trusted By

  38. Q&A_

  39. KEEP IN TOUCH_
    http://www.scalefactory.com/
    @scalefactory
    [email protected]