Secure SaaS Networking with AWS PrivateLink

As a SaaS business, your customers are trusting you to keep their valuable data safe. What if you could expose your service as though it was part of your customer's own network, without any of that traffic crossing the public internet?

In this webinar, we look at how to achieve this with AWS PrivateLink. We'll also discuss some other use cases for this, and related AWS services.

The Scale Factory

September 02, 2020
Transcript

  1. SECURE SAAS NETWORKING WITH AWS PRIVATELINK_ JON TOPPER | @jtopper | he/him/his
  2. $ whoami: Founder/CEO/CTO, The Scale Factory. Working in hosting/infrastructure for 20 years. Infrastructure / AWS / DevOps.
  4. THE TEAM_
  5. OUR CLIENTS_
  6. TODAY'S AGENDA_ SaaS Security Requirements; Common Solutions; AWS VPC Networking; PrivateLink Solutions; AWS Partnerships & PrivateLink Service Ready; Wrap up
  7. SAAS SECURITY_
  8. B2B SAAS_ Tenancy separation; Protection of commercially sensitive information; Compliance obligations; Performance SLAs; Availability SLAs
  9. NCSC GUIDANCE_ Data-in-transit protection between clients and service; Industry good practice external certificate configuration. https://www.ncsc.gov.uk/collection/saas-security/saas-security-principles
  10. [Diagram: a region with a VPC and two AZ private subnets, each holding a Service Cluster behind an Application Load Balancer; the Customer Network (Client, User) reaches the load balancer across the Public Internet]
  11. PUBLIC HTTPS_ Pros: Easy to set up; Encrypted in transit; All clients equal. Cons: Service exposed on public internet; Network access controls awkward if multi-tenant.
  12. [Diagram: Your VPC (region, two AZ private subnets with Service Clusters, Application Load Balancer) connected to the customer's VPC (Client, User) by VPC Peering]
  13. VPC PEERING_ Pros: Private network relationship. Cons: Peering routes are bidirectional; Security Group / Firewall required; Potential for IP range collision; Routing table modifications required.
  14. What if you could expose your service as though it was part of your customer's own network without any of that traffic crossing the public internet?
  15. VPC ENDPOINTS_
  16. [Diagram: region, VPC, AZ with a private subnet (EKS Container) and a public subnet (NAT gateway), plus an Internet gateway]
  17. [Diagram: as slide 16, with the EKS Container reaching S3, DynamoDB, Secrets Manager, SQS, CloudWatch & more via the NAT gateway and Internet gateway]
  18. [Diagram: as slide 17, adding a Gateway Endpoint (PrivateLink)]
  19. [Diagram: as slide 17, adding an Interface Endpoint (ENI) (PrivateLink)]
  20. [Diagram: as slide 19, with Your Service reached through the Interface Endpoint (ENI) (PrivateLink)]
  21. PRIVATE LINK_ Pros: Private network relationship; No Internet Gateway required; Traffic never leaves AWS; Unidirectional; No risk of IP clashes; Cost effective. Cons: Extra work required for multi-region; Only supports NLBs & API Gateway.
  22. SINGLE REGION CLIENTS_
  23. [Diagram: within one region, the Customer VPC (two AZ private subnets, each with an Interface Endpoint (ENI)) reaches Your VPC (two AZ private subnets with Service Clusters / EKS Containers behind a Network Load Balancer) over PrivateLink]
  24. [Diagram: Customer 1, 2, 3 and 4 VPCs each connected over PrivateLink to the Network Load Balancer in front of the Service Clusters in Your VPC]
  25. MULTI REGION CLIENTS_
  26. [Diagram: region 1: Customer VPC (AZ private subnet, Interface Endpoint (ENI)), Your VPC (AZ private subnet, Network Load Balancer, Service Cluster / EKS Container), PrivateLink; region 2: Your VPC, Network Load Balancer; inter-region VPC peering between the two]
  27. ON-PREMISES CLIENTS_
  28. [Diagram: Customer VPC with Interface Endpoints (ENI) in its AZ private subnets reaching the Network Load Balancer / Service Clusters in Your VPC over PrivateLink; the On-Prem Network (Client, User) reaches the Customer VPC via Direct Connect (VPG)]
  29. OTHER USE CASES_
  30. [Diagram: Production VPC (AZ private subnet, EKS Container, Interface Endpoint (ENI)) and Staging VPC (AZ private subnet, EKS Container, Interface Endpoint (ENI)) reaching a Squid Proxy behind a Network Load Balancer in Your VPC over PrivateLink; Your VPC has a public subnet with a NAT Gateway to the Public Internet]
  31. OTHER CONSIDERATIONS_ Interface Endpoints: only 1 subnet per AZ; TCP only; IPv4 only; Proxy Protocol for source IPs; 10Gbps/AZ (burst to 40Gbps); AZ identifier matching (2a != 2a). Customer pays: Hourly rate per Endpoint per VPC; Per GB data processed (any direction).
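The "Proxy Protocol for source IPs" consideration above and the "network access controls awkward if multi-tenant" con from the Public HTTPS slide both come down to what a service behind the NLB can learn about a PrivateLink connection. The following is an added example, not code from the deck or from The Scale Factory: it parses the Proxy Protocol v2 header an NLB prepends when that option is enabled, including the AWS-defined TLV (type 0xEA, subtype 0x01) carrying the consumer's VPC endpoint ID, and identifies the tenant by that ID rather than by the source address, which is a consumer-private IP that different customers' VPCs may reuse. The endpoint ID, tenant map, addresses and sample header are constructed placeholders.

```python
import socket
import struct

# PROXY protocol v2 constants; TLV type 0xEA / subtype 0x01 is the AWS
# extension that carries the consumer-side VPC endpoint ID.
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP2_TYPE_AWS, PP2_SUBTYPE_AWS_VPCE_ID = 0xEA, 0x01
# Constructed tenant map: the endpoint ID is a placeholder, not a real one.
TENANT_BY_VPCE = {"vpce-0123456789abcdef0": "customer-1"}

def parse_proxy_protocol_v2(data: bytes) -> dict:
    # Parse the header the NLB prepends when Proxy Protocol v2 is on (IPv4/TCP only).
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("missing PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21 or fam_proto != 0x11:   # v2 PROXY command, AF_INET + STREAM
        raise ValueError("unsupported version, command or address family")
    end = 16 + length
    if length < 12 or len(data) < end:
        raise ValueError("truncated header")
    body = data[16:end]
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    info = {"src": (socket.inet_ntoa(body[0:4]), src_port),
            "dst": (socket.inet_ntoa(body[4:8]), dst_port),
            "vpce_id": None, "payload": data[end:]}   # vpce_id stays None without the AWS TLV
    pos = 12
    while pos + 3 <= len(body):                       # walk the TLVs after the addresses
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            info["vpce_id"] = value[1:].decode("ascii")
        pos += 3 + tlv_len
    return info

def tenant_for_connection(info: dict) -> str:
    # Authorise on the endpoint ID, not the source IP: that is a consumer-private
    # address, and different customers' VPCs may use the same ranges.
    if info["vpce_id"] not in TENANT_BY_VPCE:
        raise PermissionError(f"unknown or missing PrivateLink endpoint: {info['vpce_id']}")
    return TENANT_BY_VPCE[info["vpce_id"]]

def build_sample_header(vpce_id: str = "vpce-0123456789abcdef0") -> bytes:
    # Constructed stand-in for what the NLB would send, so the parser can run offline.
    tlv_value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
    body = (socket.inet_aton("10.1.2.3") + socket.inet_aton("10.0.0.10")
            + struct.pack("!HH", 41234, 443)
            + struct.pack("!BH", PP2_TYPE_AWS, len(tlv_value)) + tlv_value)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body + b"GET / HTTP/1.1\r\n"
```

Connections that arrive without the AWS TLV (for example from a path other than a PrivateLink endpoint) are rejected rather than mapped to a default tenant.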
  33. NEXT STEPS_
  34. OTHER WEBINARS_ The SaaS Journey on AWS; Architecture for Security on AWS
  35. BREAKFAST OPS CTO DISCUSSION & NETWORKING_
  36. Operations / Security / Performance / Reliability / Cost. Trusted By. https://scalefactory.com/services/well-architected/ $5,000 funding available to support improvement work
  37. SUPPORT & LEARNING_ Developer Support (via Slack); Surgery Hours (Zoom or in person); 24x7 Incident Support; Training Sessions. Trusted By
  38. Q&A_
  39. KEEP IN TOUCH_ http://www.scalefactory.com/ @scalefactory [email protected]