Secure SaaS Networking with AWS PrivateLink

Transcript

1. SECURE SAAS NETWORKING WITH AWS PRIVATELINK_ JON TOPPER | @jtopper

   | he/him/his

2. $ whoami Founder/CEO/CTO The Scale Factory Working in hosting/infrastructure for

   20 years Infrastructure / AWS / DevOps
3. None

4. THE TEAM_

5. OUR CLIENTS_

6. TODAY’S AGENDA_ SaaS Security Requirements Common Solutions AWS VPC Networking

   PrivateLink Solutions AWS Partnerships & PrivateLink Service Ready Wrap up

7. SAAS SECURITY_

8. B2B SAAS_ Tenancy separation Protection of commercially sensitive information Compliance

   obligations Performance SLAs Availability SLAs

9. NCSC GUIDANCE_ Data-in-transit protection between clients and service Industry good

   practice external certificate configuration https:/ /www.ncsc.gov.uk/collection/saas-security/saas-security-principles

10. region vpc az private subnet az private subnet Service Cluster

    Service Cluster Customer Network Public Internet Application Load Balancer Client User

11. PUBLIC HTTPS_ Pros: Easy to set up Encrypted in Transit

    All clients equal Cons: Service exposed on public internet Network access controls awkward if multi-tenant

12. region Your VPC az private subnet az private subnet Service

    Cluster Service Cluster Application Load Balancer vpc Client User VPC Peering

13. VPC PEERING_ Pros: Private network relationship Cons: Peering routes are

    bidirectional Security Group / Firewall required Potential for IP range collision Routing table modifications required

14. What if you could expose your service as though it

    was part of your customer's own network without any of that traffic crossing the public internet?

15. VPC ENDPOINTS_

16. region vpc az private subnet public subnet Internet gateway NAT

    gateway EKS Container

17. region vpc az private subnet public subnet Internet gateway S3

    DynamoDB Secrets Manager SQS CloudWatch & more NAT gateway EKS Container

18. region vpc az private subnet public subnet Internet gateway S3

    DynamoDB Secrets Manager SQS CloudWatch & more NAT gateway EKS Container Gateway Endpoint PrivateLink

19. region vpc az private subnet public subnet Internet gateway S3

    DynamoDB Secrets Manager SQS CloudWatch & more NAT gateway EKS Container Interface Endpoint (ENI) PrivateLink

20. region vpc az private subnet public subnet Internet gateway S3

    DynamoDB Secrets Manager SQS CloudWatch & more NAT gateway EKS Container Interface Endpoint (ENI) Your Service PrivateLink

21. PRIVATE LINK_ Pros: Private network relationship No Internet Gateway required

    Traffic never leaves AWS Unidirectional No risk of IP clashes Cost effective Cons: Extra work required for multi-region Only supports NLBs & API Gateway

22. SINGLE REGION CLIENTS_

23. region Customer VPC az private subnet az private subnet Your

    VPC az private subnet az private subnet Network Load Balancer Service Cluster Service Cluster Interface Endpoint (ENI) Interface Endpoint (ENI) PrivateLink EKS Container EKS Container

24. region Customer 1 VPC Your VPC az private subnet az

    private subnet Network Load Balancer Service Cluster Service Cluster PrivateLink Customer 2 VPC Customer 3 VPC Customer 4 VPC

25. MULTI REGION CLIENTS_

26. region 1 Customer VPC az private subnet Your VPC az

    private subnet Network Load Balancer Service Cluster Interface Endpoint (ENI) PrivateLink EKS Container region 2 Your VPC Network Load Balancer Inter-region VPC peering

27. ON-PREMISES CLIENTS_

28. region Customer VPC az private subnet Your VPC az private

    subnet az private subnet Network Load Balancer Service Cluster Service Cluster Interface Endpoint (ENI) PrivateLink az private subnet Interface Endpoint (ENI) Direct Connect (VPG) On-Prem Network Client User

29. OTHER USE CASES_

30. Production VPC az private subnet Your VPC az private subnet

    Network Load Balancer Squid Proxy Interface Endpoint (ENI) PrivateLink EKS Container Staging VPC az private subnet EKS Container Interface Endpoint (ENI) public subnet NAT Gateway Public Internet

31. OTHER CONSIDERATIONS_ Interface Endpoints: only 1 subnet per AZ TCP

    only IPv4 only Proxy Protocol for source IPs 10Gbps/AZ (burst to 40Gbps) AZ identifier matching (2a != 2a) Customer pays: Hourly rate per Endpoint per VPC Per GB data processed (any direction)
32. None

33. NEXT STEPS_

34. OTHER WEBINARS_ The SaaS Journey on AWS Architecture for Security

    on AWS

35. BREAKFAST OPS CTO DISCUSSION & NETWORKING_

36. Operations / Security / Performance / Reliability / Cost Trusted

    By https:/ /scalefactory.com/services/well-architected/ $5,000 funding available to support improvement work

37. SUPPORT & LEARNING_ Developer Support (via Slack) Surgery Hours (Zoom

    or in person) 24x7 Incident Support Training Sessions Trusted By

38. Q&A_

39. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ @scalefactory jon@scalefactory.com