
VPN Server

To provide secure, scalable and private access to AWS cross-organization resources we implement a Pritunl VPN Server.

Security Directives

  1. Private HTTP endpoints for applications (frontend + APIs), SSH, monitoring and logging (UI / dashboards), among others. E.g.: Jenkins, DroneCI, EFK, Prometheus, Spinnaker, Grafana.
  2. K8s API via a private kubectl endpoint, e.g. avoiding emergency K8s API vulnerability patching.
  3. Limit exposure: limit the exposure of the workload to the internet and to internal networks by allowing only the minimum required access, e.g. avoiding exposure of Dev/QA/Stg HTTP endpoints.

    1. The Pritunl OpenVPN Linux instance is hardened and only runs this VPN solution. All other ports/access are restricted.
    2. Each VPN user can be required to use MFA to connect via VPN (as well as a strong password). This combination makes it almost impossible for an outsider to gain access via VPN.
    3. Centralized access and audit logs.
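The "limit exposure" directives above can be checked mechanically. The following is an added example (not code from this page or from Pritunl) that audits a set of security-group ingress rules: only the VPN host may accept internet traffic, and only on the VPN port and the web console port, while every other workload (CI, dashboards, K8s API) must be reachable from the VPN client pool alone. The group names, the client CIDR `10.8.0.0/24` and the ports UDP 1194 / TCP 443 are assumptions for this example.

```python
"""Audit security-group ingress rules against the "limit exposure" directive:
only the VPN server may accept traffic from the internet, and only on its
VPN port (UDP) and web console port (TCP 443); every other group (Jenkins,
Grafana, K8s API, SSH ...) may only be reached from the VPN client CIDR.
All rules below are constructed for this example, not real infrastructure."""

INTERNET = "0.0.0.0/0"
VPN_CLIENT_CIDR = "10.8.0.0/24"                     # assumed VPN client address pool
VPN_PUBLIC_PORTS = {("udp", 1194), ("tcp", 443)}    # assumed Pritunl VPN + console ports


def audit_security_groups(groups, vpn_sg="sg-vpn"):
    """Return (group, proto, port, cidr) tuples for every rule violating the policy."""
    findings = []
    for name, rules in groups.items():
        for proto, port, cidr in rules:
            if name == vpn_sg:
                # VPN host: internet traffic is allowed only on the VPN/console ports
                if cidr == INTERNET and (proto, port) not in VPN_PUBLIC_PORTS:
                    findings.append((name, proto, port, cidr))
            else:
                # Private workloads: reachable from the VPN client pool only,
                # neither from the internet nor from other internal networks
                if cidr != VPN_CLIENT_CIDR:
                    findings.append((name, proto, port, cidr))
    return findings


# Constructed sample: each rule is (protocol, port, source CIDR)
SAMPLE_GROUPS = {
    "sg-vpn": [("udp", 1194, INTERNET), ("tcp", 443, INTERNET), ("tcp", 22, INTERNET)],
    "sg-jenkins": [("tcp", 8080, VPN_CLIENT_CIDR)],
    "sg-grafana": [("tcp", 3000, VPN_CLIENT_CIDR), ("tcp", 3000, INTERNET)],
    "sg-k8s-api": [("tcp", 6443, "172.16.0.0/16")],
}

if __name__ == "__main__":
    # Expected: SSH open to the internet on the VPN host, Grafana exposed
    # publicly, and the K8s API reachable from a non-VPN internal network
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print("VIOLATION: %s allows %s/%s from %s" % finding)
```

In practice the rule tuples would be filled from the cloud provider's security-group description rather than typed inline.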


Figure: Securing access to a private network with Pritunl diagram. (Source: Pritunl, "Accessing a Private Network", Pritunl documentation v1 Guides, accessed November 17th 2020).
