Amazon Web Services (AWS) offers customers different methods for securing resources in their Amazon Virtual Private Cloud (Amazon VPC) networks. One important security measure is to effectively control remote user access in order to distinguish between authorized and unauthorized users. If internal resources are compromised, they can pose a threat to a larger network of resources—especially when attempting to steal sensitive data or communicate with command and control systems. This document provides AWS customers with best practices and common approaches for choosing a remote access solution as part of a holistic network security strategy. See the VPC Security Capabilities Solution Brief for broader network security recommendations.

The following sections assume basic knowledge of remote-network connectivity, virtual private networks (VPNs), user authentication, and networking.

  • Solution Brief

    Consider the following universal network security principles when implementing a secure remote-access solution:

    • Consider a solution that uses a two-factor authentication mechanism: a possession factor (something the user has) and a knowledge factor (something the user knows).
    • Implement a solution that applies user- or profile-based policies rather than IP-based policies. User- or profile-based policies allow remote users to access internal resources from different IP addresses.
    • Enable audit and access logging capabilities wherever available. Define log retention requirements and lifecycle policies early on, and plan to move log files to cost-efficient storage locations as soon as practical. 

    The AWS Cloud provides low cost, elastic, and secure AWS services to control remote user access. In general, your authentication, authorization, auditing, availability, and scaling requirements will help determine the most appropriate configuration for your use case. The following sections describe common approaches that use a combination of native AWS services, open-source technologies, and third-party products for controlling remote user access.

    Linux bastion hosts provide a secure way for you to connect to your Linux Amazon Elastic Compute Cloud (Amazon EC2) instances without exposing your Amazon VPCs to the internet. Bastion hosts also enable you to access other instances in your VPC using Secure Shell (SSH) on Linux. You can also configure security groups to provide fine-grained ingress control.

    AWS offers a Quick Start that adds Linux bastion hosts to your new or existing AWS infrastructure for your Linux-based deployments. The bastion hosts provide secure access to Linux instances located in the private and public subnets of your virtual private cloud (VPC). The Quick Start sets up a Multi-AZ environment and deploys Linux bastion host instances into the public subnets to provide readily available administrative access to the environment. For more information, see the Linux Bastion Hosts Quick Start deployment guide.  
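    The security-group arrangement behind the bastion pattern is that the bastion accepts SSH only from known administrator ranges, and every private instance accepts SSH only from the bastion's security group, never from a CIDR. The following Python function is an added example (it is not AWS's or the Quick Start's own code) that audits a list of security groups for that pattern. It assumes the dictionary shape returned by boto3's `ec2.describe_security_groups()`, so a real run can pass `["SecurityGroups"]` from that call; the sample groups, account id and the bastion group id `sg-bastion0001` are constructed for this example.

```python
"""Audit EC2 security groups for the bastion-host SSH pattern.

Added example, not AWS's or the Quick Start's code. Input follows the
boto3 ec2.describe_security_groups() response shape; the sample data
below is constructed.
"""
from __future__ import annotations

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _permission_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry includes `port` (or is all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols/ports; no FromPort/ToPort keys
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(groups: list[dict], bastion_sg_id: str) -> list[str]:
    """Return one finding string per violation of the bastion pattern.

    Rules:
      * the bastion group must not accept SSH from 0.0.0.0/0 or ::/0;
      * every other group must accept SSH only via UserIdGroupPairs that
        reference the bastion group, never from any CIDR.
    """
    findings: list[str] = []
    for sg in groups:
        sg_id = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not _permission_covers_port(perm, SSH_PORT):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if sg_id == bastion_sg_id:
                for cidr in cidrs:
                    if cidr in ANYWHERE:
                        findings.append(f"{sg_id}: bastion accepts SSH from {cidr}")
                continue
            for cidr in cidrs:
                findings.append(
                    f"{sg_id}: SSH open to CIDR {cidr}; source should be {bastion_sg_id} only"
                )
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != bastion_sg_id:
                    findings.append(
                        f"{sg_id}: SSH sourced from non-bastion group {pair.get('GroupId')}"
                    )
    return findings


# Constructed sample: one compliant bastion, one compliant app tier,
# and one misconfigured group (SSH from anywhere plus an all-traffic rule).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-bastion0001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],  # documentation range
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-app0001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-bastion0001", "UserId": "111122223333"}]},
        ],
    },
    {
        "GroupId": "sg-db0001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]

if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_GROUPS, "sg-bastion0001"):
        print(line)
```

    Against live data, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`; the port-range check deliberately treats a rule such as TCP 20-25 or an all-traffic rule as covering SSH, since those are the rules that usually slip past a literal search for port 22.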

    For customers who want to implement a fully automated and prescriptive reference deployment, AWS offers the Aviatrix User VPN Quick Start. The Quick Start automatically deploys an Aviatrix Controller for a User VPN service in a new or existing Amazon VPC that enables your remote users to connect to your Amazon VPCs with enhanced security, and access your Amazon EC2 instances, applications, and services.

    The Quick Start leverages Aviatrix’s User VPN, a cloud-native user VPN solution that enables secure remote access to AWS using Aviatrix SSL VPN. The solution is based on OpenVPN and is compatible with all OpenVPN clients. Aviatrix provides its own client that supports Security Assertion Markup Language (SAML) authentication directly from the client.

    The Aviatrix User VPN features a point-and-click, centralized management console that you can use to implement changes and customizations quickly and easily. The solution supports many different authentication options including LDAP/AD, Duo, Okta, multi-factor authentication, and client SAML. It also allows you to assign users to profiles that provide granular access to network resources. For more information, see the Aviatrix User VPN Quick Start deployment guide.

    The AWS Partner Network offers a variety of remote-access solutions that can make it easier for companies of any size or stage of development to provide secure remote access to their internal networks. When selecting a third-party product, look for a solution that is easy to configure, leverages your company’s existing technologies, and meets your user management, configuration, patching, and upgrade requirements.

    See the Partner Offerings tab for a list of popular partner products.

  • AWS Quick Start

    Aviatrix has collaborated with AWS to offer a fully automated AWS Quick Start that deploys a highly available, secure, remote access solution in minutes. The diagram below presents the user VPN architecture you can build using the Quick Start deployment guide and accompanying AWS CloudFormation template.

    1. The Quick Start deploys an Amazon Elastic Compute Cloud (Amazon EC2) instance configured with an Aviatrix Controller you can use to configure VPN access to other VPCs, network providers, an on-premises infrastructure, or even other public cloud providers.
    2. Aviatrix gateways that allow for SSL VPN termination, routing, and security policies are deployed behind an AWS Elastic Load Balancing load balancer for scaling and high availability.
    3. The Quick Start also deploys all the necessary AWS Identity and Access Management (AWS IAM) roles and policies.
    4. You can log sessions, connection history, and bandwidth usage to Splunk, SumoLogic, Elasticsearch, Logstash, Kibana (ELKStack), remote syslog, and Datadog.


    What you'll accomplish:

    Deploy a remote access solution using AWS CloudFormation. The CloudFormation template will automatically launch and configure the components necessary to build an Aviatrix Remote User VPN.

    Build a highly available, scalable user VPN with an Aviatrix Controller, Aviatrix gateways, authentication services, and log analytics.

    Simplify gateway management with a point-and-click, centralized management console that allows you to implement changes or customizations quickly and easily.

    What you'll need before starting:

    An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.

    Skill level: This solution is intended for IT infrastructure and networking professionals who have practical experience architecting on the AWS Cloud.

    Aviatrix licensing: You must decide on a licensing option for the Aviatrix software used in this design and subscribe to the AMI that provides that option. See the deployment guide for detailed information.

    Q: Can I use a different VPN appliance than the Aviatrix Amazon Machine Image (AMI) for my user VPN?

    This automated user VPN Quick Start provides a reference implementation that includes Aviatrix software. The Quick Start doesn’t support remote access products from other software providers. However, you can achieve similar architectural patterns by using other AWS Marketplace products or your own AWS CloudFormation templates.

    Q: What authentication options does this Quick Start support? 

    This Quick Start supports Lightweight Directory Access Protocol/Active Directory (LDAP/AD), Duo, Okta, multi-factor authentication (MFA), client Security Assertion Markup Language (SAML), and other types of authentication.

  • Partner Offerings

    The Amazon Partner Network (APN) offers a variety of comprehensive remote access solutions for organizations of any size or stage of development. Explore the AWS Marketplace for a comprehensive list of partner offerings, including popular options from the following partners.


    The Cisco Adaptive Security Virtual Appliance (ASAv) is a virtual security solution that helps protect virtual and physical data center workloads that expand, contract, or shift their location over time. The Cisco ASAv delivers site-to-site, remote-access, and clientless VPN as a service in virtual domains or private cloud deployments.

    Palo Alto Networks VM-Series next-generation firewall is an AWS Network Competency and Security Competency approved solution that can be fully integrated into your AWS deployment workflow. With the VM-Series firewall, you can protect your remote users and reduce administrative effort and costs.

    Check Point CloudGuard for AWS enables customers to meet their cloud security needs with flexible and manageable security options including: Firewall, VPN, Remote Access, IPS, Application Control, Antivirus, Anti-Bot. CloudGuard protects services in the public cloud from the most sophisticated threats as well as unauthorized access while preventing application layer denial of service attacks.

    Sophos Unified Threat Management (UTM) is a comprehensive security solution that helps you secure your infrastructure in AWS. Sophos UTM provides multiple security options including firewalls, IPS, advanced threat protection, and remote access.

    OpenVPN Access Server is a full-featured SSL VPN software solution that supports a wide range of configurations, including secure and granular remote access to internal network and/or private cloud network resources and applications with fine-grained access control.
