AWS Marketplace
Securing access and optimizing applications on AWS using Prosimo AXI
As you shift your workloads to AWS, you must ensure that access to them is seamless, secure, and optimized for your employees, remote workers, and contractors. When looking at workload access, you should consider the type of user, whether the access is from a managed or unmanaged device, and whether the location is well known or remote. Also consider geographic location requirements such as the General Data Protection Regulation (GDPR) and the performance of the application when accessed from any location. Location requirements and GDPR become even more important when access could be across a range of devices. As applications move to the cloud, each application performance requirement is different, so optimizing for each one is important.
Prosimo AXI, available in AWS Marketplace, provides a single application experience infrastructure stack that delivers consistent application experiences in your AWS account’s administrative control.
In this blog post, I show how to onboard an application onto Prosimo AXI. Onboarding improves application response time and network latency while keeping the workload private and authenticated. I also look at the per-user transaction insights that Prosimo AXI collects as traffic traverses it. Finally, I show how Prosimo AXI provides observability for the application infrastructure stack and helps diagnose problems.
Prerequisites
To complete this walkthrough you need the following:
- An AWS account.
- Example application. In this blog post, I use a WordPress blog hosted on AWS. You can use your own application as well.
- Your existing Identity Provider (IdP).
- An active Prosimo AXI SaaS account.
If you do not have an active Prosimo AXI SaaS account, you can sign up for Prosimo AXI by subscribing in AWS Marketplace or requesting a free trial here.
Solution overview
The following image shows the reference architecture and integration points for AXI and multiple AWS services.
The following architecture diagram shows one cluster in the AWS us-east-1 Region with two Amazon Virtual Private Clouds (Amazon VPCs) for workloads, connected to Prosimo AXI Edge’s VPC through AWS Transit Gateway and optionally chained via a firewall.
The on-premises data center and remote and office workers are connected to the cluster through either the Edge Points of Presence (POPs) or via an AWS Direct Connect underlay. Refer to the following diagram.
Depending on where the Prosimo AXI Edges are deployed, they connect to each other privately across AWS Regions, or to other public clouds over the public network. Access to Software as a Service (SaaS) applications is also possible through a Prosimo AXI Edge. Refer to the following diagram.
A second cluster in the eu-west-2 Region is identical to the first, with two Amazon Virtual Private Clouds (Amazon VPCs) for workloads connected to Prosimo’s VPC through AWS Transit Gateway and optionally chained via a firewall. The on-premises data center and remote and office workers are connected to the cluster through edge Points of Presence (POPs). Refer to the following diagram.
In this solution walkthrough, steps 1–3 take you through the onboarding, optimization, and security wizards.
Step 1: Onboard the application
Once you sign up, during the initial sign in to Prosimo AXI, as part of the Day-0 configuration, you do the following:
- Configure a cross-account IAM role, with an external ID generated by Prosimo AXI, that grants access to your AWS account. The workflow runs from the Prosimo AXI dashboard and the AWS CloudFormation console.
- Set up your IdP details and complete the Day-0 configuration.
After Day-0 configuration, you’re redirected to the AXI dashboard. To configure your first application, navigate to the Applications page. Here, you can either import your applications directly from your identity provider and choose to launch onboarding or manually configure the application details.
For my example, I onboard a sample WordPress application hosted on an Amazon EC2 instance in the AWS Region ap-southeast-2. I configure it as a custom application, because I want to keep using the application with its original URL after onboarding on AXI, and I configure the steps manually to walk through the details. Prosimo AXI also provides a Prosimo domain for every onboarded application. Once onboarded, the application can only be accessed after authenticating with the IdP, unless you configure a policy that turns off fabric authentication for that application.
A. Configure the details for the application
- On the AXI dashboard, navigate to the Applications page. On the Applications page, choose Create New App. This starts the onboarding wizard.
- In step 0 (Settings), for App Name, enter a name for your application. For Select Access Type, choose Agentless to provide access to the application without installing an agent.
- Under App Domain, enter the domain URL. If your application uses other subdomains under the same domain, select the Include sub-domains check box.
- Under Configure Protocol, choose the protocol for Prosimo AXI to use to connect to this application and enter the port. If your application requires web sockets, select the Include Websockets check box.
- Under Enable Health Checks, either enable health checks for the default path or enter a health check URL.
- Choose Create New App Domain to add multiple domains as required for the same application and repeat these steps for each domain. Choose Proceed.
B. Configure the AWS details for this application
- In the onboarding wizard, for step 1 (Cloud), choose Public Cloud because the application is hosted on AWS.
- For the connection option, choose Private because the application must remain private and not open to the internet.
- Choose the appropriate account and Region where the application is hosted. For this example, the application is hosted in the ap-southeast-2 Region.
- For Peering Options, select a connection type based on your requirements. When you pause on a connection type, a help guide on the right shows a diagram of it.
  - Choose VPC Peering if you have well-defined IP Classless Inter-Domain Routing (CIDR) ranges for all workloads and no overlapping IP addresses.
  - Choose Private Link if your application VPCs could have overlapping IP CIDR ranges.
  - Choose Transit Gateway if your application VPC is reachable through a transit gateway, as in the reference architectures.
  - Choose VPN if your application VPC is reachable over an Internet Protocol Security (IPsec) tunnel.
- For the backend IP address or Fully Qualified Domain Name (FQDN), do one of the following:
  - Choose Auto Discover and then choose Find to discover and populate the AWS resource details automatically.
  - Choose Manually Enter and enter an IP address.
- For VPC peering and Transit Gateway connectivity, make sure that the security groups on your application VPC allow inbound traffic from the Prosimo AXI CIDR (the default or the one you customized during the initial setup) on the application port.
- Choose Proceed.
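The security group requirement above is easy to satisfy in the wrong way: opening the application port to 0.0.0.0/0 does let the AXI edge reach it, but it also undoes the "Private" connection choice made earlier in this step. The following Python is an added example, not Prosimo's or AWS's code, that audits a security group in the shape returned by `aws ec2 describe-security-groups`, reports whether the AXI CIDR is allowed and whether the port is open to the internet, and produces a tightened copy that allows only the AXI CIDR. The sample security group and the CIDR (an RFC 5737 documentation range) are constructed placeholders.

```python
import copy
import ipaddress

# Constructed placeholders: the real AXI CIDR is shown in the Prosimo AXI setup.
PROSIMO_CIDR = "192.0.2.0/24"
APP_PORT = 443

# Constructed security group in describe-security-groups shape: the app port is
# world-open (the mistake to catch) and SSH is limited to an admin range.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
}


def _rule_covers(rule: dict, protocol: str, port: int) -> bool:
    """Does this ingress rule apply to the given protocol and port?"""
    if rule["IpProtocol"] == "-1":          # all traffic
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allows_from(sg: dict, cidr: str, protocol: str, port: int) -> bool:
    """True if some ingress rule admits every address in `cidr` on protocol/port."""
    wanted = ipaddress.ip_network(cidr)
    for rule in sg["IpPermissions"]:
        if not _rule_covers(rule, protocol, port):
            continue
        for ip_range in rule.get("IpRanges", []):
            allowed = ipaddress.ip_network(ip_range["CidrIp"])
            if allowed.version == wanted.version and wanted.subnet_of(allowed):
                return True
    return False


def world_open(sg: dict) -> set:
    """Set of (protocol, from_port, to_port) tuples reachable from 0.0.0.0/0."""
    found = set()
    for rule in sg["IpPermissions"]:
        for ip_range in rule.get("IpRanges", []):
            if ipaddress.ip_network(ip_range["CidrIp"]).prefixlen == 0:
                found.add((rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort")))
    return found


def tighten(sg: dict, cidr: str, protocol: str, port: int) -> dict:
    """Return a copy where any world-open range on the app port is replaced by
    `cidr`, adding a dedicated rule if nothing admits `cidr` afterwards."""
    out = copy.deepcopy(sg)
    for rule in out["IpPermissions"]:
        if not _rule_covers(rule, protocol, port):
            continue
        rule["IpRanges"] = [
            {"CidrIp": cidr} if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0 else r
            for r in rule.get("IpRanges", [])
        ]
    if not allows_from(out, cidr, protocol, port):
        out["IpPermissions"].append({"IpProtocol": protocol, "FromPort": port,
                                     "ToPort": port, "IpRanges": [{"CidrIp": cidr}]})
    return out


if __name__ == "__main__":
    print("AXI CIDR allowed:", allows_from(SAMPLE_SG, PROSIMO_CIDR, "tcp", APP_PORT))
    print("world-open rules:", world_open(SAMPLE_SG))
    fixed = tighten(SAMPLE_SG, PROSIMO_CIDR, "tcp", APP_PORT)
    print("after tightening, world-open rules:", world_open(fixed))
```

The tightened dictionary is the shape `authorize-security-group-ingress` and `revoke-security-group-ingress` expect, so the diff between the original and the fixed copy tells you exactly which rule to revoke and which to authorize.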
C. Configure the Domain Name System (DNS) and Secure Sockets Layer (SSL) certificate
- In the onboarding wizard, step 3 (DNS), update one or more DNS records to the mappings displayed.
- Choose Proceed.
- In step 4 (SSL), choosing Generate SSL certificate automatically generates an SSL certificate for you using Let’s Encrypt.
- Choose Proceed.
Step 2: Optimize the application
Continuing the wizard workflow, you can optimize your application in the Optimization step. This setting determines where users enter AXI and how their traffic is routed to the application.
Application infrastructure stack optimization and caching in Prosimo AXI helps to bring optimized content close to the users and improves the performance. Your requests no longer have to travel all the way to the origin server; instead, the contents can be served from the closest AXI edge. With fewer origin requests, it can also help save bandwidth costs for the cloud backbone, in addition to faster content delivery.
- In the onboarding wizard step 4 (Optimization), choose the optimization setting that fits the application. The options are the following:
  - Performance enhanced – The AXI edge that receives user traffic is selected based on overall performance. If a Prosimo AXI edge in the AWS Region closest to the user is selected, content is served locally from that Region. Further data travels over persistent connections between the Prosimo AXI edge and the application across the AWS backbone network, giving you a multilayer optimization stack across AXI edges.
  - Cost Savings – Users are always routed directly over the internet to the Prosimo AXI edge in the application Region.
  - Fast lane – This option configures the cloud provider’s edge Point of Presence (POP) as the ingress into the fabric. Select it if users accessing the application should ride the cloud provider’s backbone network from the metro Region closest to where they are located, which minimizes potential last-mile performance issues. This configuration incurs additional cost on your cloud provider’s bill based on usage, so applications with stringent performance requirements or ISP-related performance issues are the best candidates for it.
- For caching, select the default cache rule or configure more granular rules.
- Choose Proceed.
Based on the optimization configuration and the application’s characteristics, Prosimo AXI applies the necessary optimizations for the application. After the application is set up, AXI continuously recommends further optimizations in three categories:
- Cost and performance optimization
- Dynamic User Risk Score
- Infrastructure expansion based on user access
Step 3: Secure the application
A. Secure the application
In the application configuration wizard security step, you can secure your application.
- In the onboarding wizard step 5 (Security), choose a policy. In this example, I choose the Allow policy to allow all traffic to my application. The other options are the following:
  - Deny All – Disables access to the application.
  - Customize – Matches on characteristics of the users, applications, location, URL, and so on, and allows, denies, or bypasses authentication for the application.
- Under Configure AWS Web Application Firewall (AWS WAF) Policies for your App Domains > Select WAF Policy, selecting Default WAF Policy sets up a WAF policy for your application. You can also configure and customize the WAF policy to include or exclude rule sets as required.
- Choose Proceed.
- Review the configurations and choose Onboard App. This completes the onboarding for the application while optimizing and securing it.
B. Add security settings (optional)
For additional security settings, navigate to the Risk Settings page. To do this, in the AXI Dashboard sidebar navigation, choose Protect and then Dynamic Risk. Here, you can enable dynamic risk settings for your infrastructure. As part of the settings, you can configure one or more of the following:
- Enforce multi-factor authentication (MFA) by toggling the on/off button.
- Send an alert to the admin when the user behavior shows an anomaly by toggling the on/off button.
- Lock a user based on the anomalous behavior. To lock a user from accessing any applications based on anomalous behavior, toggle the on/off button.
Visualizing user transactions
The Application-driven Intelligent Results (AIR) engine provides insights to administrators based on the logs and telemetry collected from the AXI edges.
The application Service Level Agreement (SLA) score is represented by the Total Response Time metric, as shown in the following screenshot. It shows a summarized view of user access for an application, grouped by user and application for a session interval. In the following example, a user located on the West Coast of the United States is accessing an application hosted in the ap-southeast-2 Region. The user’s requests enter Prosimo AXI in the us-west-1 AWS Region, traverse the AWS backbone from us-west-1 to ap-southeast-2, and reach the application via the Prosimo AXI edge in ap-southeast-2. For the entire session, you can view a summary of statistics for the following:
- User details
  - Username as configured in the IdP
  - Browser type and version
  - Device OS and version
  - IP and location
- Session level details
  - Round Trip Time (RTT) from the user to the nearest AXI Edge
  - Mid-mile RTT between the edges
  - Edge processing times
  - Application response times
  - Number of requests and time
  - Counters for cache hits, misses, errors, and redirects
- Application details
  - Application name
  - Application Region details
  - Application private IP information
Refer to the following screenshot.
If you want to drill down into each individual transaction for a specific user and application, every summary expansion has a link at the bottom left, Learn more in diagnose. The following screenshot shows each of the transactions for the given session that are included in the preceding summarized output. Here, you can drill down further into a transaction and look at:
- Transaction request protocol.
- Transaction request method, such as GET, POST, PUT, or DELETE.
- Risk score associated with the transaction.
- Time to first byte (TTFB) for the transaction.
- Result of the Web Application Firewall (WAF) evaluation.
- Result of the policy evaluation (if applicable) on the transaction.
- Blocked status – whether the transaction was blocked by WAF, IP reputation, policy, or for any other reason.
You can optimize and secure all your applications across all AWS Regions for all of your users using a single application experience infrastructure stack.
Cleaning up
To clean up any resources added as part of the walkthrough, follow these steps:
- On the AXI dashboard side navigation bar, choose Applications.
- For each configured application, open its options dropdown and choose Decommission. Do this for all configured applications.
- On the AXI dashboard side navigation bar, choose Management > Edge.
- For each Prosimo AXI Edge listed, open its options dropdown and choose Decommission. Do this for all Prosimo AXI Edges listed.
Conclusion
In this blog post, I showed you how to set up Prosimo AXI in your AWS account and onboard a WordPress blog application. With Prosimo AXI, you can onboard different applications across different AWS Regions and experience the same benefits for all of them.
Learn more about the common use cases that enterprises deploy Prosimo AXI for:
For more information about Prosimo AXI, take the Prosimo Challenge and sign up for a free trial.
The content and opinions in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.
About the author
Linus Aranha is the Co-Founder and Chief Architect at Prosimo. Linus has been involved in key leadership and technological advances for enterprise infrastructure as it expands into the cloud and edge landscape.