Secure AWS resource access for global teams by eliminating VPN complexity
How to enable fast, secure connections to AWS VPC resources with simplified management, granular access controls, and comprehensive audit capabilities using Tailscale
The COVID-19 pandemic has forever transformed how we work, ushering in an era where personal and professional lives blend seamlessly through remote work options. Modern teams now embrace geographical diversity, respecting different time zones while maintaining trust in employees to meet their deliverables. This shift to remote work has presented IT teams with a new common challenge: providing secure access to sensitive resources from anywhere in the world. Traditional Virtual Private Network (VPN) infrastructure is known for being complex and costly to scale, for poor connection quality with frequent failures and high latency, and for complex configuration requirements. Many organizations are starting to embrace newer protocols like WireGuard, which offers faster speed without compromising security. In this article, you will learn how to use Tailscale to enable your teams to collaborate securely without having to manage heavy VPN infrastructure.
Imagine you're a DevSecOps engineer at a prestigious university with a strong machine learning (ML) research lab. The university has recently been getting a lot of interest (and funding!) from the industry due to the Generative AI research taking place at the ML lab. The growing interest is leading to an increasing number of external research team members from other universities and the industry looking to both contribute to your research, as well as gain access to models and data sets being developed by your institution. With this rapid increase in users, IT has received complaints regarding VPN onboarding steps and slow network speed.
The problem statement is simple: enable a diverse group of non-technical remote users (professors and post-doctorate students at ML labs, industry researchers, and researchers from other universities) to share access to the central research clusters running in a private AWS VPC subnet without sacrificing network speed.
The challenge of simple and secure remote access
Before jumping into solutions, let’s first dig into the challenge. At the university research lab, three different groups collaborate: professors, student researchers, and industry researchers. Historically, although VPN onboarding has always been complex, IT had provided hands-on assistance to all users, who were able to visit the lab personally. However, with more and more external academic and industry researchers collaborating with the group, VPN onboarding has started to become a problem due to remote locations and diverse network environments from where contributors connect. This has led to a concerning flow of support requests to IT, and a growing sense of frustration from users.
Network latency, as can be seen in the following diagram, is a key source of poor performance. The current VPN architecture follows the hub-and-spoke pattern. With increased traffic, the hub is now becoming the bottleneck, as every VPN tunnel established must talk to the same server—the hub. It’s as if an entire football team came into your local coffee shop with just one barista working—every order is going to take a lot longer to deliver, and the wait will be inconvenient for everyone (and stressful for the barista!).
With global teams working on large datasets and high-performance computing, the tunnels are getting full, and the infrastructure is starting to fail.
IT has become overwhelmed with fielding basic VPN setup calls with researchers, not to mention managing VPN servers and certificates. When you start looking for solutions, WireGuard surfaces as a newer VPN protocol that has a lightweight design and offers high speed and performance. If WireGuard helps you fix the issues you are facing with your ML lab, down the line, you might consider extending the pattern to other research departments as well.
About WireGuard VPN protocol
WireGuard is a modern Virtual Private Network (VPN) protocol that offers speed and simplicity. Here are some characteristics of WireGuard:
Speed: WireGuard supports peer-to-peer connections, which means devices connect directly to each other instead of going through a central server, thus eliminating the downside of a hub-and-spoke design clogging the central server!
Security: WireGuard offers security with the use of state-of-the-art cryptography. It uses ChaCha20 as its encryption algorithm, Poly1305 for message authentication, Curve25519 for key exchange, and BLAKE2s for hashing. These are all choices that are recognized for their strength and performance, especially on general-purpose computers such as the ones researchers use.
Configuration simplicity: WireGuard setup is much more efficient than traditional VPN configuration processes:
- Install WireGuard on each device, generate keys for each device, and configure some basic parameters in a configuration file.
- The configuration includes the following information about the device:
  - Port to listen on
  - Private IP address
  - Private key
- It also includes information about each peer device:
  - Public key
  - The endpoint where the peer device can be reached
  - Private IPs associated with the peer device
The WireGuard configuration is clear-cut. However, it’s important to note that each pair of devices requires a configuration entry. So, if you are trying to connect a large number of devices, especially in a mesh network manner, the number of entries you have to manage increases drastically.
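To make the scaling point concrete, here is an added example (not from the article) that renders WireGuard configuration files for a full mesh of devices and counts the pairwise [Peer] entries an administrator has to keep in sync. Device names, tunnel addresses, endpoints and keys are constructed placeholders, not real keys.

```python
# Added example, not from the article: render WireGuard configuration files for
# a full mesh and count the pairwise [Peer] entries an administrator must keep
# in sync. Device names, IPs, endpoints and keys are constructed placeholders.
from typing import Dict, List

def make_devices(n: int) -> List[Dict[str, str]]:
    """Build n constructed device records (keys are placeholders, not real keys)."""
    return [
        {
            "name": f"device{i}",
            "port": "51820",
            "ip": f"10.0.0.{i}/32",              # tunnel address of this device
            "endpoint": f"device{i}.example:51820",
            "private_key": f"<device{i}-private-key>",
            "public_key": f"<device{i}-public-key>",
        }
        for i in range(1, n + 1)
    ]

def render_config(device: Dict[str, str], peers: List[Dict[str, str]]) -> str:
    """Render one device's wg .conf: its own [Interface] plus one [Peer] per other device."""
    lines = [
        "[Interface]",
        f"ListenPort = {device['port']}",
        f"Address = {device['ip']}",
        f"PrivateKey = {device['private_key']}",
    ]
    for peer in peers:
        lines += [
            "",
            "[Peer]",
            f"PublicKey = {peer['public_key']}",
            f"Endpoint = {peer['endpoint']}",
            f"AllowedIPs = {peer['ip']}",     # tunnel IPs reachable via this peer
        ]
    return "\n".join(lines) + "\n"

def mesh_configs(devices: List[Dict[str, str]]) -> Dict[str, str]:
    """One config per device; every device lists every other device as a peer."""
    return {d["name"]: render_config(d, [p for p in devices if p is not d]) for d in devices}

def total_peer_entries(configs: Dict[str, str]) -> int:
    """Number of [Peer] blocks across all files: n * (n - 1) for n devices."""
    return sum(cfg.count("[Peer]") for cfg in configs.values())

if __name__ == "__main__":
    for n in (3, 10, 50):
        print(n, "devices ->", total_peer_entries(mesh_configs(make_devices(n))), "peer entries")
```

Three devices already need six peer entries, and fifty devices need 2,450, each containing a key that must be rotated everywhere when a device is replaced.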
Clearly, WireGuard is promising and would be able to address the need to provide a fast, secure connection to lab infrastructure. However, for the POC to work, you need a solution that significantly reduces configuration management complexity as well.
Why use a managed WireGuard solution
As a large technical organization, you want the solution to support common networking requirements such as:
- Integration: Integration with popular identity providers used by the industry, such as OneLogin or Okta.
- Easily readable DNS name: Ability to allow users to associate a logical, human-readable DNS name with each device within their network, so they don’t need to remember the IP address of each device. This has been an explicit demand from multiple professors.
- Exit node support, to serve two purposes: first, as an additional security measure for any traffic that needs to go to the internet; second, to allow users to access certain networks that are reachable only through a specific node.
- Ease of use and auditability: The solution should allow users to reliably connect across complex firewall configurations while giving you the ability to audit activity to ensure network health and security.
Introducing Tailscale - Pay as You Go
When you start exploring AWS Marketplace, you come across Tailscale - Pay as You Go, a WireGuard protocol-based Software as a Service (SaaS) product that is cloud- and hardware-agnostic. It brings identity to the network layer so that you can control access based on user identity, not only based on an IP address.
What strikes you is Tailscale’s ability to manage NAT traversal and connection handling automatically. This feature would ensure seamless connectivity without manual network configuration across a wide range of network environments. In contrast to the current implementation, here is what the Tailscale network could look like—a big improvement over the hub-and-spoke model you’ve been using. Tailscale sounds promising, so you decide to do a small POC.

A key success criterion is to identify how easy it is for a user to connect to an Amazon EC2 instance running in a private subnet from their own computer and mobile phone. Once they are connected to the EC2 instance via a secure tunnel, they will be able to interact with a cluster hosted in the same VPC in the private subnet. Here is how you go about it.
Create a Tailscale network of three devices
Step 1. Build a tailnet
Tailscale - Pay as You Go comes with a free trial when subscribed from AWS Marketplace, and the signup process is quite straightforward.
A) Add your first device
As part of the widget, you are asked to first include a device in the network. To start, let’s say you want to add your personal computer to the network.

When you choose macOS and then the download button, you are redirected to the App Store, where you can download the Tailscale client. The client asks you to sign in to your network, and once you choose Connect, you are in.

B) Add the second device
The signup widget lets you add another device as well. Since you also want to access the EC2 instance running in the university cloud environment from your mobile phone, you choose to install Tailscale on your phone too. You go to the App Store and download Tailscale from there.

Much like the desktop configuration, the wizard asks you to sign in, installs a VPN configuration on your phone, and then connects you to the tailnet.

On your phone, you are now able to discover your desktop, which is already part of the tailnet.
When you run the ping command from your computer, you are able to ping the IP address of your iPhone.
C) Add the third device – an Amazon EC2 instance
You can see both devices appearing in the admin console. Next, you add an Amazon EC2 instance. Tailscale automatically generates an installation script, which you can execute from the EC2 instance.

After the script execution is complete, you see the EC2 instance appear as the third device in the tailnet. Here is the screenshot that shows the devices after you rename them using the MagicDNS functionality offered by Tailscale.

Step 2: SSH from your computer to the EC2 instance
Now, you can go back to the EC2 instance’s security group settings and disable inbound Secure Shell (SSH) access.

Next, you can execute the following SSH command to log on to the EC2 instance:
ssh -i <pem-file> ec2-user@public-ec2
As you can see in the following screenshot, you can SSH into the EC2 instance without opening the SSH port on EC2, using the logical name you assigned, public-ec2.

Pretty impressive!
Once you have connected to the EC2 instance, you are able to reach the cluster running in the private subnet, but this time with an EC2 bastion that is fully private, and without the need to open any inbound ports on the machine.

Here is how the POC architecture looks.

To summarize, in a very short time, you went from no VPN to a Tailscale VPN (tailnet) setup containing three nodes: one desktop, one EC2 instance, and one iPhone. You were able to SSH into the EC2 instance from your desktop without having to know the public IP of the EC2 instance, and while ensuring that the security group of the EC2 instance did not allow anybody to SSH in.
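A practitioner will want to verify, not just assume, that the security group really no longer admits inbound SSH after Step 2. The following added check (not from the article or from Tailscale) inspects a security group description in the shape returned by boto3's describe_security_groups; the group IDs and rules are constructed "before" and "after" examples, so it runs offline.

```python
# Added example, not from the article: check that an EC2 security group no
# longer admits inbound SSH, which the Tailscale-based access in Step 2 makes
# unnecessary. The dicts mimic the shape returned by boto3's
# describe_security_groups; group IDs and CIDRs are constructed placeholders.
import ipaddress
from typing import Dict, List

SSH_PORT = 22

def rule_covers_ssh(perm: Dict) -> bool:
    """True if one IpPermissions entry allows TCP port 22 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def open_ssh_sources(sg: Dict) -> List[str]:
    """CIDR sources that may reach port 22 on this security group."""
    sources = []
    for perm in sg.get("IpPermissions", []):
        if not rule_covers_ssh(perm):
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sources

def ssh_open_to_internet(sg: Dict) -> bool:
    """True if any SSH source is a /0, i.e. the whole internet."""
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in open_ssh_sources(sg))

# Constructed "before" group: the usual port-22-from-anywhere rule.
SG_BEFORE = {
    "GroupId": "sg-placeholder-before",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
    ],
}
# Constructed "after" group: no inbound rules at all. Tailscale still reaches the
# instance because the client opens its connections outbound.
SG_AFTER = {"GroupId": "sg-placeholder-after", "IpPermissions": []}

if __name__ == "__main__":
    for sg in (SG_BEFORE, SG_AFTER):
        print(sg["GroupId"], "ssh sources:", open_ssh_sources(sg),
              "internet-exposed:", ssh_open_to_internet(sg))
```

Running the same check against the real response from describe_security_groups is a quick way to catch an SSH rule that was re-added later.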
Key takeaways
With Tailscale - Pay as You Go, you will be able to provide secure VPN tunnels while following Zero Trust Network Access (ZTNA) principles, which reduce the attack surface by preventing unauthorized access.
Here are some key takeaways to help you get started on your next project:
- Start by understanding your current network access patterns. To do that, map out which teams need access to what resources.
- Start with a small pilot. Pick a small team for the initial rollout, validate the implementation, and ensure it works well from different devices and locations.
- Follow security best practices, such as disabling direct SSH access, using exit nodes to route your public internet traffic, using subnet routers when necessary, and reviewing/updating access policies as necessary.
- Monitor connection logs and user activity.
- Finally, document the onboarding process so it’s easy for new members to get started.
If you haven’t yet started, try Tailscale - Pay as You Go using your AWS account in AWS Marketplace. You’ll be able to try it for free and pay-as-you-go with consolidated billing through AWS as your application scales. Visit Tailscale.com for additional product information.
About AWS Marketplace
AWS Marketplace makes it easy to find and add new tools from across the AWS partner community to your tech stack with the ability to try for free and pay-as-you-go using your AWS account.

Easily add new category-leading third-party solution capabilities into your AWS environment.

Avoid up front license fees and pay only for what you use, consolidating billing with your AWS account.
