Latest commit: Fred Damstra [afs macbook]  a95fc0c0ae  Updates AWS Client VPN to Working Configuration  (3 years ago)
files                    01c973246e  Simplifies the Connection Handler  (3 years ago)
README.md                5d16b37ade  Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look  (3 years ago)
auth.tf                  5d16b37ade  Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look  (3 years ago)
certificate.tf           a95fc0c0ae  Updates AWS Client VPN to Working Configuration  (3 years ago)
cloudwatch.tf            5d16b37ade  Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look  (3 years ago)
lambda.tf                b8c0c7de47  Working Connection Handler  (3 years ago)
outputs.tf               a95fc0c0ae  Updates AWS Client VPN to Working Configuration  (3 years ago)
saml.tf                  5b6e0308cd  Updates VPC endpoints ACL to 10/8; AWS VPN Additions  (3 years ago)
security-groups.tf       5d16b37ade  Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look  (3 years ago)
terragrunt.hcl.example   5d16b37ade  Archives the Cisco VPN Module; Unarchives the AWS VPN Module for Another Look  (3 years ago)
vars.tf                  5b6e0308cd  Updates VPC endpoints ACL to 10/8; AWS VPN Additions  (3 years ago)
vpn.tf                   a95fc0c0ae  Updates AWS Client VPN to Working Configuration  (3 years ago)

README.md

AWS Client VPN

Users must download the AWS Client VPN client: https://aws.amazon.com/vpn/client-vpn-download/

They must also be given the client configuration file, which can be downloaded from VPC -> Client VPN Endpoints in the AWS console (it is the same for every user; a self-service portal is possible but is not set up in this module).

Findings:

Pros:

  • SAML works great, meaning we could use either RHSSO or Okta and easily move from one to the other, or to a different IdP.
  • Pricing seems reasonable. Base price of $0.10/hour for the VPN + $0.05/hour per connection.
  • The ability to write a Lambda function to handle connections gives us some great flexibility for connection-related requirements (e.g. allowing only 2 concurrent connections per user).

Cons:

  • It requires an OpenVPN client that supports “auth-federate”, which does not include Viscosity. (But AWS provides a free client of its own for OS X, Windows, and Ubuntu, and the community OpenVPN client should work.)
  • It does not appear to play nicely with Zscaler. We may be able to work with their team to get it working, but that is uncertain.
  • It does not have a lot of flexibility. Configuration is the bare minimum: networks, split tunneling, and DNS servers. I suspect we have FedRAMP requirements we’d be unable to meet. With some ingenuity, some of this could be addressed via the connection handler and/or Lambda functions.

Summary/Conclusion

That last bullet, I think, is a big strike against this as a VPN solution to solve the split tunneling issue. For example, there’s no idle timeout setting (which is an absolutely absurd setting to have on a non-split-tunneled VPN, by the way), and the current AWS response is basically, “Write a Lambda function to disconnect users after a time period.” I admire the flexibility (“just write some Python”) but also hate the complexity of it (“just maintain some Python somebody else wrote”).
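To make the connection-handler idea from the Pros list and the conclusion above concrete, here is an added illustrative Lambda handler that enforces a per-user cap of two concurrent sessions. It is example code written for this README, not the contents of this module's lambda.tf or the files/ directory. It assumes the AWS Client VPN connection-handler contract as documented by AWS (a function named AWSClientVPN-<endpoint name> receives the connection attributes and returns an allow/deny verdict with schema-version "v1"), that boto3 is available in the Lambda runtime, and that the function's role may call ec2:DescribeClientVpnConnections. The decision logic is separated from the AWS API call so it can be exercised offline with the constructed sample event.

```python
"""Illustrative AWS Client VPN connection handler: per-user concurrent-session cap.

Added example for this README; not the module's own lambda.tf code.
Assumes the documented handler contract: the event carries fields such as
"connection-id", "endpoint-id", "common-name", "username", "platform",
"public-ip" and "schema-version"; the response must contain "allow",
"error-msg-on-denied-connection", "posture-compliance-statuses" and
"schema-version".
"""
import json
import os
from typing import Callable

# Cap on simultaneous sessions per user; overridable via Lambda env var (assumption).
MAX_CONCURRENT = int(os.environ.get("MAX_CONCURRENT_CONNECTIONS", "2"))


def _verdict(allow: bool, message: str = "") -> dict:
    """Build the response document in the shape the Client VPN service expects."""
    return {
        "allow": allow,
        "error-msg-on-denied-connection": message,
        "posture-compliance-statuses": [],
        "schema-version": "v1",
    }


def decide(event: dict, count_active: Callable[[str, str], int],
           max_concurrent: int = MAX_CONCURRENT) -> dict:
    """Pure decision: deny when the user already holds max_concurrent active sessions.

    count_active(endpoint_id, username) is injected so the logic is testable
    without AWS; the real Lambda passes the boto3-backed counter below.
    """
    # SAML users arrive with "username"; certificate users with "common-name".
    username = event.get("username") or event.get("common-name") or ""
    endpoint_id = event.get("endpoint-id", "")
    if not username:
        return _verdict(False, "Connection rejected: no user identity in request")
    try:
        active = count_active(endpoint_id, username)
    except Exception as exc:  # API failure: fail closed rather than silently allow
        print(json.dumps({"level": "error", "event": "count_failed",
                          "user": username, "error": str(exc)}))
        return _verdict(False, "Connection rejected: unable to verify session count")
    # The connection being evaluated is not yet counted as active (assumption),
    # so an existing count of max_concurrent means this would be one too many.
    if active >= max_concurrent:
        print(json.dumps({"level": "info", "event": "denied_concurrency",
                          "user": username, "active": active, "limit": max_concurrent,
                          "public_ip": event.get("public-ip")}))
        return _verdict(False, f"Connection rejected: {active} active VPN session(s) "
                               f"already open; the limit is {max_concurrent}")
    return _verdict(True)


def count_active_connections(endpoint_id: str, username: str) -> int:
    """Count the user's active sessions on the endpoint via the EC2 API.

    Uses DescribeClientVpnConnections with the documented "username" filter and
    walks NextToken pages manually; only Status.Code == "active" counts.
    """
    import boto3  # imported here so decide() stays usable without boto3 installed
    ec2 = boto3.client("ec2")
    kwargs = {"ClientVpnEndpointId": endpoint_id,
              "Filters": [{"Name": "username", "Values": [username]}]}
    active = 0
    while True:
        page = ec2.describe_client_vpn_connections(**kwargs)
        for conn in page.get("Connections", []):
            if conn.get("Status", {}).get("Code") == "active":
                active += 1
        token = page.get("NextToken")
        if not token:
            return active
        kwargs["NextToken"] = token


def lambda_handler(event: dict, context) -> dict:
    """Entry point AWS invokes; wires the live counter into the pure decision."""
    return decide(event, count_active_connections)


# Constructed sample event in the documented v1 shape (placeholder identifiers).
SAMPLE_EVENT = {
    "connection-id": "cvpn-connection-EXAMPLE0000000001",
    "endpoint-id": "cvpn-endpoint-EXAMPLE000000001",
    "common-name": "",
    "username": "alice",
    "platform": "mac",
    "platform-version": "13.2",
    "public-ip": "198.51.100.23",
    "client-openvpn-version": "2.5.1",
    "groups": "vpn-users",
    "schema-version": "v1",
}


def fake_counter(_endpoint_id: str, username: str) -> int:
    """Offline stand-in for the EC2 call: alice has 2 sessions, bob has 1."""
    return {"alice": 2, "bob": 1}.get(username, 0)


if __name__ == "__main__":
    print(json.dumps(decide(SAMPLE_EVENT, fake_counter), indent=2))
    print(json.dumps(decide(dict(SAMPLE_EVENT, username="bob"), fake_counter), indent=2))
```

Failing closed when the EC2 call errors is a deliberate choice: an API outage then blocks new logins instead of quietly lifting the cap, which is the safer default for a control meant to satisfy a compliance requirement; if availability matters more, swap that branch to allow and alert on the logged "count_failed" event in CloudWatch. The idle-timeout complaint in the conclusion would need a separate scheduled function rather than this per-connection hook, since the handler only runs at connect time.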