In this article, we explore how Glovo migrated approximately 4,000 users of their self-managed, TLS-based OpenVPN solution, hosted on Amazon Elastic Compute Cloud (Amazon EC2), to AWS Client VPN. The migration also integrated OneLogin as the identity provider, so that authentication is handled by single sign-on and authorization is driven by the user's OneLogin role.
AWS Client VPN is a managed, client-based VPN service that allows secure access to AWS resources as well as on-premises networks. This elastic service can automatically scale according to demand, and it enables organizations to utilize existing identity stores, such as OneLogin, through Security Assertion Markup Language (SAML) 2.0 integration.
Founded in Barcelona in 2015, Glovo has established itself as a leader in the delivery sector, providing online food delivery services across 25 countries and over 1,300 cities. The app connects users with more than 150,000 partner restaurants, along with various other establishments including supermarkets and health and beauty stores.
Glovo’s Original Self-Managed VPN Solution
Initially, Glovo relied on a self-managed OpenVPN solution running on Amazon EC2 instances behind a public-facing Network Load Balancer (NLB). An Amazon EC2 Auto Scaling group (ASG) handled capacity and instance replacement: it scaled on system metrics such as memory, disk and CPU, and it replaced instances whose health check reported that the VPN process was no longer healthy.
Challenges with the Self-Managed Solution
Despite the scalability and resilience gained from running across multiple Availability Zones (AZs), the self-managed infrastructure carried significant operational overhead and cost. Glovo was responsible for keeping the VPN Amazon Machine Image (AMI) current with software patches and operating system upgrades, and for rolling out each new AMI version to the fleet.
Authentication posed another major challenge, as the VPN software in use had no integration with an external identity store. To work around this, Glovo built an internal Token Service that issued a temporary password for each login, which meant every VPN user had to obtain a fresh password manually before connecting. The VPN instances also needed internal connectivity to the Token Service, which was provided through AWS Transit Gateway.
Authorization was handled by a custom script that mapped each VPN user to the internal networks they were allowed to reach, enforced with Linux iptables on the instance. Because the script ran at Amazon EC2 VPN installation time, every change to a user's profile required updating the script and redeploying it to the instances.
Designing for Growth with AWS Client VPN
The new design principles for the VPN architecture were based on the identified challenges and requirements:
- Infrastructure Management and Scalability: Client VPN is a regional service, and Glovo associated each endpoint with subnets in at least two AWS AZs. Because it is an AWS-managed service, there is no infrastructure to provision, patch or replace, and the endpoints scale beyond the 4,000 users involved in the migration.
- Authentication: Replacing the home-built Token Service, Glovo now manages VPN identities in OneLogin and uses single sign-on (SSO) over SAML 2.0, so users no longer generate a password for each login.
- Authorization: The user's OneLogin role is sent in the SAML 2.0 assertion as the "memberOf" attribute. Client VPN authorization rules reference that role through their "Access Group ID", so a user can only reach the target networks whose rules name one of their groups (or rules that authorize all groups).
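The following is an added example, not Glovo's or AWS's code, that shows how the memberOf-to-Access-Group-ID mapping above behaves. It parses a constructed SAML assertion fragment of the kind OneLogin would send, evaluates a constructed table of Client VPN authorization rules against the groups found in it, and flags group-scoped rules that an authorize-all-groups rule silently overrides. The assertion, the group names and the CIDRs are all illustrative assumptions.

```python
"""Evaluate Client VPN-style authorization rules against the memberOf groups in a SAML assertion.

Added example (not from the original page). Rule semantics mirrored here: a rule names
a destination CIDR and either an access group ID, matched against the memberOf attribute
values, or no group at all, meaning it authorizes every authenticated user.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion fragment (illustrative only; a real assertion is signed
# and carries Issuer and Conditions). The user's OneLogin roles travel as memberOf.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>vpn-engineering</saml:AttributeValue>
      <saml:AttributeValue>vpn-all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class AuthorizationRule:
    """One authorization rule: a target CIDR plus an access group ID,
    or access_group_id=None for a rule that authorizes all groups."""
    target_cidr: str
    access_group_id: Optional[str] = None
    description: str = ""


# Constructed rule table (assumed group names and CIDRs).
RULES = [
    AuthorizationRule("10.10.0.0/16", "vpn-all-staff", "shared tooling VPC"),
    AuthorizationRule("10.20.0.0/16", "vpn-engineering", "engineering VPC"),
    AuthorizationRule("10.30.0.0/16", "vpn-finance", "finance VPC"),
    AuthorizationRule("10.10.5.0/24", None, "DNS resolvers, every user"),
]


def member_of(assertion_xml: str) -> Set[str]:
    """Collect the group names carried in the assertion's memberOf attribute.
    Handles both one AttributeValue per group and a single semicolon-delimited value."""
    root = ET.fromstring(assertion_xml)
    groups: Set[str] = set()
    for attribute in root.findall(".//saml:Attribute", SAML_NS):
        if attribute.get("Name") != "memberOf":
            continue
        for value in attribute.findall("saml:AttributeValue", SAML_NS):
            for group in (value.text or "").split(";"):
                if group.strip():
                    groups.add(group.strip())
    return groups


def matching_rules(groups: Iterable[str], rules: Iterable[AuthorizationRule]) -> List[AuthorizationRule]:
    """Rules that apply to a user with the given groups: all-groups rules always apply,
    group-scoped rules only when the group appears in memberOf."""
    wanted = set(groups)
    return [r for r in rules if r.access_group_id is None or r.access_group_id in wanted]


def can_reach(groups: Iterable[str], rules: Iterable[AuthorizationRule], destination: str) -> bool:
    """True when some applicable rule's target network contains the destination address.
    With an empty group set (IdP not sending memberOf) only all-groups rules match."""
    dest = ip_address(destination)
    return any(dest in ip_network(r.target_cidr) for r in matching_rules(groups, rules))


def shadowed_rules(rules: Iterable[AuthorizationRule]) -> List[AuthorizationRule]:
    """Group-scoped rules whose whole target network is also granted by an all-groups rule.
    For those networks the group restriction has no effect, which defeats segmentation."""
    rules = list(rules)
    open_nets = [ip_network(r.target_cidr) for r in rules if r.access_group_id is None]
    return [
        r for r in rules
        if r.access_group_id is not None
        and any(net.supernet_of(ip_network(r.target_cidr)) for net in open_nets)
    ]


if __name__ == "__main__":
    groups = member_of(ASSERTION_XML)
    print("groups from assertion:", sorted(groups))
    for dest in ("10.20.1.7", "10.30.1.7", "10.10.5.2"):
        print(dest, "reachable" if can_reach(groups, RULES, dest) else "denied")
    print("shadowed rules:", shadowed_rules(RULES + [AuthorizationRule("0.0.0.0/0")]))
```

Two things the code makes visible: if the IdP is not configured to send memberOf, the user authenticates successfully but only the authorize-all-groups rules apply, so group-scoped access silently disappears; and an authorize-all-groups rule for a broad CIDR overrides every narrower group-scoped rule inside it. Authorization rules also only permit traffic; the endpoint's route table still needs a route to each target network.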
Configuration Steps
To integrate AWS Client VPN with OneLogin over SAML 2.0, a trust relationship must be established between the AWS service and the Identity Provider (IdP). On the OneLogin side, Glovo took the following steps:
- In the OneLogin admin console, navigate to the Applications tab and select “Add App.” Search for AWS Client VPN.
- Provide a name and description for the application.
- In the Applications tab, open the newly created application and confirm that the Sign-On method is SAML2.0. Download the application's SAML metadata file; it carries the IdP's entity ID, sign-on URL and signing certificate, which AWS needs to validate assertions from this IdP.
This migration not only removed the operational burden of the self-managed fleet but also tightened security: passwords per login are gone, access is tied to the user's identity provider role, and revoking a role in OneLogin revokes the corresponding network access.
Additionally, Glovo deployed separate Client VPN endpoints for different user groups. This segmentation limits the blast radius of a misconfigured authorization rule to a single endpoint, and it makes VPN user traffic easier to trace, because each endpoint has its own connection logs and routes.