Learn About Amazon VGT2 Learning Manager Chanci Turner
Giving developers secure access to Amazon Relational Database Service (Amazon RDS) instances from their laptops is a recurring problem. The online travel platform Innovate describes how it moved from a traditional bastion host in a public subnet to a lighter-weight design: a VPN tunnel carried over SSH, which is in turn carried over Session Manager, a feature of AWS Systems Manager, using temporary SSH keys instead of long-lived ones.
This article explains how developers at Innovate reach allow-listed resources in their virtual private cloud (VPC) directly from their workstations by tunneling a VPN over secure shell (SSH), with the SSH session itself tunneled through Session Manager. This is not a step-by-step guide; the commands mentioned are illustrative and will need adapting to your environment.
Innovate’s Initial Architecture
In 2021, Innovate’s developer connectivity relied on jump hosts in a public subnet, as shown in the original architecture diagram. The public subnet contained an Amazon Elastic Compute Cloud (Amazon EC2) instance acting as a jump host, and a VPN tunnel linked each developer’s desktop to the VPC. The jump host was reachable from the internet for terminal access over the secure shell (SSH) protocol on port 22. Even though the allowed source IP addresses were restricted, exposing port 22 to the internet raised the security risk, for example of denial of service attacks.
Transitioning the Jump Host to a Private Subnet with Session Manager
To reduce these risks, Innovate moved the jump host into a private subnet and made Session Manager the only entry point for incoming traffic. The following sections walk through how developers now connect to Amazon RDS directly from their workstations in this architecture.
Tunneling TCP Traffic Through Session Manager
Session Manager is best known for terminal access, but it can also tunnel TCP connections, which is useful for reaching EC2 instances from a local workstation. An example command forwarding local port 8888 to a port on an EC2 instance was shown in the original post for demonstration purposes.
Tunneling SSH Traffic Over Session Manager
Because SSH runs on top of TCP, SSH traffic can be tunneled the same way. To keep the invocation short, a host entry can be added to the SSH config file so that the Session Manager tunnel is started automatically; connecting to the EC2 instance over SSH then becomes a single short command. The AWS Well-Architected Framework recommends short-lived credentials to limit the impact of a leaked key, but managing them by hand is cumbersome.
Utilizing EC2 Instance Connect Instead of SSH Keys
EC2 Instance Connect takes over the management of temporary access credentials. From the command line it pushes a temporary SSH public key to a private EC2 instance, where the key is accepted for 60 seconds. The EC2 Instance Connect plugin must be installed on the workstation, and the caller needs the corresponding IAM permissions.
Implementing a VPN Over SSH, Then Over Session Manager
This section introduces sshuttle, an open-source tool that acts as a transparent proxy over SSH, in effect a lightweight VPN. With it, traffic from the workstation is forwarded through the EC2 instance to Amazon RDS, so developers see it as ordinary network traffic.
After installing sshuttle with the package manager of choice, developers start it to route traffic from their workstations to the RDS DB instance, provided the security group of the DB instance allows access from the jump host.
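The four layers described in the sections above (Session Manager port forwarding, SSH over Session Manager via an SSH config entry, a 60-second key pushed with EC2 Instance Connect, and sshuttle on top) fit together as follows. This is an added example, not code from the original post or from Innovate or AWS: it composes each command and prints it instead of running it, so it works offline, and the instance IDs, OS user, ports, key path and VPC CIDR are constructed placeholders. Inputs are validated before they are interpolated into command strings because the instance ID ends up inside the `sh -c "..."` that ssh runs for `ProxyCommand`.

```shell
#!/bin/sh
# Added example (not Innovate's or AWS's code). Prints the commands for each
# layer of the Session Manager -> SSH -> VPN stack; nothing here calls AWS.
# Instance IDs, user names, ports and CIDRs are constructed placeholders.
set -eu

# Reject anything that is not a well-formed EC2 instance ID (i- plus 8 or 17
# hex digits) or a plausible TCP port before it reaches a command string.
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}
valid_port() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -le 65535 ]
}

# Layer 1: forward local port $2 to port $3 on instance $1 through Session
# Manager. The SSM agent dials out, so the jump host needs no inbound rule.
ssm_port_forward_cmd() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 1; }
  valid_port "$2" && valid_port "$3" || { echo "bad port" >&2; return 1; }
  printf "aws ssm start-session --target %s --document-name AWS-StartPortForwardingSession --parameters '{\"portNumber\":[\"%s\"],\"localPortNumber\":[\"%s\"]}'\n" "$1" "$3" "$2"
}

# Layer 2: an ~/.ssh/config stanza so that `ssh i-0123...` (and any tool that
# shells out to ssh, such as sshuttle) is tunneled through Session Manager.
ssh_over_ssm_config() {
  cat <<EOF
Host i-* mi-*
    User $1
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Layer 3: push a one-off SSH public key ($3) for OS user $2; the instance
# accepts it for 60 seconds, so no long-lived key pair has to exist anywhere.
ec2_instance_connect_cmd() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 1; }
  printf 'aws ec2-instance-connect send-ssh-public-key --instance-id %s --instance-os-user %s --ssh-public-key file://%s\n' "$1" "$2" "$3"
}

# Layer 4: sshuttle routes traffic for CIDR $3 (e.g. the RDS subnets) over an
# SSH session to $2@$1; with the stanza above, that session rides on SSM.
sshuttle_cmd() {
  valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 1; }
  printf 'sshuttle -r %s@%s %s\n' "$2" "$1" "$3"
}

# Day-to-day workflow: key push, then VPN. Because the key is only valid for
# 60 seconds, the two commands have to run back to back.
plan_rds_access() {
  ec2_instance_connect_cmd "$1" "$2" "$3" && sshuttle_cmd "$1" "$2" "$4"
}

if [ "$#" -gt 0 ]; then
  # usage: sh plan.sh i-0123456789abcdef0 ec2-user ~/.ssh/id_ed25519.pub 10.0.0.0/16
  plan_rds_access "$@"
fi
```

Running the script with arguments prints the two commands a developer would paste into a terminal; sshuttle itself needs local root to install its redirection rules, and the AWS CLI calls succeed only under an identity that holds `ssm:StartSession` and `ec2-instance-connect:SendSSHPublicKey` for the jump host, which is what makes every access attempt show up in AWS CloudTrail.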
Benefits of the New Architecture
The architecture Innovate adopted, a VPN over SSH over Session Manager with temporary SSH keys, has proven practical for day-to-day use. It costs less than AWS Client VPN and matches what developers need when working against development environments. Its advantages include simpler connections to workloads in private subnets, no inbound security group rules on the jump host, and a record of every access attempt in AWS CloudTrail.