Access your AWS non-production environment from anywhere
When it comes to restricting access to test environments, the usual go-to is to allowlist the users' IP addresses. In AWS this can be done with security groups, network ACLs or WAF Web ACLs. As your company grows, the number of applications and non-production environments increases. Since COVID, the number of user locations has exploded, with remote work from home or from anywhere with a 4G/5G connection.
Maintaining all those IP allowlists becomes a pain. What if we could reduce the number of IPs from hundreds to two and distribute them across the whole organization? That is what a simple design achieves: the centralized VPN VPC.
With AWS Client VPN, we can set up an OpenVPN-based endpoint in a dedicated VPC, send the clients' internet traffic out through NAT gateways that carry Elastic IPs, and allowlist only those Elastic IPs in the non-production environments. Because the Elastic IPs are static and belong to the NAT gateways, every user, wherever they connect from, reaches the test environments from the same two source addresses.

These IPs can be published as a managed prefix list and shared across your AWS Organization with AWS Resource Access Manager. Teams then reference the prefix list in their security group rules and never maintain individual addresses. One caveat: network ACLs and WAF IP sets do not accept prefix lists, so there the two addresses still have to be entered directly, but that is two entries instead of hundreds.
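The layout described above, as an added Terraform example; it is not code from the original post nor from AWS. It assumes a VPC with one internet-gateway-routed public subnet and one private subnet per AZ already exist and are passed in as variables, together with an ACM server certificate and an IAM SAML provider for the single sign-on option. The client CIDR, resource names and consumer account IDs are placeholders.

```hcl
# Added example (not from the original post). Inputs are assumed to exist already.
variable "vpc_id" { type = string }
variable "public_subnet_ids" { type = list(string) }    # one per AZ, routed to an internet gateway
variable "private_subnet_ids" { type = list(string) }   # one per AZ, where the endpoint attaches
variable "server_certificate_arn" { type = string }     # ACM certificate for the endpoint
variable "saml_provider_arn" { type = string }          # IAM SAML provider (SSO option)
variable "consumer_account_ids" { type = list(string) } # accounts that receive the prefix list

# One Elastic IP and one NAT gateway per AZ: these are the only IPs to allow downstream
resource "aws_eip" "nat" {
  count  = length(var.public_subnet_ids)
  domain = "vpc"
}

resource "aws_nat_gateway" "egress" {
  count         = length(var.public_subnet_ids)
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = var.public_subnet_ids[count.index]
}

# Private subnets default-route to the NAT gateway in their AZ
resource "aws_route_table" "private" {
  count  = length(var.private_subnet_ids)
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress[count.index].id
  }
}

resource "aws_route_table_association" "private" {
  count          = length(var.private_subnet_ids)
  subnet_id      = var.private_subnet_ids[count.index]
  route_table_id = aws_route_table.private[count.index].id
}

resource "aws_ec2_client_vpn_endpoint" "main" {
  server_certificate_arn = var.server_certificate_arn
  client_cidr_block      = "10.201.0.0/22" # placeholder; /22 or larger, must not overlap the VPC or anything reachable through it
  vpc_id                 = var.vpc_id
  split_tunnel           = false # full tunnel: every client packet leaves through the NAT gateways
  authentication_options {
    type              = "federated-authentication"
    saml_provider_arn = var.saml_provider_arn
  }
  connection_log_options {
    enabled = false # point this at a CloudWatch log group before going to production
  }
}

resource "aws_ec2_client_vpn_network_association" "private" {
  count                  = length(var.private_subnet_ids)
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.main.id
  subnet_id              = var.private_subnet_ids[count.index]
}

# Route client internet traffic into the private subnets (hence through NAT) and authorize it
resource "aws_ec2_client_vpn_route" "internet" {
  count                  = length(var.private_subnet_ids)
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.main.id
  destination_cidr_block = "0.0.0.0/0"
  target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.private[count.index].subnet_id
}

resource "aws_ec2_client_vpn_authorization_rule" "internet" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.main.id
  target_network_cidr    = "0.0.0.0/0"
  authorize_all_groups   = true
}

# The egress IPs as a managed prefix list, shared to the consumer accounts through RAM
resource "aws_ec2_managed_prefix_list" "vpn_egress" {
  name           = "centralized-vpn-egress"
  address_family = "IPv4"
  max_entries    = 4
  dynamic "entry" {
    for_each = aws_eip.nat
    content {
      cidr        = "${entry.value.public_ip}/32"
      description = "centralized VPN NAT gateway ${entry.key}"
    }
  }
}

resource "aws_ram_resource_share" "vpn_egress" {
  name                      = "centralized-vpn-egress"
  allow_external_principals = false # never share outside the AWS Organization
}

resource "aws_ram_resource_association" "vpn_egress" {
  resource_arn       = aws_ec2_managed_prefix_list.vpn_egress.arn
  resource_share_arn = aws_ram_resource_share.vpn_egress.arn
}

resource "aws_ram_principal_association" "consumers" {
  for_each           = toset(var.consumer_account_ids)
  principal          = each.value
  resource_share_arn = aws_ram_resource_share.vpn_egress.arn
}
```

In each non-production account, a security group rule then references the shared list by its `pl-` ID (for example the `prefix_list_id` argument of `aws_vpc_security_group_ingress_rule`) instead of a CIDR, so adding a third NAT gateway later only means adding an entry to the prefix list. Two things are worth checking before applying: the client CIDR must not overlap the VPN VPC or any network peered to it, and `split_tunnel = false` is what guarantees that web traffic to the test environments actually sources from the NAT Elastic IPs; with split tunnel enabled, only the routes in the endpoint's route table go through the VPN.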
AWS Client VPN offers several ways to authenticate:
- Active Directory authentication (user-based)
- Mutual authentication (certificate-based)
- Single sign-on (SAML-based federated authentication, user-based)
Connecting the service to an Active Directory, whether on-premises (through AD Connector) or AWS-managed, is straightforward with AWS Directory Service.

All of this also works for private network access through VPC peering, transit gateways, site-to-site VPN and so on: the routes simply point at those targets instead of the NAT gateways.
There is one other overall solution: a centralized bastion such as AppStream or WorkSpaces. But here are the drawbacks:
- more effort to set up and maintain
- more expensive
- not possible to test your web applications from a mobile device. That's a no-go for QA.
AppStream and WorkSpaces are useful when you want to provide your users with tools in a controlled environment, which simplifies software distribution.
The AWS Client VPN client is available for Windows, Linux, macOS, Android and iOS. It is a very versatile service. Give it a try 🙂