I am designing a network flow for the following scenario -

  1. VPC 1 - hosting servers and apps in a private subnet
  2. VPC 2 - hosting servers and apps in a private subnet
  3. Management VPC (#3) - Hosting VPN connection in a public subnet
  4. Management VPC has peering with both VPC1 and VPC2

I now connect to the Client VPN on my laptop which is my route into the Management VPC. Since VPC1 and VPC2 have peered with Management VPC, can I access the services in those VPCs from my laptop?

Tim

1 Answer

AWS Networking

AWS networking is not transitive. You generally can't hop between networks without making an explicit provision for it. You have to have a target in the VPC you're connected to, and from that target you can connect out to anything peered.

If your management VPC is peered with your VPC1 and VPC2 then you can't access VPC 1 / 2 directly from your laptop with Client VPN. To get access you'll need to put a bastion server or similar service (AWS Appstream, AWS workspace, etc) into the management VPC.

Suggestion - Multi-Account Architecture

This kind of setup is more commonly done using a multi-account architecture, which provides for additional isolation.

You could set up AWS Control Tower as a best practice environment to get you started, then set up AWS Transit Gateway in a dedicated networking account or the management account for communications between the accounts / VPCs. Client VPN can be set up in the same account as transit gateway and can provide access to all accounts / VPCs if configured correctly, but that's more of a security risk - a bastion helps with isolation.

You might get additional control by putting a NAT gateway in an account if you don't need public internet ingress, or by putting in Squid proxies to limit what sites your servers can connect to - OS update sites for example.

This will probably cost more than your current setup. It's more of an enterprise strategy, where security and compliance is more important than total cost.

Tim
  • Thank You! I believe what I missed was that since VPC peering is not transitive, even though I get on the VPN, there is no direct route to servers in VPC1 or VPC2 – Nitin Rastogi Jul 15 '20 at 01:24
  • From a scaling perspective, Transit Gateway may make sense because we are designing for a multi-VPC architecture. – Nitin Rastogi Jul 15 '20 at 03:06
  • 1
    I design AWS platforms for government and large organisations. We use Transit Gateway almost exclusively for comms. Rate limits are often per account, rather than per VPC, and using multiple accounts gives you advantages like a reduced blast radius. Using multiple accounts also means identities federated to Azure AD via AWS SSO means you can usually grant access to AWS accounts with AD groups, without having to write and maintain detailed IAM policies. Even with non-federated AWS SSO identities it's an advantage. The overhead is worthwhile for most large organisations, less so for smaller orgs – Tim Jul 15 '20 at 08:03