13

If I have several AWS EC2 and azure instances running on separate regions. I am using rabbitmq to exchange messages between them. Should I worry about adding TLS and encrypting those connections?

In other words if server A is on AWS us-east for example and server B is in azure how bad will it be if they exchange information without it being encrypted? Only the internet service provider and Amazon/Microsoft will be able to see that unencrypted data correct?

I will obviously encrypt anything that deals with the client. I am just curious about 2 backend servers talking to each other.


Edit

Thanks for the help guys. I know how to encrypt the connection and also how to set up a VPN. Sorry I phrased the question incorrectly.

I just wanted to know who will be able to see that traffic between those servers. Why will it be risky? I know it will be risky, I believe you, lol. I just want to know why. Also, how bad will it be to generate my own SSL certificates and trust them on each server?

Tono Nam
  • 3
    `Only the internet service provider and Amazon/Microsoft will be able to see that unencrypted data correct?` No, that is not correct. – Greg Askew Oct 27 '22 at 09:22
  • 1
    "Also how bad will it be to generate my own ssl certificates and trust it on each server." - With a self-signed certificate you get the same level of transport encryption and security, but fewer guarantees that your connection is not with a man-in-the-middle spoofing the identity of the server you're attempting to reach. – diya Oct 27 '22 at 14:43
  • 4
    @diya, this is not true. If you create your own CA you will be sure who you connect to. Especially if you implement mutual authentication. Because, hypothetically, an external CA can issue a certificate for your other site to someone else. – Romeo Ninov Oct 27 '22 at 15:07
  • 1
    Indeed, but `self signed certificate` != `internal CA`, and my comment was intended as a general recommendation. IMHO with certificate pinning you could arguably even ensure suitable protection with a self-signed certificate alone, but that is hardly what I would consider a conventional approach that would work for most. – diya Oct 27 '22 at 15:16
  • @diya: "generate my own ssl certificates and trust it on each server" implies either trusting the (self-signed) CA certificate, or trusting the individual (self-signed) server certificates directly. Either way you can be confident that you're connected to the right server. – psmears Oct 27 '22 at 15:47
  • 2
    @diya generating two self-signed certificates and adding each of them as trusted on the other system is actually more secure than anything else, because the servers will essentially trust each other's public key directly. This is on the same level of security as SSH or WireGuard keys. When you use a *third party* CA to issue certificates you must also trust that CA, and even if you create your own CA, make it trusted on both systems and issue certificates, this is still an additional point of trust which could be subverted, which is avoided with self-signed certificates. – Nikita Kipriyanov Oct 27 '22 at 16:53
  • Google discovered the hard way that the NSA is quite capable of listening in on traffic between servers. They now encrypt everything, including datacenter-internal traffic. – Mark Oct 27 '22 at 23:18

3 Answers

25

Should you encrypt data between 2 servers in the cloud?

Yes.

Modern security thinking is that you don't consider your own network / datacenter as more trusted (than your WAN or the regular internet).

Traditionally one would allow for more relaxed security standards in the datacenter, within the "secure" perimeter of your own network. Both internal systems and users would be trusted, implicitly expected to be secure and never abusive or malicious. One only added TLS, for example, for connections crossing the perimeter and borders of your "secure" internal network.

Nowadays the increasingly prevalent security concept is one of "zero trust", which abandons the concept of secure and trusted internal networks/systems/users and applies the same rigorous level of security everywhere, regardless.

So for two back-end servers exchanging information with each-other:

  • both servers and all their services should be configured with TLS certificates (for server authentication and transport encryption)
  • their communication should be encrypted
  • clients should authenticate to services (with username password, a token, client certificate or whatever is suitable)
  • your applications/(micro-)services should still do input validation and not trust the input from the internal clients/backend-systems to always be correct and safe to use verbatim.
  • etc.
  • etc.

In response to your edit

I just wanted to know who will be able to see that traffic between those servers
(server A is on AWS us-east for example and server B is in Azure)

Unless Amazon and Microsoft have their own physical datacenter interlinks, traffic between AWS and Azure clouds will be routed over the public internet and/or transit one or more network segments operated by third parties. The exact path your traffic takes and which third parties that are can change at any moment due to how routing protocols and the internet work.

When you don't set up transport encryption, that traffic will be in clear text and anybody with access to any segment can trivially eavesdrop.

diya
  • Is there any particular reason to suspect or assume that Amazon Web Services (I assume that's what you mean by "Amazon") would send the traffic over the public internet instead of through their own network? – Blueriver Oct 27 '22 at 20:47
  • 2
    @Blueriver Because Amazon may not have entirely their own private sea cables between continents? – Hagen von Eitzen Oct 27 '22 at 21:24
  • 1
    @HagenvonEitzen Any reason to suspect they don't? Because https://aws.amazon.com/about-aws/global-infrastructure/global_network/ states they do: "Every data center, AZ, and AWS Region is interconnected via a purpose-built, highly available, and low-latency private global network infrastructure." By the way, again I'm assuming you mean Amazon Web Services, which is a subsidiary of Amazon, but I don't know that Amazon offers cloud services – Blueriver Oct 27 '22 at 22:00
  • 7
    @Blueriver: The question is asking about sending data between Azure and AWS, two separate cloud companies, one owned by Microsoft. Not just within AWS. Interesting that within AWS, your traffic would normally go through private links, even between regions. But you have to wonder if it *could* route over the public Internet in case of outages, in which case BGP hijacking or misconfiguration could maybe result in AWS <-> AWS traffic going over public Internet backbone links. – Peter Cordes Oct 28 '22 at 01:46
  • 1
    @PeterCordes If they do need to use the public Internet, I think it's likely they'd use a VPN between datacenters. – Barmar Oct 28 '22 at 14:51
  • @Blueriver I think AWS is often referred to as a cloud service. – Barmar Oct 28 '22 at 14:54
  • @HagenvonEitzen Google did, and the NSA "simply" tapped the cables anyway. But we should ask whether AWS encrypts the data they send across those cables. – user253751 Oct 28 '22 at 17:28
  • 2
    [All data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit); [Whenever Azure Customer traffic moves between datacenters ... a data-link layer encryption ... is applied from point-to-point across the underlying network hardware.](https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview#data-link-layer-encryption-in-azure). Obviously says nothing about AWS <-> Azure. – Yogu Oct 29 '22 at 12:01
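The answer above says both servers should have TLS certificates for server authentication, and that clients should authenticate with a client certificate where that fits; the comments under the question argue about whether a private CA or bare self-signed certificates are the better trust anchor. The script below is an added example, not code from any answer on this page, showing the private-CA variant end to end: it builds a private CA with `openssl`, issues a certificate for each broker node, and then exercises the trust decision a TLS peer makes, including the two failure cases that matter (a certificate for the right hostname from a CA you never trusted, and a genuine certificate presented for the wrong hostname). It also writes a `rabbitmq.conf` fragment that disables the plaintext listener and requires a client certificate from that CA. The hostnames `rabbit-a.example.internal` and `rabbit-b.example.internal`, the file names and the directory (`$PKI_DIR`, or a temp dir) are made up for the demo; it assumes OpenSSL 1.1.1 or newer and contacts no real broker.

```shell
#!/bin/sh
# Added example (not from the original post): private CA, one leaf cert per node,
# and the trust checks a TLS peer performs. Assumptions: openssl 1.1.1+ in PATH;
# hostnames rabbit-a.example.internal / rabbit-b.example.internal are invented.
set -eu

WORK="${PKI_DIR:-$(mktemp -d)}"   # keys, certs and the config fragment land here

# Self-signed CA certificate: $1 = file base name, $2 = CN.
make_ca() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate $1 signed by CA $2 for hostname $3. serverAuth + clientAuth so
# the same cert works when this node connects to its peer (mutual TLS).
issue_cert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$3" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' \
    "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Exit 0 only if cert $2 chains to CA $1 AND carries hostname $3 in its SAN.
# This is the decision a TLS client makes with $1.crt as its only trust anchor.
verify_peer() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" "$WORK/$2.crt" 2>/dev/null \
    | grep -q ': OK$'
}

# rabbitmq.conf fragment for node $1: no plaintext listener, TLS on 5671, and the
# connecting peer must present a certificate issued by our private CA.
write_rabbitmq_tls_conf() {
  cat > "$WORK/rabbitmq.conf" <<EOF
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = $WORK/privateca.crt
ssl_options.certfile   = $WORK/$1.crt
ssl_options.keyfile    = $WORK/$1.key
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = true
EOF
}

build_pki() {
  make_ca privateca "Backend private CA"
  make_ca rogueca   "Some other CA"           # stands in for any CA we did not trust
  issue_cert rabbit-a privateca rabbit-a.example.internal
  issue_cert rabbit-b privateca rabbit-b.example.internal
  # Correct hostname, wrong issuer: what a spoofed peer would present.
  issue_cert impostor rogueca rabbit-a.example.internal
  write_rabbitmq_tls_conf rabbit-a
}

# Runs the three checks a practitioner should see pass/fail as expected.
show_trust_decisions() {
  if verify_peer privateca rabbit-a rabbit-a.example.internal; then
    echo "rabbit-a cert for rabbit-a.example.internal: accepted"
  fi
  if ! verify_peer privateca impostor rabbit-a.example.internal; then
    echo "impostor (right name, untrusted issuer): rejected"
  fi
  if ! verify_peer privateca rabbit-b rabbit-a.example.internal; then
    echo "rabbit-b cert presented as rabbit-a (hostname mismatch): rejected"
  fi
  return 0
}

build_pki
show_trust_decisions
```

The trust store on each node contains only `privateca.crt`, so a certificate for the same hostname from any other issuer fails the chain check; that is the property the comments attribute to running your own CA. `ssl_options.verify = verify_peer` together with `ssl_options.fail_if_no_peer_cert = true` makes the broker demand a client certificate from that CA, and `listeners.tcp = none` removes the unencrypted AMQP port so a misconfigured client cannot silently fall back to plaintext.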
5

Depending on the stakes, one could not label as "trusted" any physical network that is not physically visible end-to-end.

For a human with average vision, this amounts to a cable between two computers on a single desk.

In a sense, you can label a network "trusted" if you operate, manage and physically control it.

The Internet is not only owned, controlled and operated by multiple parties; one cannot even be sure that the path the packets take today between points A and B will be the same tomorrow.

Packets between two different datacenters in the same city could route through another continent. This can happen even if these datacenters have a dedicated direct connection between them. The direct connection can fail or be compromised in a number of ways, and the connectivity will be maintained by other means.

And then, there are such things as https://en.wikipedia.org/wiki/BGP_hijacking - an attack that routes the traffic of interest towards devices that the attacker controls.

fraxinus
4

From a security point of view it is reasonable to secure the connections if they leave the datacenter/service provider. This can be done by adding SSL/TLS to both parties. You can also establish mutual authentication (client/server certificates). Another approach is to establish a VPN connection between the hosts and tunnel the entire communication.

Romeo Ninov
  • 26