Migrate to the Cloud Public Cloud Securing the Cloud Security VMware Cloud on AWS

Configuring safe and secure connectivity to your VMware Cloud on AWS SDDC

The rapid adoption of hybrid and multi-cloud infrastructure has provided incredible opportunities for enterprises to go faster with their digital transformation.  These new models for IT have been accelerated by COVID-19 and over a year of remote work for many technology workers.  While we reap the benefits of multi-cloud, we must continue to follow best practices for security of the infrastructure that we operate.

When a customer creates a VMware Cloud on AWS SDDC, it is secured by default with firewall rules enabled that block all inbound traffic.  Customers frequently ask us for advice on how to enable SDDC connectivity for both their cloud administrators and enterprise data centers.  While there is no one size fits all blueprint for this, there are some basic guidelines that should be followed to help keep your infrastructure safe.  The diagrams below describe common deployment models for small and medium sized customers.

We will consider a scenario with a cloud administrator who is working from home.  S/he uses a company-provided laptop on her home network with a WIFI router connected to the internet.  Below you will find three options for providing connectivity to vCenter deployed in the SDDC to this user: Internet, Remote Access VPN, and End-to-End VPN.

Internet Connection Alone

Let’s start with the internet connection as depicted with the red line in the diagram below. While it may seem simple to configure a basic “Allow Any” firewall rule on the SDDC to allow her to connect directly over the internet, this is a very poor security practice as it allows not just our cloud administrator, but anyone to connect to the SDDC and attempt to log in.  This connectivity option should never be used.

 

Remote Access VPN

In our second scenario we are providing controlled connectivity to our user via our corporate network as seen in the diagram below. Here we have our cloud administrator authenticate and connect to the enterprise network using an SSL-VPN or Virtual Desktop and then create a set of firewall rules on the SDDC Management Gateway to only allow traffic that originates from the enterprise. This configuration greatly reduces the attack surface of the SDDC as all traffic coming from the internet is blocked except for that originating from the trusted enterprise network. In addition, by integrating vCenter authentication with the corporate identity provider (SSO) we can enforce enterprise policies for user management and passwords.

Remote Access VPN with Direct Connect

Another approach is to use a combination of private connections as depicted in the purple lines below. Cloud administrator first logs on to the enterprise network via an SSL-VPN or Virtual Desktop connection between her laptop and a VPN gateway deployed in the data center.  Once connected to the enterprise network, s/he can reach the VMware Cloud on AWS SDDC by traversing dedicated network connections – AWS Direct Connect and VMware Transit Connect that have been configured between the firewall deployed in the enterprise data center and the Management Gateway that is deployed in the SDDC.

 

End-to-End VPN

An even better option, and our recommended approach, is to have our cloud administrator access the SDDC via end-to-end VPN connections as depicted in the purple lines below. S/he first logs on to the enterprise network via an SSL-VPN or Virtual Desktop connection between her laptop and a VPN gateway deployed in the data center. Once connected to the enterprise network, cloud administrator can reach the VMware Cloud on AWS SDDC by traversing an that provides encrypted transport over the top of AWS Direct Connect and VMware Transit Connect networks that have been configured between the firewall deployed in the enterprise data center and the Management Gateway that is deployed in the SDDC.

 

The table below summarizes the advantages and disadvantages of each of the connectivity scenarios described above.  When evaluating the trade-offs of convenience and security we encourage customers to favor strong security.

Internet Only Remote Access VPN Remote Access VPN + Direct Connect End-to-End VPN with Direct Connect
Security posture Low Good High High
Encryption layers TLS TLS + SSL TLS + SSL TLS + SSL, TLS + IPsec
Recommended use Never Production Production Production

 

For more information on SDDC security please refer to the following resources:

If you would like to learn more about VMware Cloud on AWS, please check out the resource below