Any one knows if two stations created with the same amazon aws workspaces account share the same network ? Are they linked in any way ? Should I use vpn on each one if I want that they stay independent ?
Thanks
If you have created a workspace in the same AWS VPC, they will be deployed in the same virtual network.
https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-vpc.html
If you require that they are to be running on completely segregated networks, creating multiple VPCs would be your best option. Though with the security groups, you should be able to not allow the 2 workspaces to communicate with each other by ensuring that the inbound rules don't allow any connections to said workspace.
Related
The way my set-up works is that I have a 'development', 'staging' and 'production' environment all sitting in separate VPCs and I want to create a client VPN endpoint to allow engineers access to the internals of all these environments (the database mostly).
However, I can't decide how to approach this issue, my first idea was to create a single VPC which peers into all the other VPCs. This would make building the resource in terraform easier as the VPN can be completely separated out.
My other option would be to just have the VPN connection to the development VPC for example and then from there the development VPC peers into the production & staging VPCs however I really don't like this approach
As Steve mentioned from the comment, if you want to centralize your networking setup, for example:
A single or multi AWS VPN S2S with many VPCs
A single or multi DX connection with many VPCs
A single AWS Client VPN to many VPCs
and more
The answer is AWS Transit Gateway. This service also helps you if you have your VPCs placing under different AWS accounts.
For your use-case, AWS has published a blog post with detailed architecture with use-cases for your reference.
https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/
Given Amazon workplaces is built on top of ec2, amazon workplaces is less flexible and more expensive vs ec2. How do they compare in terms of internet security? If Amazon workplaces is more secured, is there a way to DIY enhance ec2 instance so that the security level will get close to amazon workplaces? many thanks.
They both run Windows server, so the OS security is the same.
In WorkSpaces, there are two network connections -- one for the user to connect via the WorkSpaces client, and one connected to a VPC. Therefore, both EC2 and WorkSpaces can use Security Groups, NACLs and VPCs to manage security.
So, no real difference in terms of security unless you require connections to only come from a particular network/VPN connection.
i have more than 30 production Windows severs in all AWS regions. I would like to connect all servers from one base bastion host. can any one please let me know which one is good choice? How can i setup one bastion host to communicate all servers which is different regions and different VPC's? Kindly anyone give advice for this?
First of all, I would question what are you trying to achieve with a single bastion design? For example, if all you want is to execute automation commands or patches it would be significantly more efficient (and cheaper) to use AWS System Manager Run Commands or AWS System Manager Patch Manager respectively. With AWS System Manager you are getting a managed service that offers advance management capabilities with highest security principles built-in. Additionally, with SSM almost all access permissions could be regulated via IAM permission policies.
Still, if you need to set-up bastion host for some other purpose not supported by SSM, the answer includes several steps that you need to do.
Firstly, since you are dealing with multiple VPCs (across regions), one way to connect them all and access them from you bastion's VPC would be to set-up a Inter-Region Transit Gateway. However, among other, you would need to make sure that your VPC (and Subnet) CIDR ranges are not overlapping. Otherwise, it will be impossible to properly arrange routing tables.
Secondly, you need to arrange that access from your bastion is allowed in the inbound connections of your target's security group. Since, you are dealing with peered VPCs you will need to properly allow your inbound access based on CIDR ranges.
Finally, you need to decide how you will secure access to your Windows Bastion host. Like with almost all use-cases relying on Amazon EC2 instances, I would stress to keep all the instances in private subnets. From private subnets you can always reach the internet via NAT Gateways (or NAT Instances) and stay protected from unauthorized external access attempts. Therefore, if your Bastion is in private subnet you could use the capability of SSM to establish a port-forwarding session to your local machine. In this way, you enable yourself the connection while even your bastion is secured in private subnet.
Overall, this answer to your question involves a lot of complexity and components that will definitely incur charges to your AWS account. So, it would be wise to consider what practical problem are you trying to solve (not shared in the question)? Afterwards, you could evaluate if there is an applicable managed service like SSM that is already provided by AWS. In the end, from a security perspective, granting access to all instances from a single bastion might not be best practice. If you consider scenarios in which you bastion is compromised for whatever reason, you basically compromised all of your instances across all of the regions.
Hope it gives you slightly better understanding of your potential solution.
currently working with two environments/account.
Dev and staging
We are paling to spin up a new instance to install Jenkins for CI/CD in dev environment.
We are also wondering if we can use the same instance which is in dev as a CI/CD for staging account as well.
How will access work?
How can the CI/CD instance access the instances in stating for CI/CD?
Do we need to set up a cross-account role for this which allowed dev CI/CD to access the stating instances?
or
the private key is enough to have access to EC2 irrespective of account?
You can definitely enable this. Take a look at VPC peering.
This features enables 2 VPCs whether different account or different region, to connect to each other as there networks become connected via a tunnel between.
When you implement this the following factors are important:
No cross over of CIDR ranges within VPCs
The VPC peering connection must be added to the route table(s) in both VPCs allowing them to know how to connect to the other VPC.
You will need to whitelist in security groups to allow access fro the instances that you want to be able to connect.
By doing this you also benefit from any network connections traversing the AWS backbone rather than across the public internet which will lead to improvements for security and performance.
I have 2 Google Cloud accounts, account_1 and account_2. On each of those accounts I created a project and I bootstrapped 2 virtual machines.
I want to know if it's possible to place those 4 machines in the same network space, to be able to communicate.
Thanks!
Yes, this is possible using VPC network peering. The shared VPC is different because it's between an organization projects, as you have you VMs in different accounts what you have to do is VPC network peering, check this article. After configuring on both VPCs and set the proper firewall rules you should be able to reach your 4 VMs using the internal IP, although they will not be in the same subnet but they will be able to communicate between them.
Yes, it is possible. Take a look at the Shared VPC Overview documentation.
However, not all resources will be shared, you can check which ones are supported here.