Bastion Station Weary

By Sherry Wei
Founder and CTO, Aviatrix
July 23, 2016

If you use a bastion station to access instances in a VPC, you should be very wary of its private key management. The bastion station, itself an AWS or Azure instance, has a private key that cannot be changed once the instance is created. Moreover, this private key is shared by all users, and any user who logs into the bastion station has “sudo” power, that is, root privilege. If an employee leaves the company, that employee still has access to the bastion station! Changing the private key amounts to building a new bastion station and distributing the new private key again. There needs to be a security perimeter at the user level that can allow or deny access to your cloud resources at any given time, rather than relying on a shared private key. Furthermore, a bastion station does not give non-developers a way to access private applications in the cloud.
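As an added example (not code from the post or from Aviatrix), the following Python script audits a bastion host's `authorized_keys` files and `sudoers` for the three conditions just described: one private key trusted by several accounts, a leaver's key still present anywhere, and accounts with blanket sudo. All accounts, key blobs, group membership and the leaver list are constructed sample data.

```python
# Audit a bastion host's SSH trust for: one private key shared by several accounts,
# a leaver's key still present, and accounts with blanket sudo. All data is constructed.
import re
from collections import defaultdict

AUTHORIZED_KEYS = {  # unix account -> contents of its ~/.ssh/authorized_keys (constructed)
    "ubuntu": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY1 bastion-shared\n"
              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABKEY3 bob@laptop\n",
    "alice": "# key baked into the image\n"
             "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY1 bastion-shared\n"
             'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY2 alice@laptop\n',
    "bob": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABKEY3 bob@laptop\n",
}
SUDOERS = "root ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) NOPASSWD:ALL\nbob ALL=(ALL) /usr/bin/systemctl\n"
GROUPS = {"sudo": {"ubuntu", "alice"}}  # constructed /etc/group membership
OFFBOARDED = {"bob"}                     # constructed list of users who have left

KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(\S+))?")
SUDO_RE = re.compile(r"^(\S+)\s+\S+=\s*(?:\([^)]*\)\s*)?(?:NOPASSWD:\s*)?(.*)$")

def parse_authorized_keys(text):
    """(key_blob, comment) per key line; '#' lines and leading options such as from= are skipped."""
    matches = (KEY_RE.search(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return [(m.group(2), m.group(3) or "") for m in matches if m]

def shared_keys(authorized):
    """Key blobs trusted by more than one account: one private key, many logins, no per-user revocation."""
    owners = defaultdict(set)
    for account, text in authorized.items():
        for blob, _ in parse_authorized_keys(text):
            owners[blob].add(account)
    return {blob: accts for blob, accts in owners.items() if len(accts) > 1}

def stale_access(authorized, offboarded):
    """(account, key comment) pairs that still admit a leaver, wherever the key was copied."""
    return {(acct, comment) for acct, text in authorized.items()
            for _, comment in parse_authorized_keys(text)
            if acct in offboarded or comment.split("@", 1)[0] in offboarded}

def unrestricted_sudo(sudoers, groups):
    """Accounts allowed to run ALL via sudo, directly or through a %group entry."""
    allowed = set()
    for line in sudoers.splitlines():
        m = SUDO_RE.match(line.strip())
        if m and m.group(2).strip() == "ALL":
            allowed |= groups.get(m.group(1)[1:], set()) if m.group(1).startswith("%") else {m.group(1)}
    return allowed
```

On a real host the three inputs would come from each account's `authorized_keys`, `/etc/sudoers` (plus `/etc/sudoers.d`) and `/etc/group`; the functions are the same.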

Deploying a VPN server instead of a bastion station is the first step toward building a real security perimeter. It is a must-have from a security standpoint.

Most companies deploy a VPN server at the on-prem office where employees come to work. When employees are not in the office, they must first VPN into the office and then access the cloud. This does provide a security perimeter, but it is not optimal, as user traffic travels to the office and then on to the cloud. In addition, a traditional VPN server requires on-prem hardware, proprietary client software and outdated authentication methods. Furthermore, if you have a global workforce, employees everywhere must still connect to this on-prem VPN server first, adding hundreds of milliseconds of delay.

Therefore, deploying a VPN server in the cloud is the second improvement: it provides a security perimeter and gives users a unified access experience whether they are on-prem or off-prem. Deploying a VPN server in the cloud has the additional benefit of letting you place all your enterprise services in private subnets, enabling non-technical employees to access cloud services securely.

However, a single VPN server is a single point of failure, and it still does not address the latency issue for employees located half a globe away. In addition, a VPN server alone in the cloud cannot give your employees direct secure access to instances or services in VPCs in other regions or other clouds.

Aviatrix provides the most comprehensive network solution for the cloud. Combining a policy-driven, scale-out and geo-aware VPN with encrypted peering and a central management console, we provide a complete secure network solution in the cloud for all your admins, developers and employees.

To learn the complete list of capabilities, check out the datasheet.

