Private, zero trust networking between S3 and anywhere, without MPLS/Direct Connect
NetFoundry makes it easy to instantly spin up highly secure, performant, edge-to-cloud networks to AWS over the Internet using our web-based orchestration tools and APIs, thereby offering private, zero trust networking to S3.
With NetFoundry, you can extend the connection for private S3 buckets, following a zero-trust and least-privileged-access model of security, to your remote users, branch offices, private datacentres and even other cloud service providers over the internet. This ensures you can build highly secure and performant connectivity in minutes using cloud-native tools without the burden of a direct connect solution.
In this support post, I will describe how to build this connectivity following some simple steps.
PRE-REQUISITES
- NetFoundry desktop edge on Windows / Mac devices of the users. (https://support.netfoundry.io/hc/en-us/articles/360047133551-Create-and-Manage-Endpoints)
- SFTP server as part of the AWS Transfer Service (https://aws.amazon.com/about-aws/whats-new/2018/11/aws-transfer-for-sftp-fully-managed-sftp-for-s3/#:~:text=AWS Transfer for SFTP enables,or manage any SFTP servers.&text=With AWS SFTP%2C you pay,and data uploaded and downloaded.) The SFTP server provides private access to an S3 bucket that is not public.
- NetFoundry Edge Router and the SFTP server (endpoint) in the same VPC, so that users connected to the edge router in AWS via the desktop edge clients can reach the S3 service.
- Users who need to access the S3 bucket use any supported file transfer application, such as FileZilla or WinSCP. The users are authenticated to the S3 bucket via the SFTP endpoint using IAM roles and policies.
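Before pointing a NetFoundry service at the SFTP server, it is worth confirming the two prerequisites above hold: the Transfer server is not reachable from the Internet and the bucket blocks public access. The following check is an added example (not NetFoundry or AWS code); it evaluates the JSON returned by `aws transfer describe-server` and `aws s3api get-public-access-block`, and the server, subnet and security-group identifiers in the embedded samples are constructed placeholders.

```python
# Constructed sample in the shape of `aws transfer describe-server` output:
# a Transfer Family SFTP server that lives only inside the VPC.
SAMPLE_SERVER = {
    "Server": {
        "ServerId": "s-EXAMPLE0000000000",
        "EndpointType": "VPC",
        "EndpointDetails": {
            "SubnetIds": ["subnet-EXAMPLE"],
            "SecurityGroupIds": ["sg-EXAMPLE"],
            "AddressAllocationIds": [],  # Elastic IPs here = Internet-facing
        },
    }
}

# Constructed sample in the shape of `aws s3api get-public-access-block` output.
SAMPLE_BUCKET_PAB = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }
}


def transfer_server_is_private(describe_output: dict) -> bool:
    """True if the SFTP server is reachable only from inside the VPC: a PUBLIC
    endpoint gets an AWS-managed public hostname, and a VPC endpoint becomes
    Internet-facing once Elastic IPs (AddressAllocationIds) are attached."""
    server = describe_output.get("Server", {})
    if server.get("EndpointType") not in ("VPC", "VPC_ENDPOINT"):
        return False
    return not server.get("EndpointDetails", {}).get("AddressAllocationIds")


def bucket_blocks_public_access(pab_output: dict) -> bool:
    """True only if all four S3 Block Public Access settings are enabled."""
    cfg = pab_output.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets"))


def check(server_json: dict, pab_json: dict) -> dict:
    """Name -> pass/fail for both prerequisites of the private S3 setup."""
    return {"sftp_server_private": transfer_server_is_private(server_json),
            "bucket_blocks_public": bucket_blocks_public_access(pab_json)}


if __name__ == "__main__":
    # Replace the samples with the saved JSON from the two CLI commands above.
    for name, ok in check(SAMPLE_SERVER, SAMPLE_BUCKET_PAB).items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```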
ADD EDGE ROUTERS
CREATE A NETFOUNDRY HOSTED(PUBLIC) EDGE ROUTER IN THE CONSOLE TO ESTABLISH A "FABRIC"
- From the NetFoundry Console left-hand navigation, select Manage Edge Routers.
- In the upper right, click the + sign to add an Edge-Router.
- Give your edge router a name (ex: NetFoundryPublic).
- In the "Select or Create Router Attributes" field, type in "public"
- For "Select a Hosting Type", toggle the "NetFoundry Hosted" option and select a data center region. The region you select should be close to the endpoint location you are planning to use.
- Hit the “Create” button.
- Hit the Esc icon in the upper right to close the window. Once this router is registered it will accept an outbound fabric connection from the privately launched Edge Router as well as connections from clients accessing the "Fabric".
https://support.netfoundry.io/hc/en-us/articles/360044956032-Create-and-Manage-Edge-Routers
CREATE A CUSTOMER-HOSTED(PRIVATE) EDGE ROUTER IN THE CONSOLE
- From the NetFoundry Console left-hand navigation, select Manage Edge Routers.
- In the upper right, click the + sign to add an Edge Router.
- Give your edge router a name (ex: CustomerPrivate).
- In the "Select or Create Router Attributes" field, type in "private"
- Hit the “Create” button.
- Click on "Registration Key" (this will copy it to your clipboard).
- Hit the Esc icon in the upper right to close the window.
LAUNCH THIS EDGE ROUTER IN AWS VIA CLOUDFORMATION
- Subscribe NetFoundry Edge Router in AWS Marketplace and continue to configure.
- Choose your AWS region as the one where you have configured the S3 service.
- Choose “Launch through EC2” to launch your configuration through the Amazon EC2 console and click “Launch”
- Choose the same VPC for the NetFoundry Edge Router as the SFTP server (endpoint), so that users connected to the edge router in AWS via the desktop edge clients can access the S3 service. Click Create to launch.
EDGE ROUTER POLICY
From the NetFoundry Console left-hand navigation, select Manage Edge Routers, then select "Manage Edge Router Policies" from the sub menu. This policy allows a specific endpoint or group of endpoints to access a specific router or group of routers.
- In the upper right, click the + sign to add an Edge Router Policy.
- Give the Edge Router Policy a name (ex: SFTPS3Policy).
- In the "Edge Router Attributes" section, we will select the NetFoundry Hosted edge Routers.
- In the "Endpoint Attributes" section, we will select the Endpoints that need to be provided with SFTP access to AWS S3.
- Hit the “Create” button
https://support.netfoundry.io/hc/en-us/articles/360045545171-Create-and-Manage-Edge-Router-Policies
MANAGE SERVICES
- From the NetFoundry Console left-hand navigation, click Manage Services
- In the upper right, click the + sign to add a new Service.
- Give the Service a name (ex: NFAWSS3).
- In the "Service Attributes" section, type in "AWSS3"
- In the "Hosting Strategy" section, we will define how the client is going to "intercept the traffic" first
- In the "Intercept Host Name / IP" field, type in ""
- In the "Port/Range" field, type in "22"
- Toggle the "Native Application SDK Based" toggle to the NO position
- Toggle the radio button to "Endpoint Hosted" and select "CustomerPrivate"
- From the "Protocol" drop-down, select "TCP"
- In the "Host Name / IP" field, enter the internal IP [Private] address for the AWS SFTP Server.
- In the "Port" field, type in "22"
- Click on the "Create" button.
https://support.netfoundry.io/hc/en-us/articles/360045503311-Create-and-Manage-Services
CREATE APPWAN
- From the NetFoundry Console left-hand navigation, select Manage Services and AppWans, then select "Manage AppWans" from the sub menu.
- In the upper right, click the + sign to add an AppWan.
- Give the AppWan the name 'AWSS3AppWan'.
- In the "Service Attributes" section, we will select #AWSS3 (this will select all services with that attribute).
- In the "Endpoint Attributes" section, we will select the Endpoints that need to be provided with SFTP access to AWS S3.
- Click the "CREATE" button to create the AppWan.
https://support.netfoundry.io/hc/en-us/articles/360045545211-Create-and-Manage-AppWANs
Configuration Snapshots - AWS
File transfer tool for SFTP - WinSCP (can be any supported tool)