Securing Your S3 Bucket with NetFoundry

Private, zero trust networking between S3 and anywhere, without MPLS/Direct Connect

NetFoundry's web-based orchestration tools and APIs let you spin up secure, performant edge-to-cloud networks to AWS over the Internet in minutes, giving you private, zero trust connectivity to S3 without exposing the bucket, or the SFTP server that fronts it, to the public Internet.

With NetFoundry you can extend access to private S3 buckets to remote users, branch offices, private datacentres and even other cloud service providers over the Internet, following a zero trust, least-privilege model: only enrolled endpoints that a policy explicitly authorises can reach the service, and the S3-facing SFTP server keeps a VPC-private address. This gives you highly secure, performant connectivity built with cloud-native tools, without the cost and lead time of a Direct Connect or MPLS circuit.

In this support post I describe how to build this connectivity in a few simple steps: a NetFoundry-hosted edge router forms the "fabric", a customer-hosted edge router in the S3 VPC terminates the private side, an Edge Router Policy and an AppWAN grant named endpoints access, and a Service maps an intercept address on the client to the SFTP server's private IP on port 22.

Solution_Architecture.png


PRE-REQUISITES

ADD EDGE ROUTERS

CREATE A NETFOUNDRY-HOSTED (PUBLIC) EDGE ROUTER IN THE CONSOLE TO ESTABLISH A "FABRIC"

NFHER.jpg

  1. From the NetFoundry Console left-hand navigation, select Manage Edge Routers.
  2. In the upper right, click the + sign to add an edge router.
  3. Give your edge router a name (ex: NetFoundryPublic).
  4. In the "Select or Create Router Attributes" field, type in "public". This attribute is what the Edge Router Policy below will match on.
  5. For "Select a Hosting Type", toggle the "NetFoundry Hosted" option and select a data center region. Pick a region close to the endpoints you plan to use; fabric latency follows this choice.
  6. Hit the "Create" button.
  7. Hit the Esc icon in the upper right to close the window. Once this router is registered it accepts the outbound fabric connection from the customer-hosted (private) edge router launched below, and accepts connections from enrolled clients that need to reach the fabric. Neither side needs an inbound firewall opening: the private router dials out.

https://support.netfoundry.io/hc/en-us/articles/360044956032-Create-and-Manage-Edge-Routers

CREATE A CUSTOMER-HOSTED (PRIVATE) EDGE ROUTER IN THE CONSOLE

CER.png

  1. From the NetFoundry Console left-hand navigation, select Manage Edge Routers.
  2. In the upper right, click the + sign to add an edge router.
  3. Give your edge router a name (ex: CustomerPrivate).
  4. In the "Select or Create Router Attributes" field, type in "private".
  5. Hit the "Create" button.
  6. Click on "Registration Key" (this copies it to your clipboard). Treat the key as a secret: it is what lets a host join your network as this router, so do not paste it into tickets, chat or version control.
  7. Hit the Esc icon in the upper right to close the window.

LAUNCH THIS EDGE ROUTER IN AWS VIA CLOUDFORMATION

  1. Subscribe to the NetFoundry Edge Router in the AWS Marketplace and continue to configure.
  2. Choose the AWS region in which you have configured the S3 service.
  3. Choose "Launch through EC2" to launch your configuration through the Amazon EC2 console and click "Launch".
  4. Launch the edge router into the same VPC as the SFTP server (the endpoint), so that users connecting through their desktop edge clients can reach the SFTP server, and through it the S3 service, over the private network. Click Create to launch.
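A check a practitioner will want after launching the router: the SFTP server's own security group must not undo the zero trust model by also accepting port 22 from the Internet (or from the whole VPC); if it does, the fabric is merely one of several ways in. The following Python is an added example, not NetFoundry's or AWS's code. It audits ingress rules in the shape `aws ec2 describe-security-groups` returns (`IpPermissions`) against the assumed security group ID of the edge router instance, with a weak and a hardened rule set constructed inline.

```python
"""Audit the SFTP server's security group: port 22 should be reachable only
from the edge router's security group. Added example with constructed data."""
from typing import Dict, List

# Assumed ID of the security group on the customer-hosted edge router instance.
EDGE_ROUTER_SG = "sg-0edge000000router0"

# Constructed ingress rules, in the shape of IpPermissions from
# `aws ec2 describe-security-groups`. The weak set is what a quick-start
# SFTP server often ships with; the hardened set is what this design needs.
WEAK_INGRESS: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]
HARDENED_INGRESS: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": EDGE_ROUTER_SG}]},
]


def _covers_port(rule: Dict, port: int) -> bool:
    """True if this rule's protocol and port range include TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rules match everything
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_sftp_ingress(ip_permissions: List[Dict], edge_router_sg: str,
                       port: int = 22) -> List[str]:
    """Return findings for `port`; an empty list means the port is open to the
    edge router's group and to nothing else. Any CIDR rule is a finding, even a
    private one: the whole point is that only the fabric reaches the server."""
    findings: List[str] = []
    from_edge_router = False
    for rule in ip_permissions:
        if not _covers_port(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            findings.append(f"port {port} open to IPv4 CIDR {r['CidrIp']}")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"port {port} open to IPv6 CIDR {r['CidrIpv6']}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == edge_router_sg:
                from_edge_router = True
            else:
                findings.append(
                    f"port {port} open to other security group {pair.get('GroupId')}")
    if not from_edge_router:
        findings.append(
            f"no rule admits port {port} from edge router group {edge_router_sg}")
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_INGRESS), ("hardened", HARDENED_INGRESS)):
        print(label, audit_sftp_ingress(rules, EDGE_ROUTER_SG) or "OK")
```

Run it against the real rules by feeding `audit_sftp_ingress` the `IpPermissions` list from the SFTP server's group; a non-empty result means the server is reachable by a path the AppWAN does not govern. The edge router's own group needs no inbound rule for this design, since it dials out to the NetFoundry-hosted router.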

EDGE ROUTER POLICY

ER_Policy.png

From the NetFoundry Console left-hand navigation, select Manage Edge Routers, then select "Manage Edge Router Policies" from the sub menu. This policy allows a specific endpoint, or group of endpoints, to connect to a specific router, or group of routers; endpoints that match no policy cannot reach the fabric at all.

  1. In the upper right, click the + sign to add an Edge Router Policy.
  2. Give the Edge Router Policy a name (ex: SFTPS3Policy).
  3. In the "Edge Router Attributes" section, select the NetFoundry-hosted edge routers (the "public" attribute created above), since these are the routers that clients dial.
  4. In the "Endpoint Attributes" section, select only the endpoints that need SFTP access to AWS S3.
  5. Hit the "Create" button.

https://support.netfoundry.io/hc/en-us/articles/360045545171-Create-and-Manage-Edge-Router-Policies

MANAGE SERVICES

Services.png

  1. From the NetFoundry Console left-hand navigation, click Manage Services.
  2. In the upper right, click the + sign to add a new Service.
  3. Give the Service a name (ex: NFAWSS3).
  4. In the "Service Attributes" section, type in "AWSS3". The AppWAN below will select the service by this attribute.
  5. In the "Hosting Strategy" section, first define how the client is going to intercept the traffic, i.e. the address and port the edge client captures on the user's machine.
  6. In the "Intercept Host Name / IP" field, type in "".
  7. In the "Port/Range" field, type in "22".
  8. Toggle the "Native Application SDK Based" toggle to the NO position.
  9. Toggle the radio button to "Endpoint Hosted" and select "CustomerPrivate", the edge router launched in the S3 VPC.
  10. From the "Protocol" drop-down, select "TCP".
  11. In the "Host Name / IP" field, enter the private (VPC-internal) IP address of the AWS SFTP server. This address only needs to be reachable from the edge router; it never has to be reachable from the Internet.
  12. In the "Port" field, type in "22".
  13. Click on "Create".

https://support.netfoundry.io/hc/en-us/articles/360045503311-Create-and-Manage-Services

CREATE APPWAN

APPWAN.png

  1. From the NetFoundry Console left-hand navigation, select Manage Services and AppWans, then select "Manage AppWans" from the sub menu.
  2. In the upper right, click the + sign to add an AppWan.
  3. Give the AppWan the name 'AWSS3AppWan'.
  4. In the "Service Attributes" section, select #AWSS3 (the attribute set on the service above; this selects every service carrying that attribute).
  5. In the "Endpoint Attributes" section, select only the endpoints that need SFTP access to AWS S3. An endpoint must appear in both this AppWan and the Edge Router Policy above before it can reach the SFTP server; leaving an endpoint out of either is how access is revoked.
  6. Click the "CREATE" button to create the AppWan.

https://support.netfoundry.io/hc/en-us/articles/360045545211-Create-and-Manage-AppWANs
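Once the Service and AppWan exist, verify the path from an enrolled endpoint before handing it to users: the intercept address must answer with an SSH banner through the fabric, and any address that would bypass the fabric must not answer at all. The Python below is an added example, not part of this article or of NetFoundry's tooling; the intercept name `sftp.s3.internal` and private IP `10.0.1.25` are assumptions, and the fake banner server exists only so the check can be exercised offline.

```python
"""Pre-flight check run from an enrolled endpoint: the SFTP server must answer
with an SSH banner on the intercept address (through the fabric) and must give
no answer on any path that bypasses the fabric. Added example; names assumed."""
import socket
import threading
from typing import Iterable, List, Optional, Tuple

# Assumed values: the name typed into the Service's "Intercept Host Name / IP"
# field and the SFTP server's VPC-private address. Not from the article.
INTERCEPT = ("sftp.s3.internal", 22)
SFTP_PRIVATE = ("10.0.1.25", 22)


def read_ssh_banner(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Connect to host:port and return the server's SSH identification line
    (RFC 4253 "SSH-2.0-..."), or None if the connection fails, times out, or
    the peer is not speaking SSH. DNS failure counts as "no answer": the
    intercept name only resolves while the edge client is running."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while b"\n" not in data and len(data) < 255:   # banner line is <= 255 bytes
                chunk = s.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError:            # refused, unreachable, timeout, name resolution
        return None
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not line.startswith(b"SSH-"):
        return None
    return line.decode("ascii", "replace")


def preflight(intercept: Tuple[str, int],
              must_fail: Iterable[Tuple[str, int]] = ()) -> dict:
    """Expect a banner via the intercept; expect silence on every (host, port)
    in must_fail, e.g. a public address you believe the server does not have."""
    banner = read_ssh_banner(*intercept)
    leaks: List[Tuple[str, int]] = [
        hp for hp in must_fail if read_ssh_banner(*hp) is not None]
    return {"banner": banner, "leaks": leaks, "ok": banner is not None and not leaks}


def start_fake_ssh_server(payload: bytes = b"SSH-2.0-FakeSFTP\r\n") -> int:
    """Constructed stand-in for the SFTP server so the check runs offline:
    accepts one connection on 127.0.0.1, sends `payload`, closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against the fake server. In production call
    # preflight(INTERCEPT, must_fail=[...]) with any address that must not answer.
    port = start_fake_ssh_server()
    print(preflight(("127.0.0.1", port)))
```

A banner through the intercept proves the whole chain (edge client, public router, private router, security group, SFTP daemon); run the check once with the edge client stopped as well, and it should report no banner, which confirms there is no second path to the server.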

Configuration Snapshots - AWS

AWS_S3-1.png


AWS_S3-2.png


File transfer tool for SFTP - WinSCP (any supported SFTP client will do)

Users who need to access the S3 bucket use a supported file transfer application such as FileZilla or WinSCP, pointed at the intercept host name and port 22 configured in the Service. The edge client on the user's machine captures that connection and carries it over the fabric to the SFTP server's private IP; the SFTP server then authenticates the user and grants access to the bucket through the IAM roles and policies attached to it. The user never holds S3 credentials and the bucket never needs to be reachable from the Internet.

SFTP1.png

SFTP2.png

SFTP3.png
