We currently have multiple AWS accounts (many with overlapping private CIDRs) that don’t need to talk to each other. The things we need to access are mainly EKS clusters whose API endpoints are set to public and private mainly and some are public. The other thing would be bastion hosts that each get their own elastic IPs. I’m looking for a straightforward solution to securely access these resources for a small group of ~10 people. I’d ideally like a static VPN IP that would allow for easy whitelisting on the clusters and bastion hosts. Anything you have tried that works well or any ideas you may have would be appreciated.
Are these users more on the technical side? SSM Portforwarding might be a better, and cheaper option. You can also tie API/CLI access to SAML-based SSO to get a user identity versus having to manage username/passwords.
For 10 people? OpenVPN ec2 instance on public subnet & elastic IP > connect with openVPN client
Take a look at Twingate. Can be installed into EKS and lets you expose even ClusterIP services
SSM was already suggested, so I’ll suggest Cloudflare zero trust.
IIRC, it’s free for 50 users.
The only gotcha you may run into is if there is a limit on the number of cloudflared tunnels you can have up in your account. (Cloudflared is an agent you install on an instance or container in your environment. You tell Cloudflare what prefixes are available behind the agent, and then they’ll become accessible to you when using WARP or 1.1.1.1 (mobile app).)
Outside of that, it’s awesome. Set it up with an SSO provider for authentication (optional but recommend), create some tunnels and away you go. You even get logging and filtering with it.
Amazing features for the low low price of free. IMO, leaps ahead of OpenVPN.
I am facing the same challenge. I am not suggesting that my method is better than the VPN solution but this is what I do.
In my EKS cluster, I use kubectl with port-forward to private endpoints. That way, I can just log into whatever inside the VPC that EKS is under.
So far, it’s working for me.
OpenVPN is a no-brainer; however, be careful, as their pricing is about to increase, although it is still quite good value.
OpenVPN. Amazon’s VPN service is mostly for site-to-site rather than EC2-to-EC2 and costs 10 cents per hour, while with OpenVPN you are only paying monthly for running the VPN server, which is much cheaper.
AWS Client VPN works pretty well for me: AWS Client VPN | Remote access VPN | Amazon Web Services (AWS)
And transit gateway for communications between VPCs if you have many but want to use single VPN endpoint.
+1 SSM is overlooked all the time.
It’s 2023, you usually do not need a bastion host when using cloud providers. SSM allows you to plop into your instances or containers as needed.
You can even get creative, and if what you use SSM to connect to has SSH installed, you can create a reverse SSH tunnel to connect to other resources behind it (such as things that don’t have an SSM agent, like an RDS DB)
I don’t like to put a public IP on something unless it’s required. IP whitelists suuuuccckkk for so many reasons.
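The SSM port-forwarding approach mentioned in a couple of the replies above (SSM instead of a bastion, then reaching things behind the instance such as a database or the cluster's private API endpoint), as an added example that is not part of the thread. It assumes AWS CLI v2 with the Session Manager plugin, a target instance running the SSM agent with an instance role that permits it, and a caller whose IAM identity (for example from SAML SSO) is allowed `ssm:StartSession` on that instance; the instance id and endpoint hostname in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reach a private endpoint (an EKS private API
# endpoint, an RDS instance) through an SSM-managed EC2 instance inside its VPC.
# Nothing here needs a public IP, an elastic IP, or an allowlist entry for the
# user's own address: access is decided by IAM, and every session is logged by SSM.
# Assumptions: AWS CLI v2 + Session Manager plugin installed; the target instance
# runs the SSM agent with a role allowing it; the caller may ssm:StartSession on it.

# Accept only a numeric TCP port in 1..65535 (rejects junk before it reaches the CLI).
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the exact command for a port-forward through an instance to a remote host.
# Kept as a pure string builder so the command can be reviewed, logged, or tested.
# AWS-StartPortForwardingSessionToRemoteHost is the AWS-managed session document
# that forwards localPortNumber on the client to host:portNumber as seen from the
# instance (the instance does the DNS lookup, so VPC-private names work).
ssm_forward_cmd() {
  target="$1" remote_host="$2" remote_port="$3" local_port="$4"
  is_port "$remote_port" && is_port "$local_port" || return 1
  printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=%s,portNumber=%s,localPortNumber=%s' \
    "$target" "$remote_host" "$remote_port" "$local_port"
}

# Run the forward in the foreground; Ctrl-C tears the session down.
ssm_forward() {
  is_port "$3" && is_port "$4" || { echo "bad port" >&2; return 1; }
  aws ssm start-session --target "$1" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "host=$2,portNumber=$3,localPortNumber=$4"
}

# Usage (placeholder instance id and cluster endpoint; assumption, not thread data):
#   ssm_forward i-0123456789abcdef0 PLACEHOLDER.gr7.us-east-1.eks.amazonaws.com 443 8443
# then, in another terminal, point kubectl at the local port while still validating
# the API server certificate against the real endpoint name:
#   kubectl --server https://127.0.0.1:8443 \
#     --tls-server-name PLACEHOLDER.gr7.us-east-1.eks.amazonaws.com get nodes
# The same shape works for an RDS endpoint (host=<rds-endpoint>, portNumber=5432).
```

Because the instance resolves `host=`, an EKS endpoint with private access enabled resolves to its in-VPC addresses, so the cluster's public endpoint allowlist never comes into play; the `--tls-server-name` flag keeps certificate validation intact even though kubectl is talking to 127.0.0.1.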
So this is the current solution. I haven’t really messed with it much at all, but the API endpoint for the cluster seems to be a continuous issue as the IPs seem to change. This is a split tunnel setup as well. Currently I have to run a command to add the kube API IPs to my local route table to force it over the VPN connection. Not sure if you or anyone else would have a solution for that. I’ve tried looking around online, but couldn’t find anything specific to this issue. I’d be willing to keep this setup if we could work through these problems.
Can RDP, too! So if you really need a bastion host, you could do it without a public IP.
I’m not exactly sure what you want to do in the EKS cluster to begin with so I can’t really give you a good answer.
Why do you need the kube API IPs in your route table? If you whitelist the elastic IP of the bastion host/openvpn server in EKS, you can just grab the context and kubectl will work with that.
The access server package which is the one you probably want to use is not free.
Sorry, yes I am trying to connect to the cluster to run kubectl commands. The elastic IP of the VPN server is added to the whitelist for the EKS cluster. The issue being we don’t route all of the user traffic through this VPN, so the user’s public IP is still unchanged.
Oh, I have no use for that. I would at worst write a script that does the same thing, and it would cost me nothing.
But I understand some non-technical people might struggle with that.
Then this is a VPN setup issue. You can push routes to the clients with OpenVPN.
The paid system is free for two concurrent connections and I doubt your script can do most of the features, for example SAML2 authentication.
I don’t disagree. I guess, is there a way to add a route for a URL such as CLUSTER-ENDPOINT.us-east-1.eks.amazonaws.com?
This way each cluster could be added and hopefully fix this issue.
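One way to handle the problem discussed in the last few posts (the endpoint's addresses change, and on a split tunnel kubectl traffic leaves via the user's own public IP rather than the VPN server's allowlisted elastic IP), as an added example that is not part of the thread: re-resolve the endpoint hostname and pin /32 routes for its current addresses to the tunnel interface, or generate the equivalent `push "route ..."` lines for the OpenVPN server config. It assumes a Linux client with iproute2 and a `tun0` interface, an OpenVPN server that NATs client traffic out of its elastic IP, and a placeholder endpoint hostname; OpenVPN route directives take one address each, so a name with several A records yields several lines.

```shell
#!/bin/sh
# Added example, not from the thread: keep host routes for an EKS API endpoint
# pinned to the VPN interface on a split-tunnel client, so kubectl traffic exits via
# the VPN server's elastic IP (the one on the cluster's allowlist) even after the
# endpoint's addresses change. Re-run it from cron or an OpenVPN --up script.
# Assumptions: Linux client with iproute2; tunnel device tun0 (override with VPN_DEV);
# the VPN server NATs client traffic; endpoint hostnames are placeholders.

VPN_DEV="${VPN_DEV:-tun0}"

# Resolve a hostname to its IPv4 addresses, one per line (empty if it does not resolve).
resolve_v4() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Drop anything on stdin that is not a dotted-quad, so a failed lookup or an error
# message can never turn into a bogus route. Passes valid addresses through unchanged.
only_v4() {
  while read -r ip; do
    case "$ip" in
      ''|*[!0-9.]*) continue ;;
      *.*.*.*) printf '%s\n' "$ip" ;;
    esac
  done
}

# Client side: `ip route replace` commands for /32 host routes via the VPN device.
# `replace` (rather than `add`) makes repeated runs idempotent.
client_routes() {
  only_v4 | while read -r ip; do
    printf 'ip route replace %s/32 dev %s\n' "$ip" "$VPN_DEV"
  done
}

# Server side alternative: lines for the OpenVPN server config that push the same
# host routes to every client, so no per-user script is needed. The server config
# must be regenerated (and routes re-pushed) when the endpoint's addresses change.
push_route_lines() {
  only_v4 | while read -r ip; do
    printf 'push "route %s 255.255.255.255"\n' "$ip"
  done
}

# Resolve each endpoint given on the command line and apply its routes, e.g.:
#   sudo VPN_DEV=tun0 ./eks_routes.sh CLUSTER-ENDPOINT.us-east-1.eks.amazonaws.com
apply_routes() {
  for host in "$@"; do
    resolve_v4 "$host" | client_routes | sh -e
  done
}

if [ "$#" -gt 0 ]; then
  apply_routes "$@"
fi
```

To see what would change without touching the routing table, pipe `resolve_v4 HOST | client_routes` to the terminal instead of `sh -e`; `resolve_v4 HOST | push_route_lines` produces the server-config lines for the push-route approach suggested above. On macOS, `getent` is absent and the `ip route` lines would become `route -n add -host ADDR -interface utun0`, which this script does not attempt.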
Sure, that’s a use case. I can deploy those features using other means just fine though, without paying for a subscription service and while avoiding vendor lock-in.