
Scalable and Secure Site-to-Site VPN Setup for Multi-Tenant SaaS on AWS

0

We are building a multi-tenant application hosted on AWS, and we need to establish secure communication with the on-premises servers of our clients, who are primarily banks. While Site-to-Site VPN is our preferred method for connectivity, provisioning a separate VPC and deploying application nodes for each client does not appear to be a scalable or maintainable approach.

Our proposed solution: We plan to set up Site-to-Site VPN connections based on subnets, using network ACLs and security groups to enforce isolation between clients. For logical separation of data, we maintain separate database schemas for each client.

I would appreciate your feedback on this solution. If there are any other effective or industry-recommended alternatives for achieving this situation, I would like to know.

2 Answers
0

It would be interesting to understand more about your application and clients to build a better design.

However, I am afraid you can't have Site-to-Site VPNs based on subnets. What I am thinking is, have a VPC per bank where you have a Site-to-Site VPN. You can then have a PrivateLink service in each VPC from your SaaS platform VPC.

This keeps your banks' network traffic isolated and you will not have any issues with CIDR range crossover.

EXPERT

answered a year ago
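A minimal Terraform sketch of the per-bank pattern this answer describes (one VPC per bank with its own Site-to-Site VPN, reaching the shared SaaS VPC only through a PrivateLink endpoint). This is an added example, not the answerer's code; every CIDR, IP address, ASN and the `aws_lb.saas_nlb` reference are placeholder assumptions.

```hcl
# Constructed example: bank A gets its own landing VPC, VPN and PrivateLink endpoint.
# All CIDRs, IPs, the ASN and aws_lb.saas_nlb are placeholders, not real values.
resource "aws_vpc" "bank_a" {
  cidr_block = "10.50.0.0/16"   # per-bank VPC; overlap with another bank's range is harmless
}
resource "aws_subnet" "bank_a_private" {
  vpc_id     = aws_vpc.bank_a.id
  cidr_block = "10.50.1.0/24"
}
resource "aws_vpn_gateway" "bank_a" {
  vpc_id = aws_vpc.bank_a.id
}
resource "aws_customer_gateway" "bank_a" {
  bgp_asn    = 65000            # placeholder ASN
  ip_address = "203.0.113.10"   # placeholder public IP of the bank's VPN device
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "bank_a" {
  vpn_gateway_id      = aws_vpn_gateway.bank_a.id
  customer_gateway_id = aws_customer_gateway.bank_a.id
  type                = "ipsec.1"
  static_routes_only  = true
}
resource "aws_vpn_connection_route" "bank_a_onprem" {
  vpn_connection_id      = aws_vpn_connection.bank_a.id
  destination_cidr_block = "192.168.10.0/24"   # placeholder on-premises range of bank A
}
# The SaaS VPC exposes its NLB as an endpoint service; every bank VPC must be approved.
resource "aws_vpc_endpoint_service" "saas" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.saas_nlb.arn]   # assumed NLB in the SaaS VPC
}
# Only traffic arriving from bank A's own on-premises range may reach the endpoint.
resource "aws_security_group" "bank_a_endpoint" {
  vpc_id = aws_vpc.bank_a.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["192.168.10.0/24"]
  }
}
resource "aws_vpc_endpoint" "bank_a_to_saas" {
  vpc_id             = aws_vpc.bank_a.id
  service_name       = aws_vpc_endpoint_service.saas.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [aws_subnet.bank_a_private.id]
  security_group_ids = [aws_security_group.bank_a_endpoint.id]
}
```

Return traffic to the bank's range still needs a route to the virtual private gateway in the bank VPC's route table (for example via `aws_vpn_gateway_route_propagation`), and each bank's endpoint connection must be accepted on the endpoint service because `acceptance_required` is set.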

0

Is there a specific constraint for using a VPN-level connectivity solution? This is not a scalable mechanism, and it can also introduce security risks to the architecture. Did you consider using an API or another interface for communicating/interacting with the customer environments?

answered a year ago
