By using AWS re:Post, you agree to the Terms of Use

Questions tagged with AWS Virtual Private Network (VPN)

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

EC2s Development and Production Environments, Isolation, VPN, API GW, Private and Public Endpoints with RDS and Data Sanitization

Hi Everyone, I have the following idea for an infrastructure architecture in AWS but I believe that I need some help with clarifying several issues which I believe, the best answers to will come from here. I am thinking about the following layout: In production: 1. an EC2 with Apache that provides service portal for web users 2. an RDS for the sake of the portal 3. another EC2 with Apache and business-logic php application as CRM 4. the same RDS will be used by the CRM application as well In development: The same layout, with 1 EC2 for web client services, 1 EC2 for the sake of developing the CRM and an RDS for the data I thought about using two different VPCs for the sake of this deployment. I need data replication with sanitization from the production RDS to the development RDS (thinking either by SQL procedures or other method, didn't think about that yet, but I know I need it to be like that since I have no desire to enable my developers to work with real client data). Both the production and development CRM EC2s are exposing Web APIs Both the production and development service portals are exposing Web APIs Both the production and development CRM and service portal are web accessible For the development environment I want to enable access (Web and Web APIs) only through VPN, hence, I want my developers to connect with VPN clients to the development VPC with VPN and work against both EC2s on-top of that connection. I also want them to be able to test all APIs and thinking about setting an API Gateway on that private endpoint. For the production environment, I want to enable access (Web and Web APIs) to the CRM EC2 through VPN, hence, I want my business units to connect with their VPN clients to a production VPN gateway, and work against the CRM on-top of that connection. I don't want to expose my CRM to the world. For the production environment, I want to enable everyone on the internet (actually, not everyone, I want to Geo-Block access to the service portal, hence, I do believe I need Amazon CDN services enabled for that cause) to access the service portal, still, I want to enable an API Gateway for the Web APIs that are exposed by this service portal EC2. I've been reading about Amazon API gateway (and API Gateway Cache) and it's resource policy and VPC endpoints with their own security groups and Amazon Route 53 resolver for the sake of VPN connections. I also been reading lots about Amazon virtual private gateway and a private and public endpoints, but, I still can't figure-out with element comes to play where and how the interactions should be design for those elements. I believe I also need Amazon KMS for the keys, certificates and passwords, but, I'm still trying to figure out the right approach for the above, so, I'm leaving the KMS part for the end. of course I'm thinking about security at the top of my concerns, so, I do believe all connectivity's should be harden in-between the elements, is only using ACLs is the right way to go!? I would really appreciate the help
asked 3 months ago