Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider VPC Endpoints #1

Open
jhmartin opened this issue Apr 19, 2020 · 2 comments
Open

Consider VPC Endpoints #1

jhmartin opened this issue Apr 19, 2020 · 2 comments

Comments

@jhmartin
Copy link

Consider using VPC Endpoints instead of VPC Peering for cases when Vault does not need to connect back to the source VPC or across regions. VPC Peering requires that the IP spaces be unique and exposes both sides to any potential security weaknesses in the opposite side. VPC Endpoints expose just the desired application and avoid IP conflict issues.
@jcolemorrison
Copy link
Owner

Oh nice, I like this idea! Let me explore adding it on the code and automation side of things. I'll post updates after I've done so. Thanks for the feedback! 😀

@jcolemorrison
Copy link
Owner

jcolemorrison commented Apr 30, 2020
edited
Loading

Just an update here - although I haven't been able to dig into setting up endpoints, I did add encryption between the load balancer and vault instances. Originally I didn't think as many folks would be interested in the VPC peering option, so I terminated TLS at the load balancer for savings and simplicity. However, the traffic and health checks between them all happen via HTTPS.

The Vault Instances' firewall only allow 8200 traffic from the load balancer, 8201 traffic from each other, and optionally SSH traffic from the Vault Bastion ONLY IF operator_mode = true. Traffic between Dynamo and KMS (and the Vault Instances) all also happen over HTTPS as well. Meaning that unless you have services / instances in your other private VPCs intentionally trying to party with the vault deployment resources, it should be good to go.

A couple of notes:

  1. I still like and will continue researching a VPC endpoint version for the project.

  2. Although IP conflicts CAN happen with VPC Peering, that's only if the AWS account has used up all of the RFC 1918 addresses available (or plans to). If that's the case, using multiple AWS accounts is the better approach. That said, the vault deployment only carves out 4096 IPs by default, and could honestly do with even less. The point being that amongst the 17 million+ IPs available to any account's VPC, most users shouldn't have to worry about the problem.

  3. The only other area of potential vulnerability, with respect to VPC peering, is the DynamoDB endpoint. Right now it is open to any thing on the private routing table. An endpoint policy can lock this down and I plan to put that in next. However, the DynamoDB table IS protected via IAM roles so it's not as if it's completely open. (edited)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jhmartin @jcolemorrison