AWS Verified Access for Accessing Internal Applications without VPN
In this post, I will explain how we can use AWS Verified Access to access an application without requiring a VPN.
Use Case
We have an internal application that runs on a private subnet and is accessible only through a VPN. We want to enable users to securely access this application from the internet without requiring a VPN.
Prerequisites
- Enable the AWS IAM Identity Center in the AWS Region that you are working in.
- An application running behind an internal load balancer.
- Domain name
Steps
- Configure a trust provider
- Create a Verified Access instance
- Attach trust provider to the instance
- Create a Verified Access Group
- Create a Verified Access endpoint for the application
- Configure DNS
- Testing
Configure a Trust Provider
A trust provider is a service that provides information about users and devices. AWS Verified Access supports both AWS and third-party trust providers. In this example, we use “AWS IAM Identity Center” as the trust provider. Therefore, users created in the IAM Identity Center will be able to access the application.
resource "aws_verifiedaccess_trust_provider" "provider" {
description = "${var.app_name} trust provider"
policy_reference_name = var.policy_reference_name
trust_provider_type = "user"
user_trust_provider_type = "iam-identity-center"
tags = {
Name = "IAM"
}
}policy_reference_name: We can refer to this when we write policies.
Create a Verified Access Instance
An AWS Verified Access instance is an AWS resource that manages the trust providers and Verified Access groups.
resource "aws_verifiedaccess_instance" "instance" {
description = "${var.app_name} instance"
tags = {
Name = var.app_name
}
}
Attach Trust Provider to the Instance
resource "aws_verifiedaccess_instance_trust_provider_attachment" "attachment" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.instance.id
verifiedaccess_trust_provider_id = aws_verifiedaccess_trust_provider.provider.id
}
Create a Verified Access Group
An AWS Verified Access group is a collection of Verified Access endpoints and a group-level Verified Access policy. In this example, we use a simple policy that checks the format of an IAM user’s email address.
resource "aws_verifiedaccess_group" "group" {
verifiedaccess_instance_id = aws_verifiedaccess_instance.instance.id
policy_document = <<EOT
permit(principal, action, resource)
when {
context.IAM.user.email.address like "*@gmail.com"
};
EOT
tags = {
Name = var.app_name
}
depends_on = [
aws_verifiedaccess_instance_trust_provider_attachment.attachment
]
}In context.IAM.user.email.address, IAM refers to the policy reference defined in step one.
Create a Verified Access Endpoint for the Application
A Verified Access endpoint is a regional resource that defines the application for which Verified Access grants access. In this example, AWS Verified Access grants access to an ECS application running behind an internal load balancer.
resource "aws_verifiedaccess_endpoint" "access_endpoint" {
description = "${var.app_name} access endpoint"
application_domain = var.application_domain
verified_access_group_id = aws_verifiedaccess_group.group.id
attachment_type = "vpc"
domain_certificate_arn = var.domain_certificate_arn
endpoint_domain_prefix = var.endpoint_domain_prefix
endpoint_type = "load-balancer"
load_balancer_options {
load_balancer_arn = var.load_balancer_arn
port = var.load_balancer_listener_port
protocol = var.load_balancer_listener_protocol
subnet_ids = var.subnet_ids
}
security_group_ids = var.security_group_ids
tags = {
Name = var.app_name
}
}
Configure DNS
In this step, we need to create a CNAME record to map our public domain name to the verified access domain. You can find the verified access domain name on the ‘Verified Access endpoints’ details page. Once you create the CNAME record, all requests to the application will be directed to the Verified Access.
module "route53_records" {
source = "terraform-aws-modules/route53/aws//modules/records"
version = "~> 2.0"
zone_id = var.zone_id
records = [
{
name = "app"
type = "CNAME"
ttl = 5
records = [aws_verifiedaccess_endpoint.access_endpoint]
}
]
}Testing
You can download the complete project from this repository. Before applying the Terraform, ensure you update the DNS “zone_id’ and domain_ name parameters in the main.tf file.
Enter your application’s domain name into your web browser. Then, follow the authentication steps. If everything is successful, you will see the web page below.
Some Limitations
- Currently, AWS Verified Access does not support ACM certificates with the key algorithm “ECDSA P 256”.
