
Client-to-site VPNs are an integral part of modern infrastructure for establishing access to internal private systems with secure and seamless connectivity. These two properties are the most critical factors in deciding which VPN client service to choose from the many options available in both managed and self-managed formats.
Compromising on either of them will affect the security and scalability of your entire software infrastructure, and can even affect its development and delivery.
AWS Client VPN and Self-Managed OpenVPN Access Server are two popular solutions, each with its own set of features, advantages, and drawbacks. In this article, we will explore the strengths and weaknesses of both to help you make an informed decision based on your organisation's specific needs.
While AWS Client VPN offers a managed solution with advanced features and scalability, Self-Managed OpenVPN Access Server might be a suitable choice for smaller-scale deployments or development phases.
Understanding your organisation's current and future needs is key to making an informed decision in the realm of client-to-site VPNs.
AWS Client VPN with SSO_SAML:
Pros | Cons |
User Onboarding and Off-boarding: AWS Client VPN simplifies the onboarding and off-boarding processes for new and departing users, providing efficiency in managing access. | Manual SSO SAML Setup: The setup for SSO with SAML is still a manual process, lacking an automated API. However, this is an area where improvements are anticipated in future releases. |
SSO with MFA Enhances Security: The inclusion of Single Sign-On (SSO) with Security Assertion Markup Language (SAML) and Multi-Factor Authentication (MFA) ensures a robust security posture, safeguarding against unauthorised access. | User Onboarding Email: Automated emails for new user onboarding are not a part of the current setup. Users must utilise the "forgot password" feature to establish their credentials. |
Multi-AZ Support: The multi-Availability Zone (AZ) support ensures high availability, reducing the risk of downtime and ensuring continuous access for users. | |
Flexible Pricing: AWS Client VPN adopts a flexible pricing model based on usage, eliminating the need for static instances and providing cost efficiency. The pricing structure, at $0.10 per hour for endpoint association and $0.05 per hour for each connection, allows organisations to pay for what they use. | |
No License Procurement Hassles: Unlike some self-managed solutions, AWS Client VPN does not require organisations to navigate through the complexities of license procurement and renewal. | |
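The setup the table above describes (SAML federated authentication, two Availability Zones, access tied to an IdP group), written as a CloudFormation template. This is an added example, not the author's configuration: the parameter names, client CIDR and log retention are assumptions, and the IAM SAML provider and ACM server certificate are expected to exist already, since the IdP side of the SAML setup is manual.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Client VPN endpoint, SAML federated auth, two AZs (added example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetAzA:
    Type: AWS::EC2::Subnet::Id      # subnet in the first AZ
  SubnetAzB:
    Type: AWS::EC2::Subnet::Id      # subnet in a second AZ
  VpcCidr:
    Type: String                    # network the VPN users may reach
  ServerCertificateArn:
    Type: String                    # ACM certificate for the endpoint
  SamlProviderArn:
    Type: String                    # IAM SAML provider, created beforehand
  VpnUsersGroup:
    Type: String                    # IdP group sent in the SAML assertion
Resources:
  ConnectionLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90           # assumed retention; set to your policy
  Endpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      ClientCidrBlock: 10.250.0.0/22   # constructed; must not overlap VpcCidr
      ServerCertificateArn: !Ref ServerCertificateArn
      VpcId: !Ref VpcId
      SplitTunnel: true
      AuthenticationOptions:
        - Type: federated-authentication   # MFA is enforced by the IdP
          FederatedAuthentication:
            SAMLProviderArn: !Ref SamlProviderArn
      ConnectionLogOptions:
        Enabled: true                # keep a record of every connection
        CloudwatchLogGroup: !Ref ConnectionLogs
  AssociationAzA:                    # one association per AZ gives multi-AZ
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties: {ClientVpnEndpointId: !Ref Endpoint, SubnetId: !Ref SubnetAzA}
  AssociationAzB:                    # each association is billed per hour
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties: {ClientVpnEndpointId: !Ref Endpoint, SubnetId: !Ref SubnetAzB}
  AllowVpnUsers:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref Endpoint
      TargetNetworkCidr: !Ref VpcCidr
      AccessGroupId: !Ref VpnUsersGroup   # not AuthorizeAllGroups: true
      Description: Only members of the VPN users group reach the VPC
```

Because the authorization rule names an IdP group instead of authorizing all groups, off-boarding a user is a change in the identity provider rather than on the VPN endpoint.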
Self-Managed OpenVPN Access Server:
Pros | Cons |
Single Instance Fully Automated Setup: OpenVPN Access Server offers a fully automated setup for a single instance, making it straightforward for internal user connectivity. | No High Availability (H/A): One notable drawback of the self-managed solution is the absence of high availability. In a production environment where uptime is critical, this limitation may pose challenges. |
Default 2 Free Users: Out of the box, OpenVPN Access Server allows for two free users, providing a cost-effective option for small teams or organisations with minimal requirements. | Internal User Management: Internal user management may require additional scripting, introducing complexity compared to more user-friendly, managed alternatives. |
 | Yearly License Renewal and Upgrades: The necessity for yearly license renewal and upgrades can be a hindrance, especially in dynamic environments where employee scaling is a regular occurrence. |
 | System Backup Needed: To preserve users or facilitate system upgrades, manual instance backup becomes necessary, adding an extra layer of management overhead. |
Summary:
In assessing the two solutions, it becomes evident that both AWS Client VPN and Self-Managed OpenVPN Access Server have their places in different scenarios.
AWS Client VPN excels in scenarios where:
Ease of Accessibility is Crucial: Particularly in production environments where high availability is non-negotiable.
Scalability is a Concern: The managed service eliminates the burden of managing certificates and associated costs.
Federated Authentication is Preferred: Leveraging federated authentication ensures a seamless and secure user experience.
Self-Managed OpenVPN Access Server may be suitable for:
Initial Development or MVP Phases: Especially when the emphasis is on simplicity and cost-effectiveness during the early stages.
Small Teams or Low User Requirements: The default provision of two free users makes it an attractive option for organisations with minimal user needs.
In conclusion, the choice between AWS Client VPN and Self-Managed OpenVPN Access Server hinges on the specific requirements and priorities of your organisation.
Thanks & Regards
Kamalika Majumder