InfusionPoints' XccelerATOr Public Applications in Private Networks
InfusionPoints’ XccelerATOr uses a dedicated AWS account, labelled “Transit”, as a boundary cloud access point (BCAP). This account contains an IPv4 Virtual Private Cloud (VPC) with an Internet Gateway, and it is the only path to and from endpoints outside the boundary for every account inside it: each account’s VPC attaches to a Transit Gateway and routes its external traffic through the Transit account. Applications inside the boundary that must be reachable from outside require a specific Elastic Load Balancer configuration that exposes them without giving the hosting VPC a path to the Internet, while keeping traffic encrypted on every hop. To achieve this, the necessary AWS resources are configured as follows.
- The Production account, which hosts the application servers, has an internal (private) Network Load Balancer (NLB).
- The NLB has a TLS listener with an AWS Certificate Manager (ACM) certificate attached. This is a public ACM certificate that does not match any internal server DNS name; it serves only to encrypt the hop from the ALB, which does not validate the certificate presented by its targets. The listener’s security policy permits TLSv1.2 only.
- The NLB’s target group uses the TLS protocol and contains the application instances, registered on the TCP port where the application itself serves TLS, so the NLB re-encrypts traffic to the instances rather than forwarding it in plaintext.
- The Transit account hosts the public (internet-facing) Application Load Balancer (ALB).
- The ALB has an HTTPS listener with an ACM certificate attached. This certificate matches the public DNS alias record that resolves to the ALB’s DNS name, so clients can validate it. The listener’s security policy permits TLSv1.2 only.
- The ALB’s target group uses target type IP and protocol HTTPS; it contains the private IP addresses of the NLB, reached across the Transit Gateway, and the port of the NLB’s TLS listener.
With this configuration the VPC in the account hosting the application has no route to anything outside the boundary, and every hop (client to ALB, ALB to NLB, NLB to application instance) is its own TLSv1.2 session, so traffic is never in plaintext on the network. TLS is terminated and re-originated at the ALB and again at the NLB, so “end-to-end” here means encrypted on every hop rather than a single client-to-server session.
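The same two-account layout expressed as Terraform, as an added example that is not InfusionPoints’ or XccelerATOr’s own code. It assumes two AWS provider aliases (`prod` and `transit`), and that subnets, the ALB security group, the two ACM certificates, the application instance IDs and the NLB’s private IP addresses already exist and are passed in as variables; all resource names, the port 8443 and the `ELBSecurityPolicy-TLS-1-2-2017-01` policy choice are assumptions for illustration.

```hcl
# Added example, not the product's own code. Assumed inputs are declared
# as variables; two provider aliases stand in for the two AWS accounts.

provider "aws" {
  alias   = "prod"
  profile = "production" # assumed CLI profile
}

provider "aws" {
  alias   = "transit"
  profile = "transit" # assumed CLI profile
}

variable "prod_vpc_id"               { type = string }
variable "prod_private_subnet_ids"   { type = list(string) }
variable "app_instance_ids"          { type = list(string) }
variable "app_tls_port"              { type = number }       # e.g. 8443, where the app serves TLS
variable "nlb_cert_arn"              { type = string }       # public ACM cert, encryption only
variable "nlb_private_ips"           { type = list(string) } # NLB ENI addresses in the Production VPC
variable "transit_vpc_id"            { type = string }
variable "transit_public_subnet_ids" { type = list(string) }
variable "transit_alb_sg_id"         { type = string }
variable "alb_cert_arn"              { type = string }       # matches the public DNS alias

# One predefined policy that allows TLSv1.2 only, used on both listeners.
locals {
  tls12_only = "ELBSecurityPolicy-TLS-1-2-2017-01"
}

# --- Production account: internal NLB, TLS listener, TLS target group ---

resource "aws_lb" "app_nlb" {
  provider           = aws.prod
  name               = "app-internal-nlb"
  load_balancer_type = "network"
  internal           = true # private: no public addresses, no Internet route
  subnets            = var.prod_private_subnet_ids
}

resource "aws_lb_target_group" "app" {
  provider    = aws.prod
  name        = "app-tls-targets"
  vpc_id      = var.prod_vpc_id
  target_type = "instance"
  protocol    = "TLS" # NLB re-encrypts to the instances; "TCP" here would send plaintext
  port        = var.app_tls_port
}

resource "aws_lb_target_group_attachment" "app" {
  provider         = aws.prod
  count            = length(var.app_instance_ids)
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = var.app_instance_ids[count.index]
  port             = var.app_tls_port
}

resource "aws_lb_listener" "nlb_tls" {
  provider          = aws.prod
  load_balancer_arn = aws_lb.app_nlb.arn
  port              = 443
  protocol          = "TLS"
  ssl_policy        = local.tls12_only
  certificate_arn   = var.nlb_cert_arn # name mismatch is tolerated: the ALB does not validate it
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# --- Transit account: internet-facing ALB whose IP targets are the NLB ---

resource "aws_lb" "public_alb" {
  provider           = aws.transit
  name               = "app-public-alb"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [var.transit_alb_sg_id]
  subnets            = var.transit_public_subnet_ids
}

resource "aws_lb_target_group" "nlb_ips" {
  provider    = aws.transit
  name        = "app-nlb-ip-targets"
  vpc_id      = var.transit_vpc_id
  target_type = "ip"
  protocol    = "HTTPS" # ALB re-encrypts toward the NLB's TLS listener
  port        = 443
}

resource "aws_lb_target_group_attachment" "nlb_ips" {
  provider          = aws.transit
  for_each          = toset(var.nlb_private_ips)
  target_group_arn  = aws_lb_target_group.nlb_ips.arn
  target_id         = each.value
  port              = 443
  availability_zone = "all" # required for IPs outside this VPC (reached over the Transit Gateway)
}

resource "aws_lb_listener" "alb_https" {
  provider          = aws.transit
  load_balancer_arn = aws_lb.public_alb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = local.tls12_only
  certificate_arn   = var.alb_cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.nlb_ips.arn
  }
}
```

Two settings carry the security of the design and are easy to get wrong: the NLB target group protocol must be `TLS`, not `TCP`, or the last hop to the instances is plaintext; and the `availability_zone = "all"` on the IP attachments is what lets the ALB register addresses that live in another VPC. Because the ALB does not validate the NLB’s certificate, the Transit Gateway route tables and the NLB security posture, not TLS, are what guarantee the ALB is talking to the intended backend.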
For more information or a demonstration of how InfusionPoints’ XccelerATOr can help your team meet FedRAMP or DoD SRG requirements, contact us at firstname.lastname@example.org