
Yes, you can have VPN endpoints to your VPC, where the other end is in whatever external network you want.

And if you don't want any external communication at all (barring your VPN), just remove the 'IGW' from your VPC (or make a new VPC without one). Or modify the VPC's routing tables. Or don't assign any public IPs to anything in the VPC. Or probably a few other methods :)




Provide a VPC endpoint

No, but this is not a problem for me, since my use case is more about avoiding MITM attacks and safely using public Wi-Fi.

Every VPN has an endpoint, and whether that endpoint is acceptable depends on your use case.


How can you do this in such a way that the VPN endpoint is not also hijacked?

Ah, so you want outgoing connections to go over a VPN?

It'd definitely be possible, although if you're not already using a VPN, I doubt it'd be easier. You could do it a few ways, but the gist would be running the VPN endpoint and the web app in the "same place" (same machine, same network, etc.) and restricting access to the web app from anywhere else.

There are also benefits to running your VPN endpoint on your network gateway - otherwise it can be difficult to configure routing tables to allow a user connecting from outside the network to access both internal and Internet IPs from the tunnel endpoint.

As mentioned in the footnote, this can be done by using PrivateLink; it costs a few bucks too, but it is the way to go if your VPC does not (or must not, for Compliance™ reasons) have internet connectivity.

If your target VPC has neither PrivateLink nor public IPv4 connectivity somewhere, I'm not sure how that would work; I'd love to learn how that was built.


Yes. I just provided simplified firewall rules in my answer (notice I didn't provide whitelisted DNS rules either).

You also need to whitelist either the VPN endpoint itself (and add a route to that endpoint) or you need to whitelist the process (such as wireguard or openvpn) that hits that endpoint.

Not sure how a DHCP server is relevant in the slightest here except for the initial host network config of course. But the host network should already be configured before the VPN comes up.

Source: I've implemented this dozens of times (and you probably have too, it sounds like), so let's not quibble over the details ;)


As you say, it's a big question. But one way to start is by integrating this _within your VPN_ such that network access + credentials alone are not enough. With Boundary you could do this by setting up firewalls on the end hosts to only allow ingress from Boundary worker nodes.

Eventually you can migrate towards Boundary nodes (or similar technologies) being the public ingress instead of a VPN endpoint.

(Edit: clarified that I meant firewalls on the end hosts, not on the VPN or elsewhere in the network.)


Not necessary (and presumably not possible). Each endpoint pays extra for VPN.

We have an internal application that would benefit from having local access to our network infrastructure (VPC) without needing a VPN.

Of course you can. Look up VPN routing / split tunneling. It’s not uncommon for corporate VPNs to only route intranet traffic for instance; and LAN is usually whitelisted.

Yes, if by "connected to a VPN" you mean two things:

1. You are connected to a trusted network via a VPN protocol. A trusted network might be your home network, a network you operate at a data center, or a network you operate at a cloud provider such as AWS or Azure.

2. You are not using split-tunneling, which is surprisingly common with some VPN clients. Split-tunneling will only send traffic destined for the remote network's address space to the VPN endpoint, sending all other traffic to the local network's gateway (in this case, the rogue router). You will want to disable split-tunneling in order to send all traffic to the VPN endpoint.

It has become popular to refer to connecting to a third-party proxy service that uses VPN protocols as "connecting to a VPN," but if you do that, you are putting your trust in a third-party vendor of proxy services. IMO it's superior to just operate your own private network using a more trustworthy data center or cloud provider.
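The routing behaviour described in the comment above (split tunnel versus full tunnel), together with the earlier point that the VPN endpoint itself must be whitelisted and given its own route so the tunnel's packets can leave in the clear, as an added example that is not part of the thread. It models a client's routing table and a matching host-firewall kill switch in Python; the LAN 192.168.1.0/24, the endpoint 203.0.113.10, the interface names wlan0/wg0 and the probe addresses are constructed. The two /1 routes are OpenVPN's `redirect-gateway def1` trick; wg-quick instead reaches the same result with a separate routing table, fwmarks and policy rules.

```python
"""Added example (not from the thread): how a VPN client's routing table decides
which packets enter the tunnel and which leak to the local gateway, plus the
host-firewall policy that complements it. All addresses, interface names and
the port are constructed for illustration."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")         # untrusted Wi-Fi we are sitting on
LOCAL_GW = ip_address("192.168.1.1")       # its (possibly rogue) router
VPN_ENDPOINT = ip_address("203.0.113.10")  # our own VPN server (TEST-NET-3 address)
VPN_PORT = 51820                           # WireGuard's conventional UDP port
PHYS_IF, TUNNEL_IF = "wlan0", "wg0"

# Full tunnel via OpenVPN's "redirect-gateway def1": two /1 routes beat the
# DHCP-supplied /0 default on prefix length, so the default need not be deleted.
FULL_TUNNEL = ["0.0.0.0/1", "128.0.0.0/1"]
# Split tunnel: only the remote VPC/office network goes through the tunnel.
SPLIT_TUNNEL = ["10.0.0.0/16"]


def build_routes(tunnel_prefixes):
    """Routing table as (prefix, next_hop, interface) tuples. tunnel_prefixes
    plays the role of WireGuard's AllowedIPs or OpenVPN's pushed routes."""
    routes = [
        (ip_network("0.0.0.0/0"), LOCAL_GW, PHYS_IF),   # default route from DHCP
        (LAN, None, PHYS_IF),                           # directly connected LAN
        # Host route for the endpoint: the encrypted packets must still exit via
        # the physical gateway, otherwise they would be steered into the very
        # tunnel they carry.
        (ip_network(f"{VPN_ENDPOINT}/32"), LOCAL_GW, PHYS_IF),
    ]
    routes += [(ip_network(p), None, TUNNEL_IF) for p in tunnel_prefixes]
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, the same rule the kernel applies."""
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    _, _, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return iface


def leaks(routes, destinations):
    """Destinations that would reach the local gateway in the clear."""
    return [d for d in destinations
            if egress_interface(routes, d) == PHYS_IF
            and ip_address(d) not in LAN
            and ip_address(d) != VPN_ENDPOINT]


def kill_switch_allows(iface, dst, proto, dport):
    """Host-firewall policy: anything may leave via the tunnel; the only
    cleartext egress is the tunnel's own UDP to the endpoint and DHCP renewals
    on the LAN. The initial DHCP exchange happens before the tunnel exists, as
    the thread notes. Whitelisting the whole LAN is a policy choice not made here."""
    if iface == TUNNEL_IF:
        return True
    dst = ip_address(dst)
    if dst == VPN_ENDPOINT and proto == "udp" and dport == VPN_PORT:
        return True
    return dst in LAN and proto == "udp" and dport == 67


if __name__ == "__main__":
    probes = ["10.0.5.5", "1.1.1.1", "192.168.1.50", str(VPN_ENDPOINT)]
    for name, prefixes in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        table = build_routes(prefixes)
        print(name, {d: egress_interface(table, d) for d in probes},
              "leaks:", leaks(table, probes))
```

With the split-tunnel table, 1.1.1.1 exits via wlan0 through the rogue router; with the full-tunnel table only the endpoint's own /32 and the connected LAN stay on wlan0, and the kill switch refuses any other cleartext egress even if a route were added later.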


But would such a VPC be able to make outgoing connections to IPv4-only servers?

Currently my implementation only has 1 VPN endpoint per 'location', so the other devices still need to get their IP some other way (DHCP/router advertisement). Since my network is not that large, layer 2 is doable and I'm trying to see where I hit practical limits.

Noob question, but doesn't having a private VPC at least limit external users from accessing anything, since they have to be part of the network?

How about via VPN into the VPC?

What value is added by using a separate VPC? Equivalent restrictions can more easily be done with security groups, including on the outbound networking.
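
The ways of cutting a VPC off from the internet mentioned earlier in the thread (remove the IGW, edit the route table, assign no public IPs) and the security-group alternative in the comment above, as an added example that is not part of the thread: a small audit in Python over a constructed VPC snapshot that reports, per instance, whether an internet egress path exists and which of those conditions blocks it. The model is deliberately simplified: it ignores NACLs, IPv6 and egress-only internet gateways, and assumes a NAT gateway sits in a subnet that itself routes to an IGW. All IDs, subnets and addresses are made up.

```python
"""Added example, not code from the thread: audit a constructed VPC snapshot for
instances that can reach the internet. Simplified model: no NACLs, no IPv6 or
egress-only IGW, and a NAT gateway is assumed to sit in a subnet that itself
routes to an IGW. All IDs and addresses are made up."""
from ipaddress import ip_address, ip_network

VPC = {
    "route_tables": {
        # Subnets with no explicit association fall back to the main table.
        "rtb-main": {"main": True, "subnets": [],
                     "routes": [{"dest": "10.0.0.0/16", "target": "local"}]},
        "rtb-public": {"main": False, "subnets": ["subnet-pub"],
                       "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                                  {"dest": "0.0.0.0/0", "target": "igw-1"}]},
        "rtb-nat": {"main": False, "subnets": ["subnet-app"],
                    "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                               {"dest": "0.0.0.0/0", "target": "nat-1"}]},
    },
    "security_groups": {  # egress rules: cidr, protocol ("-1" = any), port range
        "sg-open": {"egress": [{"cidr": "0.0.0.0/0", "proto": "-1", "ports": (0, 65535)}]},
        "sg-https-only": {"egress": [{"cidr": "0.0.0.0/0", "proto": "tcp", "ports": (443, 443)}]},
        # The "equivalent restriction with security groups": egress only to the
        # VPC's own address space, regardless of what the route table offers.
        "sg-vpc-only": {"egress": [{"cidr": "10.0.0.0/16", "proto": "-1", "ports": (0, 65535)}]},
    },
    "instances": {
        "i-bastion": {"subnet": "subnet-pub", "public_ip": "198.51.100.7", "sgs": ["sg-open"]},
        "i-orphan": {"subnet": "subnet-pub", "public_ip": None, "sgs": ["sg-open"]},
        "i-locked": {"subnet": "subnet-pub", "public_ip": "198.51.100.8", "sgs": ["sg-vpc-only"]},
        "i-app": {"subnet": "subnet-app", "public_ip": None, "sgs": ["sg-https-only"]},
        "i-db": {"subnet": "subnet-db", "public_ip": None, "sgs": ["sg-vpc-only"]},
    },
}


def route_table_for(vpc, subnet_id):
    """Explicitly associated route table, else the VPC's main route table."""
    for rtb_id, rtb in vpc["route_tables"].items():
        if subnet_id in rtb["subnets"]:
            return rtb_id
    return next(i for i, r in vpc["route_tables"].items() if r["main"])


def default_route_target(vpc, subnet_id):
    """Target of the 0.0.0.0/0 route (igw-*, nat-*, ...) or None if absent, which
    is what deleting the IGW or editing the route table achieves."""
    rtb = vpc["route_tables"][route_table_for(vpc, subnet_id)]
    for route in rtb["routes"]:
        if route["dest"] == "0.0.0.0/0":
            return route["target"]
    return None


def sg_allows_egress(vpc, sg_ids, dst, proto, port):
    """Security groups are allow-lists: one matching rule in any attached group permits."""
    dst = ip_address(dst)
    for sg in sg_ids:
        for rule in vpc["security_groups"][sg]["egress"]:
            lo, hi = rule["ports"]
            if (dst in ip_network(rule["cidr"])
                    and rule["proto"] in ("-1", proto)
                    and lo <= port <= hi):
                return True
    return False


def internet_egress(vpc, instance_id, dst="1.1.1.1", proto="tcp", port=443):
    """Return (path, reason): path is "direct", "nat" or None when the instance
    cannot reach dst on the internet. Each None names the blocking condition."""
    inst = vpc["instances"][instance_id]
    target = default_route_target(vpc, inst["subnet"])
    if target is None:
        return None, "no 0.0.0.0/0 route in the subnet's route table"
    via_igw = target.startswith("igw-")
    if via_igw and inst["public_ip"] is None:
        return None, f"route via {target} but the instance has no public IP"
    if not sg_allows_egress(vpc, inst["sgs"], dst, proto, port):
        return None, f"security group egress denies {proto}/{port} to {dst}"
    if via_igw:
        return "direct", f"{inst['public_ip']} via {target}"
    return "nat", f"via {target}"


def audit(vpc):
    """Map every instance to its (path, reason) verdict."""
    return {i: internet_egress(vpc, i) for i in vpc["instances"]}


if __name__ == "__main__":
    for instance, (path, reason) in audit(VPC).items():
        print(f"{instance:10} {path or 'blocked':8} {reason}")
```

Run against a real account the same checks would be fed from `describe-route-tables`, `describe-instances` and `describe-security-groups` output; the point of the three separate reasons is that any one of them is enough to block egress, so a VPC with an IGW can still be isolated per instance by security-group egress alone.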

Yes. I use source routing to run my DNS through the VPN, but end devices go direct because too many streaming services or sites like Wikipedia ban VPN IPs.
