Access server - public or private subnet?

Posted: Wed Jun 01, 2022 7:57 pm
by jerryv
Is there a recommended best practice on whether an Access Server instance should be deployed to a public subnet vs a private subnet (with elastic IP?) in AWS? Is one preferred, more secure, over the other?

Re: Access server - public or private subnet?

Posted: Thu Jun 02, 2022 11:26 am
by openvpn_inc
Hello jerryv,

As far as I know, all AWS EC2 instances are deployed with a private IP. A public IP is simply attached via 1:1 NAT. Regardless, we see Access Server deployed on public IPs as well, and this is fine. However, the good thing about having it on a private IP is the ability to use a firewall to block off any unused ports from the outside world. In the AWS world these are called security groups. By default, Access Server launches with a security group that allows only the required ports, and this is the safer approach.

An elastic IP is recommended, as you can at any time detach and reattach this same public IP to any of your instances. This allows you, for example, to swap out the EC2 instance if it has an issue while keeping the same public IP to the outside world. It's a minor convenience, but it could be relevant if you don't have a DNS record set up for the VPN connection. If, for example, the public IP of your server changes, you'd have to either update the DNS record or update all the clients to use the new IP. There's a significant difference in the amount of work involved if you have a lot of clients installed and such an IP change were to occur.

Kind regards,
Johan
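Added example, not part of this thread and not OpenVPN's own tooling: a small offline check of the "only the required ports" idea above. It takes security-group rules in the shape `aws ec2 describe-security-groups` returns (`IpPermissions`) and reports anything exposed to 0.0.0.0/0 or ::/0 beyond an assumed allow-list, plus any required port that is not reachable at all. The allow-list (`REQUIRED_PUBLIC`), the helper `_rule`, and the three sample groups are assumptions constructed for illustration; compare the port list against your own deployment before relying on it.

```python
"""Audit an AWS security group attached to an OpenVPN Access Server instance.

Added example (not from the forum post). Rule sets are constructed inline in
the shape `aws ec2 describe-security-groups` returns (`IpPermissions`). The
set of ports treated as legitimately world-open is an assumption for
illustration; verify it against your own deployment.
"""

WORLD = {"0.0.0.0/0", "::/0"}

# Assumption: (protocol, port) pairs an Access Server typically needs
# reachable from the internet so VPN clients can connect.
REQUIRED_PUBLIC = {
    ("tcp", 443),   # VPN over TCP plus the client web portal
    ("tcp", 943),   # admin / client web UI (consider limiting the source)
    ("udp", 1194),  # VPN over UDP
}


def _sources(rule):
    """Return every IPv4 and IPv6 CIDR listed on one IpPermissions entry."""
    return [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]


def _port_label(lo, hi):
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_security_group(sg, required_public=REQUIRED_PUBLIC):
    """List inbound rules exposing more than the required ports to the world."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto = rule["IpProtocol"]
        for cidr in _sources(rule):
            if cidr not in WORLD:
                continue  # a scoped source (e.g. an admin range) is the firewall doing its job
            if proto == "-1":  # AWS encodes "all protocols/ports" as -1 with no port fields
                findings.append(f"all traffic allowed from {cidr}")
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            if any((proto, p) not in required_public for p in range(lo, hi + 1)):
                findings.append(f"{proto}/{_port_label(lo, hi)} open to the world")
    return findings


def missing_required(sg, required_public=REQUIRED_PUBLIC):
    """List required proto/port pairs that no world-reachable rule covers."""
    covered = set()
    for rule in sg.get("IpPermissions", []):
        if not any(c in WORLD for c in _sources(rule)):
            continue
        if rule["IpProtocol"] == "-1":
            return []  # everything is reachable; audit_security_group flags this separately
        for p in range(rule["FromPort"], rule["ToPort"] + 1):
            covered.add((rule["IpProtocol"], p))
    return sorted(f"{proto}/{port}" for proto, port in required_public - covered)


def _rule(proto, lo, hi, *cidrs):
    """Constructed helper: build one IpPermissions entry."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c]}


# Constructed sample: required ports only, SSH limited to an admin range.
SAFE_SG = {"GroupName": "access-server-default", "IpPermissions": [
    _rule("tcp", 22, 22, "203.0.113.0/24"),
    _rule("tcp", 443, 443, "0.0.0.0/0"),
    _rule("tcp", 943, 943, "0.0.0.0/0"),
    _rule("udp", 1194, 1194, "0.0.0.0/0"),
]}

# Constructed sample: an over-permissive group ("allow all" plus SSH from anywhere).
OPEN_SG = {"GroupName": "wide-open", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    _rule("tcp", 22, 22, "0.0.0.0/0"),
]}

# Constructed sample: the UDP listener was forgotten, so clients can only use TCP.
PARTIAL_SG = {"GroupName": "tcp-only", "IpPermissions": [
    _rule("tcp", 443, 443, "0.0.0.0/0"),
    _rule("tcp", 943, 943, "0.0.0.0/0"),
]}

if __name__ == "__main__":
    for sg in (SAFE_SG, OPEN_SG, PARTIAL_SG):
        print(sg["GroupName"], audit_security_group(sg), missing_required(sg))
```

The two checks pull in opposite directions on purpose: `audit_security_group` catches the group that is too open, `missing_required` catches the group that is too tight to let clients in. Feeding it real data is a matter of loading the `SecurityGroups[*]` entries from the CLI's JSON output instead of the constructed samples.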

Re: Access server - public or private subnet?

Posted: Fri Jun 03, 2022 2:23 pm
by jerryv
Johan - thanks for the detailed reply, and elastic IP recommendation!