Hello, at my company we have resources in two major clouds (AWS and Azure), plus on prem.
Right now, RAvpn is terminated on a ASA HA pair on prem and tunneled to AWS and Azure via IPSEC.
We are planning to terminate the vpn in the cloud, while retaining access to the aforementioned resources. Reason is, most of our users traffic goes to the cloud and we want the user to access the closest regional VPN gateway. Anyconnect is preferrable to reduce the administrative burden (namely, we have Anyconnect and would rather not have to migrate).
The Cisco proposed solution consists of several ASAv deployed in AWS and Azure, next to a dedicated HA pair on prem (https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-mobility/secure-remote-worker-design-guide.pdf page 16). While this would work, it appears to present a substantial management overhead. Additionally, connectivity is not via a single point of access: one gw for on prem, one for AWS, one for Azure. This requires the user to connect to the right gw based on destination.
What I envision:
- user connects via Anyconnect to vpn.mycompany.com, ends up on the closest gateway via geolocation
- user is Authenticated (in our case via Azure AAD)
- user is Authorized: gets assigned Access Packages via Azure AD and is able to access only specific resources based on the access packages assigned (AWS only, AWS+On Prem, etc.)
- user traffic is routed to Azure, AWS, on prem transparently (via IPSec or whatever from vpn.mycompany.com to the other vpcs)
I guess this can be done by setting up say an AWS cloud transit of some sort with multiple cloud gateways (ASAv) - loosely based on Cisco's document above - and IPsec to on prem/Azure.
Is there a service doing this transparently? From my understanding, zscaler with private access does, but it's more of a proxy and it would require all company clients to be provided a different software.
I did expect Cisco Umbrella with SWG to offer exactly this, but I see no transparent bridging to AWS and Azure.
Feel free to tell me this is a silly idea or that I am totally missing the point. This is uncharted territory for me, being an old school on-prem vpn chap. Thanks!
No comments:
Post a Comment