Decide on Client VPN Options
Context and Problem Statement
You need to remotely access resources that reside in a private VPC. Different teams or individuals need access to different resources.
Solution
Use AWS Client VPN for remote user access.
Considered Options
Each option below can be integrated with AWS SSO.
Option 1: Deploy 1 Client VPN in the Network Account
Anyone on the VPN should have access to all network services via the Transit Gateway.
Ideal for companies where one team will require access to all accounts and there are no plans to introduce access for other teams.
Pros
- Anyone on the VPN has access to all network services via the Transit Gateway
- Least expensive to operate
- No need to switch networks once connected to the VPN
Cons
- Total access to every account
Option 2: Deploy Multiple Client VPNs Depending on Network Segments in the Network Account
Ideal for companies where certain teams require segmented access to multiple accounts. We define these accounts as a segment.
Pros
- More access control options
Cons
- More expensive to operate
- Deciding on how to segment the network can be a complex decision
- Requires switching VPNs when accessing another account. This is more disruptive to developer workflows.
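As an added illustration of Option 2 (not part of the original decision record), the following Terraform sketches one Client VPN endpoint per segment, each authorizing its segment CIDR only to that segment's SSO group. Every ARN, VPC/subnet ID, CIDR and SSO group ID is a placeholder assumption.

```hcl
# Added example, not from the original ADR: one Client VPN endpoint per network
# segment (Option 2). Every ARN, ID and CIDR below is a placeholder assumption.
variable "segments" {
  type = map(object({
    client_cidr  = string # address pool for VPN clients; must not overlap VPC CIDRs
    target_cidr  = string # the segment's account CIDR, reached through the Transit Gateway
    subnet_id    = string # Network account subnet whose route table points at the TGW
    sso_group_id = string # SSO group allowed onto this segment only
  }))
  default = {
    platform = {
      client_cidr  = "10.250.0.0/22"
      target_cidr  = "10.10.0.0/16"
      subnet_id    = "subnet-PLACEHOLDER"
      sso_group_id = "PLACEHOLDER-SSO-GROUP-ID"
    }
  }
}

resource "aws_ec2_client_vpn_endpoint" "segment" {
  for_each               = var.segments
  server_certificate_arn = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
  client_cidr_block      = each.value.client_cidr
  vpc_id                 = "vpc-PLACEHOLDER"
  split_tunnel           = true # only the segment's route goes through the tunnel
  authentication_options {
    type              = "federated-authentication" # AWS SSO via SAML, as the ADR assumes
    saml_provider_arn = "arn:aws:iam::ACCOUNT:saml-provider/PLACEHOLDER"
  }
  connection_log_options { enabled = false } # turn on with a CloudWatch log group for an audit trail
}
resource "aws_ec2_client_vpn_network_association" "segment" {
  for_each               = var.segments
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.segment[each.key].id
  subnet_id              = each.value.subnet_id
}

# Grant the segment CIDR to the segment's SSO group only (no authorize_all_groups).
resource "aws_ec2_client_vpn_authorization_rule" "segment" {
  for_each               = var.segments
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.segment[each.key].id
  target_network_cidr    = each.value.target_cidr
  access_group_id        = each.value.sso_group_id
}
resource "aws_ec2_client_vpn_route" "segment" {
  for_each               = var.segments
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.segment[each.key].id
  destination_cidr_block = each.value.target_cidr
  target_vpc_subnet_id   = each.value.subnet_id # exits here toward the Transit Gateway
}
```

Adding a second entry to `segments` creates a second endpoint, which is the per-segment cost and the VPN-switching disruption the cons above describe.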
Option 3: Deploy Client VPN(s) Directly in the Accounts Needed
This is required when you know you need very granular access controls that restrict access to specific accounts.
Pros
- Highest level of access control to each account.
Cons
- Most expensive to operate, and the cost grows as more accounts are added
- Requires switching VPNs when accessing another account. This is the most disruptive path to developer workflows.