
Access a VPC-hosted Amazon OpenSearch Service domain with SAML authentication using AWS Client VPN


Customers often want to deploy Amazon OpenSearch Service domains in virtual private clouds (VPCs) and use single sign-on (SSO) with SAML for access management to enhance security. However, setting this up can be challenging.

In this post, we explore different OpenSearch Service authentication methods and network topology considerations. Then we show how to build an architecture to access an OpenSearch Service domain hosted in a VPC using AWS Client VPN, AWS Transit Gateway, and AWS IAM Identity Center.

Solution overview

The following diagram illustrates the solution architecture.

High-level network diagram

The end user authenticates with IAM Identity Center and connects to the AWS environment through Client VPN (the SAML sign-in for the VPN opens in their browser). The traffic is routed from the VPN VPC to the database VPC where the OpenSearch Service domain endpoints are deployed. The user then authenticates to OpenSearch Service through IAM Identity Center. This architecture provides a scalable, enterprise-grade solution that avoids bastion hosts while making sure only authorized users can access your OpenSearch Service domains, and only over a secure VPN connection: the SAML login grants an identity and the VPN grants the network path, so both are required. In the following sections, we walk through the steps to set up IAM Identity Center, configure Transit Gateway to facilitate communication between the VPCs, and configure SAML-based authentication using IAM Identity Center for both OpenSearch Service and VPN access. Prior experience setting up Client VPN, IAM Identity Center, and Transit Gateway is helpful but not necessary to follow along with this post.

OpenSearch Service authentication methods and SAML

OpenSearch Service supports several authentication methods. You can use AWS Identity and Access Management (IAM) to sign requests to the OpenSearch Service configuration API and to the domain (for details, see Making and signing OpenSearch Service requests). However, this doesn't give you a browser sign-in to OpenSearch Dashboards. To sign in to OpenSearch Dashboards, you can use the internal user database of fine-grained access control or Amazon Cognito for authentication and user management. However, these options maintain separate user pools, which adds security and management overhead when adding and removing users.

Therefore, many customers choose to use SAML federation to integrate OpenSearch Service authentication with their existing identity providers like Entra ID, Okta, or JumpCloud. For this post, we use the IAM Identity Center directory as our identity source. One limitation of this approach is that IAM Identity Center custom SAML applications support only identity provider-initiated authentication. This means users must sign in through the IAM Identity Center access portal and open OpenSearch Dashboards from there, rather than starting at the Dashboards URL.

Private network topology options for OpenSearch Service

When deploying OpenSearch Service domains in a private VPC, organizations must establish secure and reliable network connectivity to reach them. AWS offers several networking options that can be implemented individually or in combination to meet specific access requirements: Transit Gateway for centralized network management, AWS Direct Connect or AWS Site-to-Site VPN for on-premises connectivity, and Client VPN for secure remote access. Each option provides distinct benefits, and they can be combined to meet different organizational needs, security requirements, and performance expectations.

AWS Transit Gateway

Transit Gateway functions as a cloud router that simplifies network connectivity by acting as a central hub for connecting VPCs and on-premises networks. Using Transit Gateway with OpenSearch Service enables consolidated access to your OpenSearch Service domain across multiple VPCs and AWS accounts. Through Transit Gateway route tables, you can precisely control traffic flow between attached networks. It supports transitive routing between VPCs and on-premises networks, significantly reducing the number of peering connections needed to reach your OpenSearch Service domain. This centralized approach is a common pattern among customers, and it keeps network management scalable as your infrastructure grows.

AWS Client VPN

With Client VPN, you can securely access your private OpenSearch Service domain through a managed OpenVPN-based solution. Using Client VPN removes the need for a bastion host or proxy server to reach an OpenSearch Service domain, reducing your management burden and improving security. Client VPN supports mutual (certificate-based), Active Directory, and SAML-based federated authentication. Client VPN endpoints can be associated with multiple subnets to provide high availability. The service includes security features such as connection logging, authorization rules, and security group controls.

For more information on VPC connectivity options, refer to the AWS Direct Connect whitepaper.

Combining Client VPN with Transit Gateway provides a scalable and flexible approach to access an OpenSearch Service domain in a private VPC. In the next sections, we walk you through how to integrate the various services.

Prerequisites

If you haven't yet set up IAM Identity Center, refer to Enable IAM Identity Center to enable it. Both organization instances and account instances will work. The Identity Center instance must be deployed in the same AWS Region as your OpenSearch Service domain.

After you set up IAM Identity Center, complete the following steps to create an IAM Identity Center group:

  1. On the IAM Identity Center console, choose Groups in the navigation pane.
  2. Choose Create group and create a group (for this example, we name the group vpn_users).
  3. After you create the group, choose the group name to open its details page.
  4. Locate the group ID under General information. Save it in a text editor; you will use it later for the Client VPN authorization rule.

    IAM Identity Center Group ID
  5. Create a user (or multiple users) and assign them to the vpn_users group. This can be done directly in the user creation flow or after creating the user.

Set up the initial network topology

For this post, we use the network topology shown in the following diagram. One VPC, with CIDR range 10.0.0.0/16, hosts the Client VPN endpoint, and a separate VPC with CIDR range 10.1.0.0/16 hosts the OpenSearch Service domain. The two VPCs are connected with Transit Gateway. The CIDR ranges in your environment may vary. The only requirement is that they can't overlap with each other, and the client CIDR range you assign to the Client VPN endpoint must not overlap with either VPC.

Network topology

Complete the following steps to create the two VPCs using Amazon Virtual Private Cloud (Amazon VPC):

  1. On the Amazon VPC console, choose Create VPC.
  2. Choose VPC and more.
  3. For this post, name the VPC VPN-VPC and use 10.0.0.0/16 for the IPv4 CIDR block.
  4. Choose 3 for the number of Availability Zones.
  5. Choose 0 for the number of public subnets.
  6. Choose 3 for the number of private subnets.
  7. Choose None for the number of NAT gateways.
  8. Choose None for the number of VPC endpoints.

    Initial VPC configuration
  9. Repeat these steps to create the second VPC for the OpenSearch Service domain. Keep the same configuration settings except for the following:
    1. Name: Database-VPC
    2. IPv4 CIDR block: 10.1.0.0/16

Neither VPC has public subnets or a NAT gateway, so nothing inside them has a path to or from the internet; the only way in is through the VPN.

Configure Transit Gateway

Follow the instructions in Create an AWS Transit Gateway using the Amazon VPC Console to create a transit gateway and attach both VPCs to it.

Next, you must update each VPC's route tables to provide connectivity to the OpenSearch Service domain.

  1. On the Amazon VPC console, choose Route tables in the navigation pane.
  2. For VPN-VPC, add a route to the route tables of the subnets associated with the Client VPN endpoint. The destination is 10.1.0.0/16 with the transit gateway as the target. This route lets VPN users reach Database-VPC.

    Route table
  3. For Database-VPC, add a route to the route tables of the subnets where the OpenSearch Service domain endpoint is placed. The destination is 10.0.0.0/16 with the transit gateway as the target. This route lets responses from Database-VPC reach the VPN users. (Client VPN source-NATs client traffic to the endpoint's network interface in the associated subnet, so the return route points at the VPN-VPC CIDR, not at the client CIDR.)

    OpenSearch Route Table

    Next, enable Security Group Referencing support on the transit gateway. This allows the OpenSearch Service domain's security group to open port 443 only to the Client VPN endpoint's security group in the other VPC, instead of to the whole 10.0.0.0/16 range, which keeps the rule at least privilege.

  4. On the Transit Gateway console, select the transit gateway you're using.
  5. On the Actions menu, choose Modify transit gateway.

    Modify TGW
  6. Select Security Group Referencing support and choose Modify transit gateway.

    TGW Security Group Configuration

Configure Client VPN authentication

A Client VPN endpoint can be associated with multiple VPC subnets for high availability. Client VPN supports several client authentication methods. For this post, we use SAML-based authentication with IAM Identity Center.

To set up SAML-based authentication with IAM Identity Center, follow the instructions in Authenticate AWS Client VPN users with AWS IAM Identity Center. Deploy the Client VPN endpoint and associate it with the private subnets of VPN-VPC.

Configure Client VPN access to the database VPC

During the initial setup of the Client VPN endpoint, you defined an authorization rule that authorizes the vpn_users group to access the VPN-VPC network, 10.0.0.0/16. Complete the following steps to add connectivity to Database-VPC:

  1. On the Amazon VPC console, choose Client VPN endpoints in the navigation pane.
  2. Select the endpoint you created.
  3. In the Authorization rules section, choose Add authorization rule.

    ClientVPN Auth Rules
  4. For Destination network to enable access, enter 10.1.0.0/16 (this is the database VPC).
  5. For Grant access to, select Allow access to all users. To keep this rule as narrow as the first one, you can instead select Allow access to users in a specific access group and enter the vpn_users group ID you saved earlier.
  6. Choose Add authorization rule.

    ClientVPN Add Auth Rule

    After you create the authorization rule, users are authorized for that CIDR range. Next, add an entry to the Client VPN endpoint's route table to provide reachability at the network level; an authorization rule without a route (or a route without a rule) does not grant access.

  7. On the Client VPN endpoints page, select the endpoint you just created.
  8. In the Route table section, choose Create route.

    ClientVPN Route
  9. For Route destination, enter the CIDR range for Database-VPC (10.1.0.0/16).
  10. For Subnet ID for target network association, choose a subnet ID. If the endpoint is associated with more than one subnet, create the same route once for each associated subnet so that the path survives the loss of one Availability Zone.
  11. Choose Create route.

    ClientVPN Create Route

You should see the new route in the Creating state. After it reaches the Active state, VPN users have a network path to the database VPC and can reach the OpenSearch Service domain.

ClientVPN Route Creating State
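
The authorization rule and the route above, together with the two VPC route tables from the Transit Gateway section, are the four places a packet from a VPN client has to be allowed or routed; a gap in any one of them produces the same symptom (an HTTPS connection that hangs), so it helps to check the plan as a whole. The following Python script is an added example, not code from the original post: it encodes the post's CIDRs and the four stages as data, checks that the VPC CIDRs and the client CIDR are disjoint, and traces a sample destination through each stage, reporting the first one that cannot forward. The client CIDR, the transit gateway and subnet IDs, and the endpoint's interface address are placeholder assumptions.

```python
"""Reachability check for the hub-and-spoke path used in this post.

Added example; it is not code from the original post. It models the four
places a packet from a VPN client to the OpenSearch Service domain must be
allowed or routed: the Client VPN authorization rules, the Client VPN
endpoint route table, the VPN-VPC subnet route table, and, for the reply,
the Database-VPC subnet route table. The CIDRs are the ones in the post; the
client CIDR, transit gateway ID, subnet ID and addresses are placeholders.
"""
from ipaddress import ip_address, ip_network

VPN_VPC_CIDR = "10.0.0.0/16"
DB_VPC_CIDR = "10.1.0.0/16"
CLIENT_CIDR = "172.16.0.0/22"               # assumed; the post does not give the client CIDR
TGW_ID = "tgw-0123456789abcdef0"            # placeholder
VPN_SUBNET_ID = "subnet-0123456789abcdef0"  # placeholder: a subnet associated with the endpoint
VPN_ENI_IP = "10.0.1.25"                    # placeholder: endpoint network interface in that subnet


def overlapping(*cidrs):
    """Return the pairs of CIDRs that overlap; Client VPN and TGW both need disjoint ranges."""
    nets = [ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def longest_match(routes, dst):
    """Longest-prefix match over (cidr, target) pairs; None if no route covers dst."""
    addr = ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best


def trace_path(dst, plan, eni_ip=VPN_ENI_IP):
    """Return (reachable, hops). Stops at the first stage that cannot forward.

    eni_ip is the source address the domain sees: Client VPN source-NATs client
    traffic to the endpoint's network interface in the associated subnet, so the
    reply must be routed toward VPN-VPC, not toward the client CIDR.
    """
    hops = []
    if longest_match(plan["authorization_rules"], dst) is None:
        return False, hops + [f"no Client VPN authorization rule covers {dst}"]
    hops.append(f"authorized {dst}")

    hop = longest_match(plan["client_vpn_routes"], dst)
    if hop is None:
        return False, hops + [f"no Client VPN endpoint route covers {dst}"]
    hops.append(f"Client VPN endpoint -> {hop[1]}")

    hop = longest_match(plan["vpn_vpc_routes"], dst)
    if hop is None or not hop[1].startswith("tgw-"):
        return False, hops + [f"VPN-VPC route table has no transit gateway route for {dst}"]
    hops.append(f"VPN-VPC subnet -> {hop[1]}")

    back = longest_match(plan["db_vpc_routes"], eni_ip)
    if back is None or not back[1].startswith("tgw-"):
        return False, hops + [f"Database-VPC route table has no return route for {eni_ip}"]
    hops.append(f"Database-VPC reply -> {back[1]}")
    return True, hops


# The plan the post builds; each VPC's implicit local route is omitted.
PLAN = {
    "authorization_rules": [(VPN_VPC_CIDR, "vpn_users"), (DB_VPC_CIDR, "all users")],
    "client_vpn_routes": [(VPN_VPC_CIDR, VPN_SUBNET_ID), (DB_VPC_CIDR, VPN_SUBNET_ID)],
    "vpn_vpc_routes": [(DB_VPC_CIDR, TGW_ID)],
    "db_vpc_routes": [(VPN_VPC_CIDR, TGW_ID)],
}

if __name__ == "__main__":
    print("overlaps:", overlapping(VPN_VPC_CIDR, DB_VPC_CIDR, CLIENT_CIDR))
    ok, hops = trace_path("10.1.2.3", PLAN)
    print("reachable:", ok)
    for h in hops:
        print("  ", h)
    # Drop the return route to see where the path breaks.
    print(trace_path("10.1.2.3", dict(PLAN, db_vpc_routes=[])))
```

Running it prints the hops for 10.1.2.3 and then shows the failure when the Database-VPC return route is removed. Because Client VPN source-NATs client traffic to the endpoint's network interface, the reply check uses an address in VPN-VPC rather than in the client CIDR, which is also why the post's return route targets 10.0.0.0/16.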

Configure the Client VPN application on your client

Complete the following steps to configure the Client VPN application on your client:

  1. Download the relevant installer for AWS Client VPN for Desktop and install it.
  2. Download and prepare the Client VPN endpoint configuration file.
  3. Open the Client VPN application.
  4. Choose Manage Profile, then choose Add Profile.
  5. Enter a display name and add the VPN configuration file.
  6. Choose Add Profile.

Set up federation between IAM Identity Center and OpenSearch Service

Complete the following steps to set up federation between IAM Identity Center and OpenSearch Service:

  1. Create an OpenSearch Service domain in the database VPC.
  2. Set up the SAML integration between OpenSearch Service and IAM Identity Center. Assign the same groups that you assigned to the Client VPN custom application to the OpenSearch Service custom application.
  3. Modify the security group associated with the OpenSearch Service domain to allow inbound HTTPS (TCP 443) from the Client VPN endpoint's security group. Reference the security group rather than the subnet CIDR; the cross-VPC reference works because you enabled Security Group Referencing support on the transit gateway.
  4. Check the security group of the Client VPN endpoint. Its outbound rules must permit HTTPS (TCP 443) to the domain; the default outbound rule (all traffic) already does this. If you have replaced the default outbound rule, add the following entry:
    1. Type: HTTPS
    2. Destination: Custom, referencing the security group of the OpenSearch Service domain
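
To verify that the two groups really implement the least-privilege pairing described in steps 3 and 4, it is worth auditing them rather than trusting the console view. The following Python script is an added example, not code from the original post: it takes security group descriptions in the shape the EC2 DescribeSecurityGroups API returns (constructed inline so it runs offline; in practice you would feed it the output of describe-security-groups) and flags any inbound rule on the domain's group other than TCP 443 from the Client VPN group, including the common mistake of allowing the VPN VPC's CIDR instead of the group. It also confirms that the Client VPN group's egress still reaches the domain. The group IDs are placeholders.

```python
"""Least-privilege audit of the two security groups configured in this post.

Added example; it is not code from the original post. It inspects security
group descriptions in the shape EC2 DescribeSecurityGroups returns (constructed
inline here instead of fetched, so it runs offline) and checks that the
OpenSearch Service domain's group admits TCP 443 only from the Client VPN
endpoint's group, and that the Client VPN group's egress can reach the domain
group on 443. The group IDs are placeholders.
"""

DOMAIN_SG = "sg-0aaa0000000000001"  # placeholder: OpenSearch domain SG in Database-VPC
VPN_SG = "sg-0bbb0000000000002"     # placeholder: Client VPN endpoint SG in VPN-VPC


def audit_domain_sg(sg, vpn_sg_id):
    """Return findings; an empty list means only TCP 443 from vpn_sg_id is allowed."""
    findings = []
    allows_vpn_group = False
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        if proto != "tcp" or ports != (443, 443):
            findings.append(f"unexpected permission: protocol={proto} ports={ports}")
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"CIDR source {cidr} on {ports}: reference the Client VPN group instead")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == vpn_sg_id and proto == "tcp" and ports == (443, 443):
                allows_vpn_group = True
            elif pair.get("GroupId") != vpn_sg_id:
                findings.append(f"source group {pair.get('GroupId')} is not the Client VPN group")
    if not allows_vpn_group:
        findings.append("no rule allows TCP 443 from the Client VPN group")
    return findings


def vpn_sg_can_reach_domain(sg, domain_sg_id):
    """True if the Client VPN group's egress permits TCP 443 toward the domain group."""
    for perm in sg.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        covers_443 = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", -1))
        if not covers_443:
            continue
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True  # default allow-all egress is still in place
        if any(p.get("GroupId") == domain_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


# Constructed samples in DescribeSecurityGroups format.
HARDENED_DOMAIN_SG = {
    "GroupId": DOMAIN_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": VPN_SG}]},
    ],
}
LOOSE_DOMAIN_SG = {
    "GroupId": DOMAIN_SG,
    "IpPermissions": [
        # opened to the whole VPN VPC by CIDR rather than to the endpoint's group
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # stray rule exposing 9200 to the world
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
DEFAULT_EGRESS_VPN_SG = {
    "GroupId": VPN_SG,
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}
RESTRICTED_VPN_SG = {
    "GroupId": VPN_SG,
    "IpPermissionsEgress": [
        # egress locked to the local VPC only; the domain in Database-VPC is unreachable
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    print("hardened domain SG:", audit_domain_sg(HARDENED_DOMAIN_SG, VPN_SG))
    print("loose domain SG:", audit_domain_sg(LOOSE_DOMAIN_SG, VPN_SG))
    print("default egress reaches domain:", vpn_sg_can_reach_domain(DEFAULT_EGRESS_VPN_SG, DOMAIN_SG))
    print("restricted egress reaches domain:", vpn_sg_can_reach_domain(RESTRICTED_VPN_SG, DOMAIN_SG))
```

A finding of a CIDR source on 443 is exactly the case Security Group Referencing support exists to remove: once the transit gateway allows cross-VPC references, the domain's rule can name the Client VPN group, so adding VPN subnets or resizing the client range never widens it.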

Test the end-to-end flow

Now you can test the entire flow end-to-end:

  1. Run the Client VPN application on your local machine and connect using the profile that you previously configured.

    The client will prompt you to authenticate with IAM Identity Center in your browser. After authentication, you will see the message "Authentication details received, processing details. You may close this window at any time."
  2. Open your IAM Identity Center access portal URL (you can find it on the IAM Identity Center console, under Dashboard). Sign in as a user assigned to the OpenSearch Service custom application in the previous step.
  3. After authentication, choose the Applications tab in the AWS access portal and choose the OpenSearch Service application.

This should redirect you to the OpenSearch Dashboards page with the role that you assigned. As a negative check, disconnect from Client VPN and repeat step 3: the redirect to the domain's VPC endpoint should fail, confirming that a valid SAML session alone does not give a network path to the domain.

IAM Identity Center - App List

Clean up

After you test the solution, delete the resources you created to avoid incurring future costs:

  1. Delete the OpenSearch Service domain and the SAML applications, users, and groups in IAM Identity Center.
  2. Delete the Client VPN endpoints that you created, then remove the routes and VPC attachments from the transit gateway and delete the transit gateway and the two VPCs.

Conclusion

In this post, we discussed the networking options for securely accessing an OpenSearch Service domain deployed in a private VPC through services like Transit Gateway, Client VPN, and Site-to-Site VPN. We also discussed how to use IAM Identity Center for authentication and authorization, helping you simplify identity management for OpenSearch Service. If you have feedback about this post, provide it in the comments section.


About the authors

Jan Michael Go Tan

Jan Michael is a Principal Solutions Architect for Amazon Web Services. He helps customers design scalable and innovative solutions with the AWS Cloud.

Kevin Low

Kevin is a Security Solutions Architect at AWS who helps the largest customers across ASEAN build securely. He focuses on threat detection and incident response and is passionate about integrating resilience and security. Outside of work, he loves spending time with his wife and dog, a poodle called Noodle.
