Iframely, an all-remote SaaS business, was looking for a convenient but secure way to protect their staging environment without modifying the application itself, which would have made it differ from the live version. They had been using HTTP Basic authentication, which proved cumbersome because it required sharing credentials among all team members (including temporary ones).
They deployed IP-based access restrictions and use ZenVPN dedicated servers with a fixed set of IP addresses to connect to their staging application as well as a back-office application.
It was also important for them not to impose blanket traffic-routing rules on their team members, as most of them use their own hardware for work and some are independent contractors who would not accept that level of client control over their machines. Split tunneling addressed this easily: only project-related traffic is routed via the VPN.
Finally, the company chose to add an extra security layer by also implementing IP whitelisting on the bastion host they use for SSH access to their application servers.
Implementation
For the staging and the back-office application, the IP restriction was implemented using the Nginx ngx_http_access_module. The configuration is rendered from a template in which the list of whitelisted VPN server addresses is expanded into one allow directive per address, followed by a catch-all deny:
# one allow directive per ZenVPN dedicated server address in shield_ips
{% for ip in shield_ips %}
allow {{ ip }};
{% endfor %}
# everything not explicitly allowed above is rejected
deny all;
For the bastion host the restriction was implemented using AWS security groups, with the whitelisted addresses passed in as Terraform variables:
variable "shield_ips" {
  description = "IPv4 egress addresses of the ZenVPN dedicated servers, as /32 CIDR blocks"
  type        = list(string)
}
variable "shield_ipv6s" {
  description = "IPv6 egress addresses of the ZenVPN dedicated servers, as /128 CIDR blocks"
  type        = list(string)
}
resource "aws_security_group" "bastion" {
  name   = "bastion"
  vpc_id = aws_vpc.main.id
  # SSH is reachable only from the VPN servers' fixed addresses
  ingress {
    description      = "SSH from whitelisted ZenVPN addresses"
    protocol         = "tcp"
    from_port        = 22
    to_port          = 22
    cidr_blocks      = var.shield_ips
    ipv6_cidr_blocks = var.shield_ipv6s
  }
}
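As an added example (not from the original case study and not Iframely's or ZenVPN's tooling), a small Python helper that validates the shared shield_ips list before it reaches either configuration, rejecting any entry broader than a single host, and renders the nginx directives and the Terraform CIDR lists from it; the addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample input: the fixed egress addresses of the dedicated VPN
# servers. These are documentation-range placeholders, not real addresses.
SHIELD_IPS = ["203.0.113.10", "203.0.113.11/32", "2001:db8:1::10/128"]


def normalize_shield_ips(entries):
    """Return (ipv4_cidrs, ipv6_cidrs) with every entry as a single-host CIDR.

    Raises ValueError for anything that would widen the whitelist: unparsable
    text, or a block covering more than one address (e.g. 0.0.0.0/0), which
    would silently turn "allow from the VPN" into "allow from anywhere".
    """
    v4, v6 = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=True)
        if net.num_addresses != 1:
            raise ValueError(
                f"{entry!r} covers {net.num_addresses} addresses; "
                "whitelist entries must be single hosts"
            )
        (v4 if net.version == 4 else v6).append(net.with_prefixlen)
    return v4, v6


def render_nginx_access(entries):
    """ngx_http_access_module snippet: one allow per host, then deny all."""
    v4, v6 = normalize_shield_ips(entries)
    lines = [f"allow {cidr};" for cidr in v4 + v6]
    lines.append("deny all;")
    return "\n".join(lines)


def render_tf_cidr_lists(entries):
    """The two HCL list values for the security group's SSH ingress rule."""
    v4, v6 = normalize_shield_ips(entries)

    def hcl_list(items):
        return "[" + ", ".join(f'"{item}"' for item in items) + "]"

    return (f"cidr_blocks      = {hcl_list(v4)}\n"
            f"ipv6_cidr_blocks = {hcl_list(v6)}")


if __name__ == "__main__":
    print(render_nginx_access(SHIELD_IPS))
    print(render_tf_cidr_lists(SHIELD_IPS))
```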
Conclusion
Using ZenVPN with IP-based access restrictions gave this company an unobtrusive way to manage access to their staging and back-office applications and let them focus on developing their core offerings.