klionjay.blogg.se

AWS bastion host vs NAT instance

You will also potentially reduce your costs because AppStream 2.0 has built-in auto-scaling to increase and decrease capacity based on user demand. It allows you to take advantage of the pay-as-you-go model, where you only pay for what you use. The diagram below depicts a high-level AppStream 2.0 architecture used as a bastion host for servers in another VPC. There are three VPCs shown: the AppStream 2.0 VPC, the bastion host VPC, and the application VPC. The AppStream 2.0 VPC is an AWS-owned VPC where AppStream 2.0 maintains its infrastructure.


Because AppStream 2.0 freshly builds instances each time a user requests access, a compromised instance will only last for the duration of a user session. As soon as the user closes their session and the Disconnect Timeout period is reached, AppStream 2.0 terminates the instance and, with it, you’ve reduced your risks of compromised instances.


When a user requests access to an application, AppStream 2.0 uses a base image to deploy a streaming instance and destroys the instance after the user closes their session. This ensures the same consistent experience during each logon. You can use AppStream 2.0 as a bastion solution to enable your system administrators to manage their environment without giving them a full bastion host.


- A Virtual Private Cloud (VPC) with a dedicated subnet for AppStream 2.0.
- An existing Active Directory (AD) domain. This may be on premises, on AWS EC2 for Windows, or AWS Directory Service for Microsoft Active Directory used as a user directory.
- Active Directory Federation Services (ADFS).
- A Linux or Windows instance for which AppStream 2.0 will be acting as a bastion host.

Amazon AppStream 2.0 is a fully managed application streaming service that provides users instant access to their desktop applications from anywhere by using an HTML5-compatible desktop browser.


Update, July 16, 2020: This post was originally published May 2, 2018, and has been updated to clarify some AppStream 2.0 details.

To help protect their assets, many security-conscious enterprises require their system administrators to go through a “bastion” (or “jump”) host to gain administrative access to backend systems in protected or sensitive network segments.

A bastion host is a special-purpose instance that hosts a minimal number of administrative applications, such as RDP for Windows or Putty for Linux-based distributions. All other unnecessary services are removed. The host is typically placed in a segregated network (or “DMZ”), and is often protected with multi-factor authentication (MFA) and monitored with auditing tools. And most enterprises require that the access trail to the bastion host be auditable.

In this post, I demonstrate the use of Amazon AppStream 2.0 as a hardened and auto-scaled bastion host solution by providing only the necessary tools to system administrators that need access to a protected network.








