Having security embedded by design into your architecture is more than just a best practice. It is how anyone should actually start their work in any kind of project in a public, private or hybrid cloud. Veeam Backup for Google Cloud (VBG) is one of the technologies that enables data security and resiliency by backing up and protecting your data running in the cloud. However, VBG itself also resides in that same cloud, and one of the first things to do is make sure it is deployed and accessed in a secure manner. The challenge arises from the need to access the VBG console for configuration and operation activities. The focus of this post is securing this access. In a standard deployment you would have your VBG appliance installed in a VPC, apply firewall rules to restrict access to VBG, and then connect to the console from a web browser over SSL. This connectivity can be done over the Internet or, in some more complex scenarios, over VPN or interconnect links. If you are connecting to VBG over the Internet, you would need to expose VBG using a public IP address and restrict access to that IP address from your source IP. This is the use case that we are treating in this article. Another scenario, using bastion servers and private connectivity, is not treated now; however, the principles and mechanisms learned here can still apply.

As you can easily see, there are some disadvantages in having VBG directly accessed from the Internet. First, VBG is directly reachable from the Internet. Having a firewall rule that limits the source IP addresses allowed to connect to the external IP address of VBG increases the security trust, but it does not apply zero trust principles. We don't know who is hiding behind that allowed source IP address. There is no user identification and authorization in place before the user is allowed to open a session to the VBG console. Anyone connecting from that specific source IP address is automatically trusted. Please mind that we are talking about the connection to the VBG console before any authentication and authorization into VBG is applied. How can we make sure that whoever or whatever is trying to connect to VBG is actually allowed to do it? We want to make sure that whoever tries to enter credentials in the VBG console is identified and has the permissions to do that action. Think of use cases where your user has lost his rights to manage backups, but still has access to the backup infrastructure. You would want a secure and simple way of controlling that access and being able to easily revoke it. In this situation we can use Cloud Identity and Access Management (IAM) and Cloud Identity-Aware Proxy (IAP).

Cloud IAP implements TCP forwarding, which encrypts any type of TCP traffic between the client initiating the session and IAP using HTTPS. In our case we normally connect to the VBG console using HTTPS (web browser). Adding IAP TCP forwarding, the initial HTTPS traffic is wrapped in another HTTPS connection. From IAP to VBG, the traffic is forwarded without that additional layer, i.e. as the original HTTPS session. The purpose of using IAP is to keep VBG connected to private networks only and to control which users can actually connect by using IAM permissions granted to IAM users.
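To turn the point above into something you can check (a source-IP firewall rule trusts an address, not an identity), here is an added Python posture check, not code from the original post: it flags ingress rules that expose the VBG console on tcp/443 from any source other than Google's IAP TCP-forwarding range. The `vbg-console` network tag and the rule list are constructed sample values in the shape of `gcloud compute firewall-rules list --format=json` output.

```python
import ipaddress
import json

# Google's documented source range for IAP TCP forwarding.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
VBG_TAG = "vbg-console"  # assumed network tag on the VBG appliance

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
 {"name": "vbg-from-office", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["203.0.113.10/32"], "targetTags": ["vbg-console"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "vbg-from-iap", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["35.235.240.0/20"], "targetTags": ["vbg-console"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "ssh-anywhere", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["bastion"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")

def _opens_port(rule, port=443):
    """True if the rule's allowed list covers TCP `port` (no ports = all)."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if ports is None:
            return True
        for p in ports:
            lo, _, hi = p.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def non_iap_console_rules(rules, tag=VBG_TAG):
    """Names of enabled ingress rules exposing tcp/443 on `tag` (or on every
    instance) from a source outside the IAP range: an address is trusted, not an identity."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        tags = rule.get("targetTags")
        if (tags and tag not in tags) or not _opens_port(rule):
            continue
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            if net.version != 4 or not net.subnet_of(IAP_RANGE):
                findings.append(rule["name"])
                break
    return findings
```

Feed it the real JSON from your project and every name it returns is a rule that still relies on source-IP trust rather than IAP identity.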