Securing application access without a VPN, using a CloudFront distribution with Lambda@Edge functions forcing OAuth authentication with Azure or Github
2. Allan Denot
➔ 5 years working as DevOps and AWS
➔ Senior DevOps Engineer at amaysim
➔ Master in IT from University of Sydney
➔ Former Ansible “expert”
➔ Currently doing Docker, ECS, CI/CD and Serverless
@denot allandenot.com
11. Protected API Endpoints
[Diagram: automated test clients in the Internal VPC and in QA make an API call to CloudFront with Lambda and receive a 302 Redirect to OAuth]
12. Protected API Endpoints
Requirements
➔ Protected from public
➔ Can’t use API Tokens or header authentication
   - keep consistency with production
➔ Known sources should have direct access
13. Solution #2
Protected API Endpoints
[Diagram: automated test clients in the Internal VPC and in QA make an API call to CloudFront with Lambda, backed by DynamoDB, and receive 200 OK]
15. Flow
[Sequence diagram: Client, CloudFront with Lambda@Edge, OAuth Provider, DynamoDB]
➔ Client requests webpage from CloudFront
➔ Lambda@Edge asks DynamoDB: IP exists? If not, 302 Redirect to OAuth Endpoint
➔ Client authenticates with OAuth Provider (can include multiple interactions)
➔ OAuth Provider: 302 Redirect to CALLBACK_URL with client code
➔ Client requests CALLBACK_URL with client code
➔ Lambda@Edge checks code is valid with OAuth Provider, stores IP in DynamoDB
➔ 200 Allow and set cookie