Embodiments presented herein relate to cloud-based computing environments. More specifically, embodiments presented herein relate to providing secure access to applications executing on virtual machines accessed over public facing networks.
Infrastructure as a service (IaaS) or cloud computing generally refers to the provision of scalable computing resources as a service over a network. More formally, cloud computing may be defined as a computing capability that provides an abstraction between the computing resource and its underlying technical architecture (e.g., servers, storage, networks), enabling convenient, on-demand access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing may provide a user with a variety of virtual computing resources (e.g., compute, storage, and applications). Cloud providers may also allow clients to instantiate virtual machine instances, i.e., virtualized computing servers, within “the cloud,” without regard for the underlying physical systems (or the locations of those systems) used to provide the virtualized computing server.
Given the ease with which virtual machine instances can be created and scaled, cloud computing provides an enterprise with easy access to large amounts of computing power without requiring investment in large numbers of physical server systems. Further, even where smaller amounts of resources are needed, cloud computing provides an approach that does not require an enterprise to purchase, configure, and maintain a physical computing infrastructure. As a result, many enterprises have moved (or are interested in moving) applications to cloud-based hosting services.
Virtual machine instances running on a publicly available infrastructure as a service (IaaS) offering or on a cloud-based deployment are typically provisioned with a single, publicly accessible network interface and IP address. That is, the network address of the virtual machine instance is typically reachable by the public at large. At the same time, enterprises may wish to move to a cloud-based deployment a suite of intranet-based applications that lack user authentication or secure communication mechanisms. However, such applications may have been developed to run only inside an enterprise intranet, and exposing them over a publicly routable IP address results in unacceptable security risks.
While such applications might be modified to support username/password (or other) authentication mechanisms, doing so requires modifying an existing code base, which in the case of a commercial application may not even be possible. Even where such modification is possible, the resulting authentication mechanism remains susceptible to weak passwords and other vulnerabilities. In addition, if the existing application does not support encrypted communications, this support would need to be added as well.