awslabs / scale-out-computing-on-aws

Scale-Out Computing on AWS is a solution that helps customers deploy and operate a multiuser environment for computationally intensive workflows.
https://awslabs.github.io/scale-out-computing-on-aws-documentation/
Apache License 2.0
124 stars 59 forks source link

Making SOCA application accessible only within VPC/via VPN #100

Closed mission-coliveros closed 6 months ago

mission-coliveros commented 1 year ago

Is your feature request related to a problem? Please describe. We've deployed this solution for a customer who is worried about making the application accessible to the general internet. We're trying to understand if there is a recommended approach on how to completely disable public access to the application, and replace the internet-facing ALB with a public one.

Describe the feature you'd like

Additional context In the meantime, we have a lot of urgency to get the system up and running, without exposing the app to dozens of /32 CIDRs in our SG rules. I was hoping we could limit access to our VPN security groups, as well as our VPN endpoint/VPC CIDRs, but this doesn't enable access to the cluster.

ahmedelz commented 1 year ago

I assume you meant "replace the internet-facing ALB with a private one".

SOCA already supports deploying the ALB and the scheduler instance in a private subnet.

This requires use of an existing VPC and existing private subnets that have an outbound path to public internet. The outbound path to public internet can be via NAT Gateway in public subnets of the VPC or via an on-prem proxy where the default route of the VPC goes to the VGW. This outbound path is required because the scheduler needs to download packages (operating system updates, OpenPBS, OpenMPI, etc..) from public internet. Also, there is an assumption that the VPC would be connected to the on-prem network via a VPN tunnel, transit gateway, or a direct connect. Otherwise the ALB wouldn't be reachable from the on-prem network.

If the above conditions are satisfied, all you need to do is change the value of entry_points_subnets to Private in https://github.com/awslabs/scale-out-computing-on-aws/blob/main/installer/default_config.yml#L4

mcrozes commented 7 months ago

Hey @mission-coliveros -

Can you please review @ahmedelz 's answer and let me know if anything else is needed?