Modern AWS architectures avoid exposing networks and instead focus on intent-based access:
- Application access
- Administrative access
- Controlled network access
This reference architecture demonstrates three secure access patterns from on-prem to AWS using:
- AWS Client VPN
- EC2 Instance Connect Endpoint
- AWS Verified Access
Each pattern serves a distinct purpose and should be used together—not interchangeably.
Architecture Context
The VPC contains:
- Private EC2 instances
- Private RDS databases
- Internal Application Load Balancer
- No public subnets for compute
- No inbound SSH or database ports
Remote users enter AWS only through explicit access services.
Flow 1: Application Access via AWS Verified Access
Use Case
Secure access to private web applications without VPN or public exposure.
Flow
Key Characteristics
- Identity-based access
- No network-level trust
- No VPC-wide visibility
- No public ALB required
Flow 2: Administrative EC2 Access via EC2 Instance Connect Endpoint
Use Case
Secure SSH access to private EC2 instances without bastion hosts or public IPs.
Flow
Key Characteristics
- IAM-based authentication
- Short-lived access
- No inbound SSH rules
- Fully auditable
Flow 3: Network-Level Access via AWS Client VPN
Use Case
Broad access to private AWS resources such as databases, internal APIs, or legacy tools.
Flow
Key Characteristics
- Encrypted tunnel
- Route-based access
- Subnet-level reachability
- Works well for legacy workflows
VPN vs Verified Access (When to Use What)
This is a common design decision, and the wrong choice often leads to overexposure.
Comparison Table
| Aspect | AWS Client VPN | AWS Verified Access |
|---|---|---|
| Access Model | Network-level | Application-level |
| Trust Boundary | VPC/Subnet | Identity & policy |
| User Sees Network | Yes | No |
| VPN Client Required | Yes | No |
| Best For | DBs, legacy apps, tools | Web apps, dashboards |
| Lateral Movement Risk | Higher | Very low |
| Zero Trust Alignment | Partial | Strong |
Simple Rule of Thumb
If users need a network → VPN
If users need an app → Verified Access
Why These Services Work Best Together
| Requirement | Service |
|---|---|
| Internal web applications | AWS Verified Access |
| EC2 administration | EC2 Instance Connect Endpoint |
| Database / legacy access | AWS Client VPN |
This layered approach ensures:
- No over-privileged access
- Clear separation of concerns
- Reduced blast radius
- Easier audits and compliance
Security Best Practices Highlighted
- No public EC2 or RDS
- No inbound SSH from on-prem
- IAM-driven access
- Explicit access entry points
- Multi-AZ design
Final Thoughts
Secure remote access to AWS is not about choosing one tool.
It’s about:
- Matching access method to intent
- Avoiding unnecessary network exposure
- Enforcing identity at the entry point
By combining:
- AWS Verified Access
- EC2 Instance Connect Endpoint
- AWS Client VPN
you get a secure, scalable, and least-privilege remote access model from on-prem to AWS.
Top comments (0)