AWS: Reference Network Architecture
Amazon Web Services (AWS) provides great flexibility in configuring infrastructure. We provide a basic reference architecture to assist administrators with deploying a secure network within a VPC that follows our best practices.
The objective is to minimize any attack surface and to bring a layered approach to security that delivers a high level of isolation.
Technical Overview
At a high level, this consists of:
- One Public subnet hosting a NAT Gateway with an Elastic IP and an Internet Gateway allowing for egress to the public Internet
- One Private subnet hosting a Twingate Connector with egress to the NAT Gateway. This subnet hosts internal resources that you can define access control policies for through the Twingate Admin Console.
Notes
- Routing and security groups should prevent any inbound connections into the VPC.
- The NAT Gateway is the only resource with a public IP address. We recommend placing it in a subnet that contains no private resources in order to reduce the attack surface.
- The Twingate Connector will access the Twingate Relay infrastructure using an outbound connection through the NAT Gateway. No inbound connections are required.
- The Twingate Connector can reach private resources within the private subnet (TCP, UDP, ICMP) and access can be further tuned by network administrators.
- Minimal configuration is required for this architecture, so AWS resource costs should be low while it still provides a high degree of protection.
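The notes above amount to a few checkable invariants: the public subnet's default route goes to the Internet Gateway, the private subnet's default route goes to the NAT Gateway (never straight to the Internet Gateway), and the Connector's security group has egress but no inbound rules. The following audit is an added example, not Twingate's or AWS's own code; it works on dictionaries shaped like boto3's describe_route_tables and describe_security_groups output, and all IDs and sample data are constructed.

```python
"""Audit a VPC layout against the reference architecture:
private subnet egresses via NAT Gateway, public subnet via Internet
Gateway, Connector security group allows no inbound traffic."""


def default_route_target(route_table):
    """Return (kind, id) for the 0.0.0.0/0 route: ('nat', ...), ('igw', ...)
    or (None, None) when no default route exists."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue  # the 'local' VPC route and others are not default routes
        if "NatGatewayId" in route:
            return "nat", route["NatGatewayId"]
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw", route["GatewayId"]
    return None, None


def audit(public_rt, private_rt, connector_sg):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    if default_route_target(public_rt)[0] != "igw":
        findings.append("public subnet default route must point at the Internet Gateway")
    if default_route_target(private_rt)[0] != "nat":
        findings.append("private subnet default route must point at the NAT Gateway")
    if connector_sg.get("IpPermissions"):  # inbound rules present
        findings.append("connector security group must have no inbound rules")
    if not connector_sg.get("IpPermissionsEgress"):
        findings.append("connector security group needs an egress rule to reach the NAT Gateway")
    return findings


# Constructed sample data (IDs are placeholders, not real AWS resources).
PUBLIC_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]}
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"}]}
# Misconfigured variant: the private subnet was routed straight to the Internet Gateway.
LEAKY_PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                               {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]}
CONNECTOR_SG = {"IpPermissions": [],
                "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print("good layout:", audit(PUBLIC_RT, PRIVATE_RT, CONNECTOR_SG) or "OK")
    print("leaky layout:", audit(PUBLIC_RT, LEAKY_PRIVATE_RT, CONNECTOR_SG))
```

In a live account, pass the dictionaries returned by boto3's ec2 client for the two subnets' route tables and the Connector's security group.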
Deployment through Terraform
We provide a Terraform configuration for this architecture documented at our Terraform AWS Deployment Guide.
Production considerations
Please note we always recommend deploying a minimum of 2 Twingate Connectors for a production environment to provide for redundancy. Additional Connectors may be deployed to provide increased capacity for users accessing resources via the Twingate network.