Secure Remote Access to AWS Resources from On-Premises
Source: Dev.to
Modern AWS architectures avoid exposing networks and instead focus on intent‑based access:
- Application access
- Administrative access
- Controlled network access
This reference architecture demonstrates three secure access patterns from on‑premises to AWS using:
- AWS Client VPN
- EC2 Instance Connect Endpoint
- AWS Verified Access
Each pattern serves a distinct purpose and should be used together—not interchangeably.
Architecture Context
The VPC contains:
- Private EC2 instances
- Private RDS databases
- Internal Application Load Balancer
- No public subnets for compute
- No inbound SSH or database ports
Remote users enter AWS only through explicit access services.
Flow 1: Application Access via AWS Verified Access
Use Case
Secure access to private web applications without VPN or public exposure.
Flow
Key Characteristics
- Identity‑based access
- No network‑level trust
- No VPC‑wide visibility
- No public ALB required
Flow 2: Administrative EC2 Access via EC2 Instance Connect Endpoint
Use Case
Secure SSH access to private EC2 instances without bastion hosts or public IPs.
Flow
Key Characteristics
- IAM‑based authentication
- Short‑lived access
- No inbound SSH rules
- Fully auditable
Flow 3: Network‑Level Access via AWS Client VPN
Use Case
Broad access to private AWS resources such as databases, internal APIs, or legacy tools.
Flow
Key Characteristics
- Encrypted tunnel
- Route‑based access
- Subnet‑level reachability
- Works well for legacy workflows
VPN vs Verified Access (When to Use What)
Comparison Table
| Aspect | AWS Client VPN | AWS Verified Access |
|---|---|---|
| Access Model | Network‑level | Application‑level |
| Trust Boundary | VPC/Subnet | Identity & policy |
| User Sees Network | Yes | No |
| VPN Client Required | Yes | No |
| Best For | DBs, legacy apps, tools | Web apps, dashboards |
| Lateral Movement Risk | Higher | Very low |
| Zero Trust Alignment | Partial | Strong |
Simple Rule of Thumb
- If users need a network → VPN
- If users need an app → Verified Access
Why These Services Work Best Together
| Requirement | Service |
|---|---|
| Internal web applications | AWS Verified Access |
| EC2 administration | EC2 Instance Connect Endpoint |
| Database / legacy access | AWS Client VPN |
This layered approach ensures:
- No over‑privileged access
- Clear separation of concerns
- Reduced blast radius
- Easier audits and compliance
Security Best Practices Highlighted
- No public EC2 or RDS instances
- No inbound SSH from on‑premises
- IAM‑driven access
- Explicit access entry points
- Multi‑AZ design
Final Thoughts
Secure remote access to AWS is not about choosing one tool. It’s about:
- Matching the access method to intent
- Avoiding unnecessary network exposure
- Enforcing identity at the entry point
By combining:
- AWS Verified Access
- EC2 Instance Connect Endpoint
- AWS Client VPN
you get a secure, scalable, and least‑privilege remote access model from on‑premises to AWS.