How Can My Dev Team Access Cloud Resources Securely Without Cloud Accounts?

Asked By TechExplorer42 On

Hey everyone! I'm on a mission to create a secure and cloud-agnostic access solution for my development team and could really use your input. Here's what I'm aiming for: I want my developers to access specific cloud resources, like VMs and internal services, **without the need for creating cloud user accounts**, such as IAM or Active Directory accounts.

Ideally, they would connect with a client, something like a VPN, allowing them seamless and controlled access to the resources assigned to them. I'm looking for solutions that support **identity-based access control** and allow for centralized management of access policies, while also being **cloud-agnostic**, so we aren't locked into one vendor. This should be applicable for SSH access to VMs and accessing internal web services.

So far, I've been trying out **OpenZiti** to set up secure overlays, like mapping `vm.ziti` to a VM's public IP, but I've hit a few bumps along the way. Specifically, I'm having trouble overlaying SSH connections to the public IPs and am not sure if my setup is off or if OpenZiti is the right fit for this use case.

I'm looking for alternative solutions that are easier to set up than OpenZiti but still offer **zero-trust, identity-based access control**. Also, solutions that allow developers to connect via a VPN-like client with access based on policies and **no user account management in the cloud** would be ideal. Any thoughts or experiences with **OpenZiti**, especially concerning SSH access to public IPs, would be greatly appreciated! Thanks for your help!
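One concrete shape the requirements above can take, written here as an added example rather than anything from the original post: a Tailscale ACL policy (HuJSON, which permits comments) in which developers authenticate to the tailnet with their existing identity provider, VMs join as tagged nodes rather than as cloud user accounts, and a single central file decides who may reach SSH on which VMs and which internal web service. Group members, tag names and the hostname are constructed placeholders.

```json
{
  // Developers are identified by their IdP login, not by IAM/AD accounts.
  "groups": {
    "group:dev":    ["alice@example.com", "bob@example.com"],
    "group:admins": ["ops@example.com"]
  },

  // VMs and services join the network as tagged nodes (via an auth key that
  // carries the tag), so no per-developer account exists on the cloud side.
  // Only admins may apply these tags.
  "tagOwners": {
    "tag:dev-vm":       ["group:admins"],
    "tag:internal-web": ["group:admins"]
  },

  // Default deny: only the flows listed here are allowed.
  "acls": [
    // Developers may reach SSH on dev VMs and HTTPS on the internal web tier.
    {
      "action": "accept",
      "src":    ["group:dev"],
      "dst":    ["tag:dev-vm:22", "tag:internal-web:443"]
    },
    // Admins may reach everything on the tagged nodes.
    {
      "action": "accept",
      "src":    ["group:admins"],
      "dst":    ["tag:dev-vm:*", "tag:internal-web:*"]
    }
  ],

  // Tailscale SSH: the identity of the tailnet user is used for the SSH
  // session, so no SSH keys or local accounts have to be distributed.
  // "check" forces a fresh re-authentication before each session.
  "ssh": [
    {
      "action": "check",
      "src":    ["group:dev"],
      "dst":    ["tag:dev-vm"],
      "users":  ["autogroup:nonroot"]
    }
  ]
}
```

Whether a developer can open a session is then decided by this file alone; revoking access means editing the group, not touching the VM or the cloud provider.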

4 Answers

Answered By UserAccessGuru55 On

Consider using Okta SSO for user provisioning with your cloud vendor, then tools like Twingate or Tailscale to create a tunnel to protected resources. AWS SSM or similar services can facilitate instance access. Just be cautious—using too many different tools can create a tangled mess once you scale up.

ScalabilityExpert88 -

That’s a smart setup! Just remember that while it works initially, it can lead to a chaotic system as you grow, with each tool having its lifecycle and policy. We've been looking into a more integrated approach where provisioning and access control are part of a declarative system, which seems more manageable long-term.

Answered By InfraWizard30 On

This is an intriguing discussion! We faced a similar issue where we wanted **identity-based access** without needing full cloud accounts for every dev. OpenZiti is powerful but can get a bit complicated. I’d suggest looking into Tailscale or Teleport; both offer policy-based access without relying on traditional IAM systems. We tackled this by abstracting access completely, making it easier to manage from our side.

CuriousUser99 -

I’d love to hear more about that approach you took! I think Ziti being open-source is useful, but comparing it with Tailscale might be more appropriate with NetFoundry, which has a different angle.

Answered By CloudNinja99 On

I recommend trying out Tailscale for secure access. It's user-friendly and focuses on making remote access straightforward without the complexities that come with other solutions.

Answered By SsecMaverick77 On

I've had great experiences using Teleport in several organizations, and it's worked wonders for me. Tailscale is also an excellent option if you want something lighter on the setup. HashiCorp Boundary is another alternative if you want non-VPN solutions.
