I'm looking for a solid method to secure my frontend URL and backend APIs, ensuring that only users connected through our VPN can access them. Currently, I'm using AWS, and I would appreciate detailed advice on how to implement this securely. Can anyone guide me on the best practices?
5 Answers
If your VPN relies on private IPs in your AWS account, consider creating an internal-facing Application Load Balancer (ALB). If you're using Kubernetes, you can apply AWS-specific annotations to achieve this setup.
To effectively secure your application, consider implementing a two-tier system. Use OAuth2 for authentication on both the API and frontend. Additionally, restrict access to your API and frontend by limiting it to IP addresses associated with your VPN connections. It's crucial to have a solid understanding of your networking setup and how your components interact with the VPN clients to ensure everything remains secure, even if the VPN is compromised.
Make sure your VPC is private and utilize Private Route 53. This will allow you to configure the client to leverage a private DNS server. Some VPN clients can support this configuration, but you might need to adjust the network settings on client machines, which requires higher privileges.
You could just design your setup so that the frontend is only accessible via routes from your VPN server. Avoid assigning public IPs, and you'll significantly bolster your security—this alone can cover about 85% of your needs.
One of the simplest approaches is to block all ports except 80/443 and a few others necessary for public services. Allow access to other ports only through the VPN interface—you can use WireGuard for this. Change your SSH port to something unique to enhance security, and adjust your WireGuard VPN port as well. Essentially, you want everything to be communicated through the VPN to minimize exposure. For authentication, you could set up a login form that's only reachable via the VPN, possibly using Keycloak for user management integrated with an Active Directory.
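The answers above all come down to one verifiable property: nothing reaches the frontend or API except through the VPN client range (plus whatever ports you deliberately leave public, as the last answer allows for 80/443). The script below is an added example, not code from any answer here. It audits the JSON shapes returned by `aws ec2 describe-security-groups`, `aws ec2 describe-instances` and `aws elbv2 describe-load-balancers` for three things the thread recommends: security-group ingress limited to the VPN CIDR on every non-public port, no public IPv4 addresses on instances, and load balancers with `Scheme: internal`. The VPN CIDR, the public-port set and all resource IDs are assumptions, and the sample records are constructed to exercise each check; in real use you would feed it the output of those three CLI calls.

```python
"""
Offline audit of an AWS layout against a "VPN-only" access policy.

Added example (not from the original thread). Input records follow the
shapes of `aws ec2 describe-security-groups`, `aws ec2 describe-instances`
and `aws elbv2 describe-load-balancers`. VPN_CIDR, PUBLIC_OK_PORTS and the
sample resource IDs below are assumptions made for the example.
"""
import ipaddress

# Assumption: VPN clients (WireGuard / AWS Client VPN) are addressed from here.
VPN_CIDR = ipaddress.ip_network("10.200.0.0/16")
# Assumption: ports deliberately exposed to the internet. Use an empty set
# for a strictly VPN-only frontend, {80, 443} for the "public services" case.
PUBLIC_OK_PORTS = {80, 443}


def _rule_ports(perm: dict) -> set:
    """Expand an IpPermission's FromPort..ToPort into a port set; {-1} means all."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return {-1}
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def _rule_sources(perm: dict):
    """Yield every CIDR source on an IpPermission (IPv4 and IPv6 ranges)."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def audit_security_groups(groups: list) -> list:
    """One finding per ingress rule admitting a non-VPN source on a non-public port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = _rule_ports(perm)
            all_ports = ports == {-1}
            for src in _rule_sources(perm):
                # Sources inside the VPN range are what we want; skip them.
                if src.version == VPN_CIDR.version and src.subnet_of(VPN_CIDR):
                    continue
                # Anything else is acceptable only if it is confined to public ports.
                if all_ports or not ports.issubset(PUBLIC_OK_PORTS):
                    port_desc = "all" if all_ports else sorted(ports)
                    findings.append(
                        f"{sg['GroupId']}: ingress from {src} on ports {port_desc} "
                        f"is outside VPN range {VPN_CIDR}"
                    )
    return findings


def audit_instances(reservations: list) -> list:
    """Flag instances carrying a public IPv4 address (describe-instances shape)."""
    findings = []
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("PublicIpAddress"):
                findings.append(f"{inst['InstanceId']}: has public IP {inst['PublicIpAddress']}")
    return findings


def audit_load_balancers(lbs: list) -> list:
    """Flag ALBs/NLBs whose Scheme is not internal (describe-load-balancers shape)."""
    return [f"{lb['LoadBalancerName']}: scheme is {lb.get('Scheme')}"
            for lb in lbs if lb.get("Scheme") != "internal"]


def run_audit(groups: list, reservations: list, lbs: list) -> list:
    """Combine the three checks into one list of findings."""
    return (audit_security_groups(groups)
            + audit_instances(reservations)
            + audit_load_balancers(lbs))


# Constructed sample data in the shape the three CLI calls return.
SAMPLE_SGS = [
    {"GroupId": "sg-frontend", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.200.0.0/16"}]},      # fine: VPN clients only
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # bad: SSH open to the world
    ]},
    {"GroupId": "sg-api", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # bad: all ports
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # allowed by PUBLIC_OK_PORTS
    ]},
]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-frontend", "PrivateIpAddress": "10.0.1.10"},
    {"InstanceId": "i-api", "PrivateIpAddress": "10.0.1.20", "PublicIpAddress": "203.0.113.7"},
]}]
SAMPLE_LBS = [
    {"LoadBalancerName": "frontend-alb", "Scheme": "internal"},
    {"LoadBalancerName": "api-alb", "Scheme": "internet-facing"},
]

if __name__ == "__main__":
    for f in run_audit(SAMPLE_SGS, SAMPLE_RESERVATIONS, SAMPLE_LBS):
        print("FINDING:", f)
```

Run it as a periodic check rather than once: a security group edited by hand or an ALB recreated as internet-facing silently undoes the VPN-only property, and the thread's point about "even if the VPN is compromised" only holds if the network layout still matches what you believe it is. Rules sourced from another security group (`UserIdGroupPairs`) are intentionally not flagged, since they never admit traffic from outside the VPC.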
