Does a VPN requirement kill the concept of having a Web Application in the Cloud

cloud vpn

Recently I posted a question in SO, but so far I got no answers. I wonder if I'm asking the wrong question.

This is the problem:

We need to design an application which offers a public HTTP web service, but at the same time it must consume some services through a VPN connection from another existing company. There is no other alternative but to use a VPN connection to access those services. We want to host our application in some cloud infrastructure like Heroku or Amazon EC2. But there is no direct way to access the VPN services of the other company from there.

The solution I'm thinking of, but don't like, is to have a different server expose the services from that VPN. But this will require the setup of another server, which I would prefer to avoid. In case this is the solution, can I use an Amazon EC2 instance to connect to a VPN?
This is what I was thinking; is it correct?

I don't have experience using VPNs, tunnels or that kind of networking stuff. I would really appreciate it if you could propose an alternative solution, or just give me a comment.

Best Answer

Are the services you're accessing Web Services, or something else?

If they are web services, then what you've described in your non-ideal setup would work quite well. You would set up a 3rd server that would act as a proxy for your web services, accepting requests from your "cloud" server, and tunneling them over the VPN to the corporate network (This is called a "reverse proxy").

Slapping on SSL (even self-signed would do as you only have to trust yourself) and only permitting the IP address of your "cloud" server through the firewall would even keep it pretty secure, but you're right in that it's a lot of additional management overhead (although I've done similar things myself in the past, and once they're running you can usually just leave them alone for years at a time).

What I would suggest is finding a "cloud" provider (I use the term loosely, as a "cloud" server is really just a VPS bundled with a few other external technologies) where you have full administrator/root access to the machine and then create a VPN the way you would normally.

This will probably cost a small amount more than other options, but is probably worth it in the long run.
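
The reverse proxy setup described in the answer above, sketched as an nginx configuration. This is an added example, not part of the original answer. It assumes nginx runs on the third, VPN-connected server and that the cloud server has a static public IP; every address, hostname and path in it is a placeholder.

```nginx
# Added example: reverse proxy on the VPN-connected server.
# All addresses, hostnames and file paths are placeholders (assumptions).

server {
    listen 443 ssl;
    server_name proxy.example.net;          # hypothetical name of the proxy host

    # A self-signed certificate is enough here because the only client is
    # your own cloud server, which should trust exactly this certificate.
    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the cloud server may use the proxy; all other sources are refused.
    allow 203.0.113.10;                     # placeholder: cloud server's public IP
    deny  all;

    # Forward only the path the application needs into the VPN.
    location /partner-api/ {
        # placeholder: the other company's web service, reachable over the VPN
        proxy_pass            http://10.8.0.20:8080/;
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }

    # Nothing else is forwarded to the partner network.
    location / {
        return 404;
    }
}
```

The `allow`/`deny` pair only filters at the web server; the same source-IP restriction belongs on the host firewall as well, as the answer suggests, so that port 443 is not reachable from anywhere else.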
