In this short discussion, I would like to highlight a common requirement for enterprises that need to connect their users both to public cloud infrastructure and to on-prem data centers. This has to be done efficiently and securely. Some of the common requirements I hear are:
I should be able to use any combination of Identity Providers of my choice over SAML or Active Directory, for example:
- Okta
- Duo
- AD
- Google Identity Platform (IdP)
- Microsoft OneLogin
and have capabilities such as:
- Multi-factor authentication (MFA)
- GeoLocation awareness, so that the user connects to the network from the closest entry point. For example, if a user is in Germany, use London to connect to the VPN, but if the user is in Tennessee, use New York to log in.
- Not every user is the same: you have Employees, Contractors and Partners, and each profile has different needs. Some need access only to an Azure VNet, some need access to multiple VPCs and VNets, whereas most employees should be able to access everything and also use Direct Connect or ExpressRoute to reach on-prem resources.
- Integrate a NextGen Firewall such as Palo Alto Networks VM-Series, Fortinet FortiGate or Check Point to inspect user traffic before it reaches any application.
- Operational visibility to be able to troubleshoot, look at logs, take packet captures and so on.
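The geo-aware entry-point selection and the per-profile, least-privilege access rules above, modelled as a small added example (not Aviatrix or OpenVPN code): the entry-point coordinates and the profile-to-network mapping are constructed assumptions, and everything not explicitly granted is denied.

```python
# Added example (not Aviatrix or OpenVPN code): a model of two requirements
# above, profile-based least-privilege access and nearest-entry-point selection.
from math import radians, sin, cos, asin, sqrt

# Constructed sample VPN entry points (city -> latitude, longitude).
ENTRY_POINTS = {
    "London": (51.51, -0.13),
    "New York": (40.71, -74.01),
}

# Constructed profile policy: the network classes each user profile may reach.
# "on-prem" stands for data-center reachability over Direct Connect/ExpressRoute.
PROFILE_POLICY = {
    "employee": {"azure-vnet", "aws-vpc", "on-prem"},
    "contractor": {"azure-vnet"},
    "partner": {"azure-vnet", "aws-vpc"},
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def nearest_entry_point(user_location):
    """Pick the VPN entry point closest to the user's (lat, lon)."""
    return min(ENTRY_POINTS, key=lambda city: haversine_km(user_location, ENTRY_POINTS[city]))


def authorize(profile, mfa_passed, network_class):
    """Deny by default: failed MFA, unknown profiles and unlisted networks all fail."""
    if not mfa_passed:
        return False
    allowed = PROFILE_POLICY.get(profile, set())
    return network_class in allowed


if __name__ == "__main__":
    berlin, nashville = (52.52, 13.40), (36.16, -86.78)  # constructed user locations
    print(nearest_entry_point(berlin), nearest_entry_point(nashville))
    print(authorize("contractor", True, "aws-vpc"), authorize("employee", True, "on-prem"))
```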
These requirements are common across several customers I have talked to. The following design using Aviatrix Controller and UserVPN (based on OpenVPN) is what helps them achieve the goals set out above.