This document provides information on how to deploy PrivX to Amazon Web Services infrastructure.

Reference architecture components

  1. PrivX instance is the host the PrivX service runs on. A suitable starting point is an AWS T2 Medium instance (2 vCPUs, 4 GB RAM) running RHEL. A minimum of 2 PrivX instances is required for high availability; scalability is achieved by deploying additional PrivX instances.
  2. PrivX VPC contains the running PrivX instances.
  3. AWS Elastic Load Balancer distributes HTTP and HTTPS traffic across the PrivX instances. Sticky sessions must be enabled.
  4. AWS RDS is used for persistence. A suitable starting point is a production PostgreSQL t2.medium database server with 100 GB of storage.
  5. AWS ElastiCache is used for triggering internal content updates (the update timestamps are stored in the cache); use a cache.t2.micro with 2 replicas.
  6. AWS EFS is used for audit trail storage; standard performance with zone redundancy is recommended, and the size depends on usage.
  7. AWS API: if configured to do so, PrivX indexes all computing resources from AWS and presents them as connectable targets.
  8. PrivX Extender is deployed to a VPC and establishes a secure websocket control connection back to PrivX. It routes traffic from PrivX to target hosts within the VPC.
  9. Target VPC is a network containing target hosts which have no publicly accessible addresses.
  10. Publicly accessible target hosts can be accessed directly from PrivX via SSH/RDP when they have an address the PrivX instance can connect to.

Connections

A. Administrators, end users and API clients always access PrivX via HTTPS:443. HTTP:80 is required for Windows CRL checks and redirects to HTTPS.
B. All PrivX internal communication, including connections from the Application Gateway to application nodes, is over HTTPS:443.
C. The PrivX Extenders establish secure websocket connections back to PrivX instances; subsequent connections from the Extender to target hosts use SSH/RDP.
D. PrivX can access target hosts directly via SSH/RDP.
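The connection matrix above (A-D, plus the RDS and EFS dependencies from the component list) is what the security groups of the PrivX, Extender, load balancer, target, RDS and EFS resources should encode. The following is an added example, not code from PrivX or SSH Communications Security, that audits a set of security-group ingress rules against that matrix. The role names, the sample rule sets and the RDS/EFS flows (PrivX only) are assumptions of this example; so are the port numbers the page does not state (22 for SSH, 3389 for RDP, 5432 for PostgreSQL, 2049 for NFS/EFS). The rule shape mimics the IpPermissions entries EC2 returns for describe-security-groups, so the same function can be pointed at real output once the role of each group id is known.

```python
"""Audit security-group ingress rules against the PrivX-on-AWS connection matrix.

Sample data below is constructed for this example, in the shape of the
IpPermissions entries EC2 returns for describe-security-groups.
"""

INTERNET = "0.0.0.0/0"

# Assumed default ports: 22 SSH, 3389 RDP, 5432 PostgreSQL (RDS), 2049 NFS (EFS).
# Allowed sources per (role, port), derived from Connections A-D; the RDS and
# EFS flows are an assumption of this example (PrivX instances only).
ALLOWED = {
    ("elb", 443): {INTERNET},                 # A: users, admins, API clients
    ("elb", 80): {INTERNET},                  # A: CRL checks, redirect to HTTPS
    ("privx", 443): {"elb", "extender", "privx"},  # A, B, C
    ("privx", 80): {"elb"},                   # A
    ("target", 22): {"privx", "extender"},    # C, D
    ("target", 3389): {"privx", "extender"},  # C, D
    ("rds", 5432): {"privx"},                 # assumed
    ("efs", 2049): {"privx"},                 # assumed
}


def audit(groups):
    """Return a list of (group_id, port, source, reason) findings.

    `groups` maps a group id to {"role": ..., "rules": [...]}; each rule has
    FromPort/ToPort and IpRanges (CidrIp) and/or UserIdGroupPairs (GroupId).
    A rule is accepted only if it is a single port from the connection matrix
    and its source is one of the permitted roles (or any CIDR where the matrix
    itself allows the internet).
    """
    role_of = {gid: g["role"] for gid, g in groups.items()}
    findings = []
    for gid, group in groups.items():
        for rule in group["rules"]:
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if lo is None or hi is None or lo < 0 or hi != lo:
                findings.append((gid, f"{lo}-{hi}", "*", "port range too broad"))
                continue
            allowed = ALLOWED.get((group["role"], lo))
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [role_of.get(p["GroupId"], p["GroupId"])
                        for p in rule.get("UserIdGroupPairs", [])]
            for src in sources:
                if allowed is None:
                    reason = "port not in connection matrix"
                elif "/" in src:  # CIDR source; only acceptable where the matrix allows the internet
                    reason = None if INTERNET in allowed else "CIDR source where a security-group reference is expected"
                else:
                    reason = None if src in allowed else "source not permitted for this flow"
                if reason:
                    findings.append((gid, lo, src, reason))
    return findings


# Constructed sample: three rules deliberately violate the matrix.
SAMPLE_GROUPS = {
    "sg-elb": {"role": "elb", "rules": [
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": INTERNET}]},
        {"FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": INTERNET}]},
    ]},
    "sg-privx": {"role": "privx", "rules": [
        {"FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-elb"}, {"GroupId": "sg-extender"}]},
        {"FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": INTERNET}]},  # violation
    ]},
    "sg-extender": {"role": "extender", "rules": []},  # outbound-only, no ingress needed
    "sg-target": {"role": "target", "rules": [
        {"FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-extender"}]},
        {"FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": INTERNET}]},  # violation
    ]},
    "sg-rds": {"role": "rds", "rules": [
        {"FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-privx"}]},
        {"FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-target"}]},  # violation
    ]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print("FINDING:", *finding)
```

Run against the sample, the audit reports the SSH rule on the PrivX instances (no such flow in the matrix), the RDP rule on the targets opened to a CIDR instead of the PrivX/Extender groups, and the RDS rule that lets target hosts reach the database. The Extender group carries no ingress rules because its websocket control connection is initiated outbound to PrivX:443.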

Disclaimers

This document includes instructions regarding third-party products by Amazon. This blueprint is provided for general guidance only.

The architecture in this blueprint was verified against the Amazon Web Services products current in April 2019. These instructions will need to be adapted when using other versions of Amazon Web Services products.

SSH Communications Security Corporation does not make any warranties as to the accuracy, reliability, or usefulness of these instructions, or guarantee that the content related to third-party products is up to date.

SSH Communications Security Corporation does not provide any warranties regarding third-party products, such as Amazon Web Services, nor provide any support or other services for third-party products.

For instructions about setting up and operating Amazon Web Services products, we always recommend that you consult the official Amazon Web Services documentation intended for the specific version(s) of Amazon Web Services products in your use, and/or directly contact Amazon Web Services representatives or support.