Secure network connectivity across distributed clouds for SMBs

Authored in partnership with Alex Feiszli from Netmaker.

Cloud Networking Challenges for SMBs

With remote work becoming more and more popular in recent years, many small- to medium-sized businesses (SMB) and startups have remote employees and cloud workloads across multiple regions. This can create complex networking challenges that many businesses struggle to solve. The following diagram illustrates complex network configurations as a result.

In these scenarios, there are two primary questions that businesses are asking themselves.

1. How do I enable secure access for all of my developers?

In the ideal world, businesses have dedicated teams and processes to control and monitor access across internal IT systems. Many enterprises spend millions of dollars to do just that.

For startups and SMBs, there is neither the time nor the budget. Consequently, access to cloud resources is often granted through basic SSH keys or by whitelisting a developer IP address.

This is not scalable as the business grows, and it is also problematic from a security standpoint. Virtual machines and cloud resources are often left open to the internet, with little protection in between.

Ideally, a business could control remote access and secure resources with minimal investment, but businesses are unsure about how to address these issues with optimal investment.

2. How do I connect my workloads securely?

It is easy to connect cloud resources within a region securely by using a private virtual private cloud (VPC) address, but what about between regions? Businesses can connect resources using their public IP addresses and firewall rules. However, this is difficult to scale, and has security implications because of the public internet.

Ideally, you could treat cross-cloud resources the same way as those within a VPC, as a single, secure subnet, without having to worry about setting up firewalls.

These challenges are important to solve, but the solution often comes with both cost and complexity.

The VPN (virtual private network) is a known solution that has solved the remote access question for decades. You can connect your users using a VPN gateway, and off they go.

Less common is using the VPN to connect workloads. However, “point-to-point” VPNs are increasing in popularity. Point-to-point VPNs allow you to connect any number of workloads using an overlay network. In the past, businesses avoided using VPNs for this because of their slow speed and complexity, but as you’ll see below, this is no longer such a concern.

WireGuard as a modern VPN solution

While there are many available VPNs, WireGuard is one option which has multiple benefits for startups and SMBs looking to securely connect to a network. Some of its benefits include:

• It is extremely fast, relative to older VPNs like OpenVPN. If configured correctly, WireGuard has a negligible impact on network performance, making it ideal to use with cloud infrastructure.

• It is very simple to configure, allowing users to create complex networks easily.

• It uses a new cryptographic handshake called the Noise Protocol, which is faster and more secure than the traditional SSL/TLS based handshakes.

• It uses more modern and security cryptography (ChaCha20-Poly1305 encryption algorithm).

• Because of its low overhead, WireGuard is deployed on a wide range of devices and platforms, including mobile and embedded systems. In fact, it’s now in the Linux kernel, so it will run on most servers and devices by default

Secure Connectivity Use Cases

By using a WireGuard VPN, businesses can deploy powerful, secure networks as shown in the diagram below.

Some advantages include:

• You can create as many virtual networks as needed (development, production, etc.)

• You can add any of your compute solutions (Droplets, virtual machines, Kubernetes) into a desired network.

• Your resources will continue to work as expected, for example:

• SSH to public IP will work, unless you configure otherwise.

• Internet connectivity from the VM will work fine.

• End user traffic (from the internet to a load balancer to a Droplet) will work fine.

• Connection to other resources (eg managed database) will work as is.

• The virtual network adds an additional private IP address to the resource that can be used for secure communications from anywhere.

• You will be able to securely connect from end clients (e.g. developer laptops) to your cloud resources.

• You will be able to securely connect cloud resources over the internet (e.g. servers, databases).

• You will be able to automate the rollout (e.g. via cloud-init) of new Droplets so they join the VPN network automatically.

• For Kubernetes, you can deploy a VPN gateway and provide access to the cluster’s pod and service networks.

• The system works even behind NAT (network address translation) gateways.

Netmaker for Distributed Cloud Networking

Netmaker is a network management tool built on top of WireGuard. It provides a simple and easy way to set up, configure, and manage WireGuard-based VPNs and overlay networks for SMB users. While managing a small network of devices with WireGuard is easy, it gets complicated at scale, and Netmaker takes away that complexity.

Netmaker is available on the DigitalOcean Marketplace as a 1-click application. It provides the following benefits.

• Automated WireGuard networks

• Secure remote access for employees.

• Secure connections between droplets and kubernetes across regions.

• Secure connections between inter-cloud workloads.

• Gateways to reach external networks.

Netmaker comes with both a community and licensed edition. It is fairly easy to get started with Netmaker. Here is an 8 min walkthrough video that will help you set up a secure virtual network using Netmaker. DigitalOcean customers can get a 50% discount for DigitalOcean customers with promo code DIGITALOCEAN2023 (valid through December 2023), so you can start using it today!