Enforce VPN access to restricted area of our SaaS

Will Taylor

6/13/23, 2:12 PM

Our Enterprise clients for our SaaS have sensitive data inside their account, and would like to make sure their team are only accessing their accounts on our platform via their existing VPN solutions.

How do we enforce this?

IP whitelisting
Allow them somehow to set up a VPC to avoid connections going onto the internet? Is this something like AWS PrivateLink?

This is where I quickly get out of my depth.

Ideally, I would be looking for a service where customers can set up the connection from their private network to their account on our SaaS without our intervention. Does such an option exist?

More detail on our setup

Our main SaaS app is a single instance of a Ruby on Rails app and Ruby on Rails API hosted on Heroku.

Users currently connect by logging into the website, where we authenticate via Auth0, which stores the user credentials in their session.

0 + 0

vpn

Appleoddity

6/13/23, 3:08 PM

There are many ways to accomplish this. But you haven’t provided enough information about your hosted app to even begin to offer options. Start by clarifying your post and providing enough information about how and where your app is hosted, how clients connect now, etc.

Will Taylor

6/13/23, 4:04 PM

Thanks, @Appleoddity - is this sufficient? Appreciate the help!

Score:1

Server

drookie

6/14/23, 7:55 AM

These SaaSes of yours don't really explain anything, it's like mentioning "I have a computer" all the time.

But judging from my experience, enforcing VPN access is mostly done by implementing IP filters or, if you use Web-applications, by implementing HTTP-based filters in the web servers, returing 403 status pages for clients that attempt to access the application from the outer world.

For nginx it would be something like that:

server {
    my protected.from.outer.world.site;
    listen 80;

    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    deny all;

    location / {
        ...
    }
}

And IP filtering for non-HTTP-based applications and services.

0 + 0

Will Taylor

6/14/23, 12:40 PM

Thanks Drookie.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Enforce VPN access to restricted area of our SaaS

TH: บังคับใช้การเข้าถึง VPN ไปยังพื้นที่จำกัดของ SaaS ของเรา

RO: Implementați accesul VPN în zona restricționată a SaaS

RU: Обеспечьте доступ VPN к ограниченной области нашего SaaS

VI: Thực thi quyền truy cập VPN vào khu vực hạn chế của SaaS của chúng tôi

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.