The GeoSpock database in VPCs without internet

The GeoSpock database can be installed on an AWS VPC that does not contain an internet gateway.

This lets you meet security compliance rules that require isolation from the public internet. However, several requirements must be met in order to use the private VPC setup.

Private VPC

The VPC supplied to the deploy machine when deploying GeoSpock Database in a setup without internet access must fulfill the following conditions:

The VPC must not have:

  • an internet gateway
  • subnets with NAT gateways.

The VPC must have:

  • an ssm VPC endpoint interface attached with a security group that allows HTTPS (TCP 443) ingress traffic from all CIDR blocks of the VPC.
  • an ec2 VPC endpoint interface attached to all subnets.
  • an ec2messages VPC endpoint interface attached to all subnets.
  • a logs VPC endpoint interface attached to all subnets.
  • an sns VPC endpoint interface attached to all subnets.
  • a monitoring VPC endpoint interface attached to all subnets.
  • an sqs VPC endpoint interface attached to all subnets.
  • an elasticbeanstalk VPC endpoint interface attached to all subnets.
  • an elasticbeanstalk-health VPC endpoint interface attached to all subnets.
  • a cloudformation VPC endpoint interface attached to all subnets.
  • an rds VPC endpoint interface attached to all subnets.
  • a states VPC endpoint interface attached to all subnets.
  • an elasticmapreduce VPC endpoint interface attached to all subnets.
  • an s3 VPC endpoint gateway with an entry in the route table of each of your subnets.
  • a dynamodb VPC endpoint gateway with an entry in the route table of each of your subnets.
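As an added check (this is example code, not GeoSpock's own tooling), the following Python audits a VPC against the list above: no attached internet gateway, no live NAT gateway, every interface endpoint present and attached to all subnets, the ssm endpoint's security group accepting TCP 443 from every VPC CIDR block, and the s3 and dynamodb gateway endpoints present in each subnet's route table. It takes records in the shape of the AWS CLI / boto3 describe-* responses, so it can be fed real output; the sample account state at the bottom (region, ids and CIDRs) is constructed so that the script runs offline.

```python
"""Audit an AWS VPC against the private-VPC checklist above (added example, not GeoSpock
tooling). Inputs mirror the shape of AWS CLI / boto3 describe-* responses; the sample
account state at the bottom is constructed."""

# Interface endpoints that must be attached to every subnet of the VPC.
REQUIRED_INTERFACE_SERVICES = (
    "ssm", "ec2", "ec2messages", "logs", "sns", "monitoring", "sqs",
    "elasticbeanstalk", "elasticbeanstalk-health", "cloudformation",
    "rds", "states", "elasticmapreduce",
)
# Gateway endpoints that need an entry in every subnet's route table.
REQUIRED_GATEWAY_SERVICES = ("s3", "dynamodb")

def short_service(service_name):
    """'com.amazonaws.eu-west-1.elasticbeanstalk-health' -> 'elasticbeanstalk-health'."""
    return service_name.split(".", 3)[-1]

def sg_allows_https_from(sg, cidrs):
    """True if the group has a TCP ingress rule covering port 443 for every CIDR."""
    allowed = set()
    for p in sg.get("IpPermissions", []):
        if p.get("IpProtocol") == "tcp" and p.get("FromPort", 1) <= 443 <= p.get("ToPort", 0):
            allowed.update(r["CidrIp"] for r in p.get("IpRanges", []))
    return all(c in allowed or "0.0.0.0/0" in allowed for c in cidrs)  # exact CIDR match

def audit_private_vpc(vpc, igws, nat_gws, subnets, route_tables, endpoints, sgs):
    """Return a list of findings; an empty list means the VPC meets the checklist."""
    vpc_id = vpc["VpcId"]
    vpc_cidrs = [a["CidrBlock"] for a in vpc.get("CidrBlockAssociationSet", [])]
    findings = []

    # Must NOT have: an attached internet gateway, or a live NAT gateway.
    for igw in igws:
        if any(a.get("VpcId") == vpc_id for a in igw.get("Attachments", [])):
            findings.append(f"internet gateway {igw['InternetGatewayId']} is attached")
    for nat in nat_gws:
        if nat.get("VpcId") == vpc_id and nat.get("State") != "deleted":
            findings.append(f"NAT gateway {nat['NatGatewayId']} in {nat['SubnetId']}")

    subnet_ids = {s["SubnetId"] for s in subnets if s["VpcId"] == vpc_id}
    # Route table per subnet: explicit association, else the VPC's main table.
    main_rtb = next((rt["RouteTableId"] for rt in route_tables
                     if any(a.get("Main") for a in rt.get("Associations", []))), None)
    subnet_rtb = dict.fromkeys(subnet_ids, main_rtb)
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") in subnet_rtb:
                subnet_rtb[assoc["SubnetId"]] = rt["RouteTableId"]

    available = {short_service(e["ServiceName"]): e for e in endpoints
                 if e.get("VpcId") == vpc_id and e.get("State") == "available"}

    # Must have: every interface endpoint, attached to all subnets.
    for svc in REQUIRED_INTERFACE_SERVICES:
        ep = available.get(svc)
        if ep is None or ep.get("VpcEndpointType") != "Interface":
            findings.append(f"missing interface endpoint: {svc}")
            continue
        missing = subnet_ids - set(ep.get("SubnetIds", []))
        if missing:
            findings.append(f"{svc} endpoint not attached to subnets {sorted(missing)}")
    # ...and the ssm endpoint's security group must accept 443 from all VPC CIDRs.
    ssm = available.get("ssm")
    if ssm is not None:
        sg_ids = [g["GroupId"] for g in ssm.get("Groups", []) if g["GroupId"] in sgs]
        if not any(sg_allows_https_from(sgs[i], vpc_cidrs) for i in sg_ids):
            findings.append("ssm endpoint security group does not allow 443 from VPC CIDRs")
    # Must have: s3 and dynamodb gateway endpoints in every subnet's route table.
    for svc in REQUIRED_GATEWAY_SERVICES:
        ep = available.get(svc)
        if ep is None or ep.get("VpcEndpointType") != "Gateway":
            findings.append(f"missing gateway endpoint: {svc}")
            continue
        missing = set(subnet_rtb.values()) - set(ep.get("RouteTableIds", []))
        if missing:
            findings.append(f"{svc} gateway endpoint absent from route tables {sorted(missing)}")
    return findings

# ---- constructed sample account state (ids, region and CIDRs are made up) ----
REGION, VPC_ID, SUBNET_IDS = "eu-west-1", "vpc-0example", ["subnet-0aaa", "subnet-0bbb"]
SAMPLE_VPC = {"VpcId": VPC_ID, "CidrBlockAssociationSet": [{"CidrBlock": "10.10.0.0/16"}]}
SAMPLE_SUBNETS = [{"SubnetId": s, "VpcId": VPC_ID} for s in SUBNET_IDS]
SAMPLE_ROUTE_TABLES = [{"RouteTableId": "rtb-0main", "Associations": [{"Main": True}]}]
SAMPLE_SGS = {"sg-0vpce": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
              "ToPort": 443, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]}]}}
SAMPLE_ENDPOINTS = [
    {"VpcId": VPC_ID, "State": "available", "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{REGION}.{svc}", "SubnetIds": list(SUBNET_IDS),
     "Groups": [{"GroupId": "sg-0vpce"}]} for svc in REQUIRED_INTERFACE_SERVICES
] + [
    {"VpcId": VPC_ID, "State": "available", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.{svc}", "RouteTableIds": ["rtb-0main"]}
    for svc in REQUIRED_GATEWAY_SERVICES
]
# A compliant VPC yields no findings; feed describe-* output from your account instead.
COMPLIANT_FINDINGS = audit_private_vpc(SAMPLE_VPC, [], [], SAMPLE_SUBNETS,
                                       SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, SAMPLE_SGS)
```

Only endpoints in the "available" state count, and NAT gateways in the "deleted" state are ignored, since both are what the console would show as gone. The security-group check matches CIDRs exactly (or 0.0.0.0/0); a rule written for a wider prefix would need an ipaddress-based containment test.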

User authentication and authorization in private VPC

In a private VPC the only supported Identity Provider is an LDAPS server (see User authentication and authorization in the GeoSpock database for more information).

Accessing GeoSpock Database in a private VPC

To access GeoSpock Database in a private VPC setup you must have network access to the private VPC. One common way to achieve such connectivity is a VPN connection, for example AWS Client VPN.

Source Data

In a private VPC setup only S3 files from buckets in the same region can be used: the AWS S3 VPC endpoint does not allow cross-region interactions. For more information, refer to the AWS S3 VPC endpoint documentation.
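A small added helper (example code, not part of GeoSpock) for checking candidate source buckets before an import: it normalises the LocationConstraint value that S3's GetBucketLocation returns (buckets in us-east-1 report no constraint, and very old eu-west-1 buckets report the legacy alias "EU") and lists the buckets that sit outside the VPC's region. The bucket names and regions below are constructed.

```python
"""Flag source buckets outside the VPC's region (added example, not GeoSpock code).

`location_constraint` is the LocationConstraint value returned by S3's
GetBucketLocation call; the bucket names and regions below are constructed."""

# GetBucketLocation quirks: buckets in us-east-1 report no constraint (None or ""),
# and very old eu-west-1 buckets report the legacy alias "EU".
_LEGACY_LOCATIONS = {None: "us-east-1", "": "us-east-1", "EU": "eu-west-1"}

def bucket_region(location_constraint):
    """Normalise a GetBucketLocation LocationConstraint to a plain region name."""
    return _LEGACY_LOCATIONS.get(location_constraint, location_constraint)

def unreachable_sources(vpc_region, bucket_locations):
    """Names of buckets whose region differs from the VPC's; the S3 gateway
    endpoint will not serve them, so they cannot be used as source data."""
    return sorted(name for name, loc in bucket_locations.items()
                  if bucket_region(loc) != vpc_region)

# Constructed sample: the private VPC lives in eu-west-1.
SAMPLE_LOCATIONS = {"geo-ingest-eu": "eu-west-1", "geo-ingest-legacy": "EU",
                    "geo-ingest-us": None, "geo-ingest-ap": "ap-southeast-1"}
BLOCKED = unreachable_sources("eu-west-1", SAMPLE_LOCATIONS)  # ['geo-ingest-ap', 'geo-ingest-us']
```

Without the normalisation step, a us-east-1 bucket (constraint None) and a legacy "EU" bucket would be misclassified, so the check would either block a usable bucket or pass one the endpoint cannot reach.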