
Securely Connecting Tenants, Customer and Partners to VM/EC2
There are different ways for customers, tenants and partners to get access into their assigned Spoke VMs or Spoke VPCs. You can think of it as your customers accessing a SaaS in their respective VPCs/VNets.
I am mentioning a few design choices here, but there are more. If none of these fits the bill, contact us or comment at the end about your specific need.
Policy-based and Zero trust SASE
This option should not require an IGW (the native cloud Internet Gateway) in the Spoke VPC itself. Customers land in a SASE VPC first (policy-based, Zero Trust, SAML-based, MFA OpenVPN client) and from there they are routed to their respective VPC/VNet.
Think of it as a proxy in the middle, as in the SASE model.
Private Circuit from On-Premise to Transit VPC
Another option is to use direct, private tunnels from on-prem with proper segmentation, so that each customer has ZTNA access only to their respective VPC/VNet.
The details are in Deepesh's blog: https://community.aviatrix.com/t/35hz0vl/extending-segmentation-from-on-premise-to-gcp-over-cloud-interconnect-using-aviatrixsolution
Direct Connectivity to Spoke VPC
Another option is to land the customer directly on the Spoke GW, which then NATs the traffic. The Spoke GW is deployed in a public subnet with an IGW, but the VMs stay in a private subnet. Access can be locked down even further with security groups (SG/NSG etc.).
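To make the "lock the access even further" step checkable, here is an added example (not Aviatrix code and not part of the original post) that reads route-table and security-group data in the shape boto3 returns and verifies two properties of the private-subnet VM: no route to an internet gateway, and ingress only from the Spoke GW's subnet or security group. The CIDRs, ids and sample rules are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data in the shape of boto3 describe_route_tables /
# describe_security_groups output; all ids and CIDRs are placeholders.
SPOKE_GW_SUBNET = "10.20.0.0/24"        # public subnet holding the Spoke GW (assumed)
SPOKE_GW_SG = "sg-0spokegw000000000"     # Spoke GW security group id (placeholder)

ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000000000000"},
]}

SECURITY_GROUP = {"IpPermissions": [
    # Good: HTTPS only from the Spoke GW subnet
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.20.0.0/24"}]},
    # Bad: SSH from anywhere, bypasses the Spoke GW entirely
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}


def subnet_is_private(route_table: Dict) -> bool:
    """A private subnet has no route whose target is an internet gateway (igw-*)."""
    return not any(r.get("GatewayId", "").startswith("igw-") for r in route_table["Routes"])


def offending_ingress(sg: Dict, allowed_cidr: str, allowed_sg_id: str) -> List[str]:
    """Return ingress rules whose source is neither inside the Spoke GW subnet
    nor the Spoke GW security group itself."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for perm in sg["IpPermissions"]:
        label = f'{perm["IpProtocol"]}/{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}'
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not src.subnet_of(allowed):
                findings.append(f"{label} from {src}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != allowed_sg_id:
                findings.append(f'{label} from security group {pair["GroupId"]}')
    return findings


def check_spoke_vm(route_table: Dict, sg: Dict, gw_subnet: str, gw_sg: str) -> List[str]:
    issues = []
    if not subnet_is_private(route_table):
        issues.append("VM subnet has a route to an internet gateway")
    issues += [f"ingress not limited to Spoke GW: {f}" for f in offending_ingress(sg, gw_subnet, gw_sg)]
    return issues


if __name__ == "__main__":
    for issue in check_spoke_vm(ROUTE_TABLE, SECURITY_GROUP, SPOKE_GW_SUBNET, SPOKE_GW_SG):
        print("FINDING:", issue)
```

In practice you would feed it the real describe_* responses for each tenant's spoke and run it as a drift check. IPv6 and prefix-list sources are not handled here.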
Private Link to Spoke VPC
There is another option using Private Links, but those are uni-directional. So if traffic is always initiated by on-prem towards the VPC, that could work. Check out the example here.
In the example, the Partner VPC could be your customer VPC. Also, the example talks about S3, but it could be any type of access, because we can expose it via a LB.