Yesterday AWS announced AWS Verified Access for non-HTTPs connections.

This is huge news as it opens up the possibility of getting direct access to private services without needing a VPN. This would allow for the first time, 'direct' access to internal RDS databases without needing a jump box or a proxy. Or at least that's the claim. So I was eager to give it a try. Unfortunately, I didn't get very far.

The first stumbling block is discovering that a client is required, and clients are only available for Windows and Mac, nothing for Linux. Although the contents of the installation package suggest Linux support might be coming in the future.

Still wanting to give it a try, I deployed a plain Windows 11 VM for testing. The Windows installer worked fine, but strangely, doesn't add any icons to launch the app, so I had to browse through the filesystem to launch the client. There's also no configuration options whatsoever in the app itself, instead it's configured by manually deploying a JSON file onto the filesystem, which looks something like this:

{
    "Version": "1.0",
    "VerifiedAccessInstanceId": "vai-2a7bd80dcdc3175c3",
    "Region": "eu-west-1",
    "DeviceTrustProviders": [],
    "UserTrustProvider": {
        "Type": "iam-identity-center",
        "Scopes": "verified_access:application:connect",
        "Issuer": "https://identitycenter.amazonaws.com/ssoins-6834324c3a3214a1",
        "PkceEnabled": true
    },
    "OpenVpnConfigurations": [
        {
            "Config": "Y2xpZW5***REDACTED***hbWU=",
            "Routes": [
                {
                    "Cidr": "2a07:d018:118c:3b00::/57"
                }
            ]
        }
    ]
}

Cue the soul crushing realisation that the service is just a wrapper around OpenVPN. The clue is in the OpenVpnConfigurations block which is just a base64 encoded OpenVPN configuration. 😭 WireGuard is a much better VPN technology in every way, and it could have been used here. It's faster, lighter, secure by default and much simpler to implement. A blog I wrote a while back still stands true today.

But let's carry on, because this could still be a really neat way of getting access to private databases without the overheads of running something like Client VPN.

So I copied over the configuration to the location specified on Windows, C:\ProgramData\Connectivity Client\ClientConfig1.json, and started the client. And got this..

..followed by this about a minute later..

..and that's as far as I've managed to get after following the launch blog instructions.

Given this experience, it doesn't feel like the service even warrants the 'preview' label, it's a long way from a state I would consider deploying, even for testing. Given the timing, on the first day of reInvent, I suspect commercial pressures were at play here. It's a shame, as direct access to private resources without the overhead of managing a VPN would be incredibly useful. I'll be keeping my eyes open on how it progresses and hopefully in the mid-term it will become a viable option.