Implementation of Client VPN

In an increasingly digital and rapidly changing world security and time-to-market are business-critical to commercial success. The company Ruter AS is responsible for public transport in Norway’s capital Oslo and parts of Viken. Ruter had various methods for developers to get access to applications. As such, security, development speed and costs were not optimized. In this case, a Client VPN solution enhanced this and enables Ruter to leverage the AWS platform in a more efficient way.

About the Customer

Ruter AS is a company for public transport in Norway’s capital Oslo and parts of Viken (formerly Akershus county) and with approximately 400 million public transport journeys each year Ruter operates more than half of Norway’s public transport.

The company currently has over 150 developers and a team dedicated to providing AWS services and solutions internally withing Ruter, to support various internal and public facing applications hosted on AWS EKS.

The Case Challenge: Ruter was previously using various custom methods for giving developers access to their applications inside of AWS and VPC’s. A more standard method was needed to gain back control, and make sure all teams could have a reliable and secure solution, common to all teams.

Partner Solution

Orange business suggested AWS Client VPN as a solution, and after an initial proof of concept this was accepted, and a production solution was designed and implemented by using Terraform.

The solution consisted of a central Client VPN endpoint (multi-AZ) in a locked down “networking” account, in combination with AWS SSO for user authorization. The benefit of this architecture, is that only one endpoint needs to be managed.

SSO allows new employees to automatically gain access to applications as soon as they are onboarded.

The VPC containing the VPN endpoint was given routing access to other AWS accounts and workload VPC’s via Transit Gateway. Each workload allows traffic from the VPN endpoint VPC, and each user is granted access to specific workloads via VPN authorizations and SSO groups.

The VPN solution is managed by Orange Business, however authorized people from Ruter can submit changes to authorizations via an ITIL process.

Results and Benefits

After implementation, Ruter has been able to standardize access to AWS for all teams. Being able to access and work on applications directly from local machines, has been a time saver for developers and allowed Ruter to remove custom (3^rd party) methods from the environments. This has increased the development speed as well as decreased the running costs.

The solution has shown to be reliable and performant, and consequently, enhanced the security level.

Moreover, Orange Business has made Ruter’s DevOps practices more effective, where developers can focus on core competencies, drive innovation, and deliver value to their customers.

Ruter’s AWS environment is protected by a baseline security solution, i.e. Orange Business Landing Zone, included in the Cloud Foundation service. The Landing Zone is built on best practice and it enables the customer to scale without risk to lose the control over the security requirements.

Orange Business Managed Services enables DevOps and Security teams to easily access a broad set of AWS knowledges in one place. As part of the Managed Services agreement, a Customer team is appointed to serve Ruter to ensure consultants with domain specific skills are available for projects, requests and troubleshooting. Thanks to the collaboration with Orange Business, Ruter can continue to leverage new AWS capabilities. The AWS usage grew from an already high level with approximately 23% between July 2022 and July 2023.