
We are running a virtual private cloud, in other words a vendor-hosted intranet. (In this case the vendor is AWS, but it could be Azure, Digital Ocean...) The intranet does not have public-facing access. We connect from local machines on home networks via WireGuard + SSH.

If this were a physical office network, I would expect all connections to be encrypted. But is there any benefit to encrypting communication between machines on a VPC? (Whether it's SSH, WireGuard, application-layer encryption...) It certainly wouldn't stop a motivated, hostile vendor, since they have complete access at the hardware level anyway. But are there any other threats that aren't already mitigated by the vendor's intranet security?

For example, if 10.0.0.1 connects to 10.0.0.2 over unencrypted HTTP, who could intercept or modify or spoof the communication?

lofidevops

1 Answer

With a virtual private cloud, you know next to nothing about the infrastructure between the servers. You can only assume the service provider has protected it properly. Servers on the same virtual subnet could even be in different data centres altogether, and you know nothing about the routing of the underlay network. E.g., there could be some unencrypted MPLS network carrying the packets.

Using upper-layer encryption, such as TLS, protects against the deficiencies in the protection of the lower layers.

Esa Jokinen
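As an added example, not part of the answer or of any project: a Go program (standard library only, `crypto/tls` and `net/http/httptest`) showing the property the answer relies on. A client that verifies the peer certificate against a trusted root refuses a service it cannot authenticate, which is what stops an impostor on an untrusted underlay; `InsecureSkipVerify` only encrypts the bytes and authenticates nobody. The in-process service, its self-signed test certificate and the `inventory: ok` body are constructed stand-ins for a host like 10.0.0.2.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newService stands in for an internal service such as 10.0.0.2 (self-signed test cert here).
func newService(body string) *httptest.Server {
	h := func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, body) }
	return httptest.NewTLSServer(http.HandlerFunc(h))
}

func client(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// verifying trusts only certificates chaining to roots; an on-path impostor without one is refused.
func verifying(roots ...*x509.Certificate) *http.Client {
	pool := x509.NewCertPool() // with no roots, nothing is trusted
	for _, c := range roots {
		pool.AddCert(c)
	}
	return client(&tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
}

// skipVerify is the "only internal traffic" shortcut: encrypted, but the peer is never authenticated.
func skipVerify() *http.Client { return client(&tls.Config{InsecureSkipVerify: true}) }

// fetch performs the request; a failed certificate check surfaces as a handshake error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	svc := newService("inventory: ok")
	_, untrusted := fetch(verifying(), svc.URL) // no trusted issuer: refused
	body, _ := fetch(verifying(svc.Certificate()), svc.URL)
	fmt.Printf("untrusted peer: %v\ntrusted peer: %q\n", untrusted, body)
}
```

In a real VPC the root passed to `verifying` would be the organisation's internal CA, and the same check should be applied to every service-to-service client, not only to public-facing ones.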