How to Secure Access to Confluence on AWS (~10 minutes)
Many organizations use Confluence to create, share, and collaborate on projects and consider it to be a security-sensitive application which should not be exposed to the public Internet.
This post will guide you through configuring New Edge to provide secure access to a private, self-hosted instance of Confluence deployed on AWS, and then locking down AWS so that the instance cannot be reached directly over the Internet. We assume your users should be able to access Confluence securely at a URL provided by your company, e.g. http://confluence.example.com:8090
Prerequisite: a self-hosted instance of Confluence installed in your AWS environment (Learn how to install Confluence on Linux). For the purposes of this post we assume Confluence is installed on a single EC2 instance rather than a high-availability deployment.
Create a service under New Edge
Sign in to your New Edge Admin console
Click Services in the left sidebar menu
Click New Service
Enter a name, e.g. “Confluence”
Enter a hostname, e.g. “confluence.example.com”
Select TCP from Protocols
Enter the port number you set when you configured Confluence, e.g. “8090”
Select the Publisher which you deployed alongside Confluence in your VPC
Register the app using your end user email address
Connect the New Edge app
Open your browser and navigate to http://confluence.example.com:8090 to confirm that you can access Confluence through the New Edge Service
Configure AWS security groups
Edit the security group attached to the EC2 instance that hosts Confluence so that it accepts inbound connections on port 8090 only from the New Edge Publisher IP. This ensures that the EC2 instance is not reachable from the Internet. Learn about AWS security groups.
Optionally, you can deploy Confluence on an EC2 instance which does not have a public IP address. This adds a further layer of protection, ensuring that even a security group misconfiguration won’t expose Confluence to the Internet.
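The two conditions above (port 8090 reachable only from the Publisher, and ideally no public IP on the instance) are easy to get wrong in the console and easy to regress later. The following added Python audit, which is not part of the original post or of New Edge, checks a security group and an instance description for exactly those conditions. It runs offline against constructed samples shaped like the JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-instances` return; the Publisher IP 10.0.1.25, the group ID and the instance ID are assumptions made up for the example.

```python
import ipaddress

CONFLUENCE_PORT = 8090                  # the port configured in the post
PUBLISHER_SOURCES = {"10.0.1.25/32"}    # assumption: private IP of the New Edge Publisher (constructed)

# Constructed sample: the "before" state, with Confluence and SSH open to the whole Internet.
OPEN_SG = {
    "GroupId": "sg-0confluence",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8090, "ToPort": 8090,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

# Constructed sample: the locked-down state the post asks for.
LOCKED_SG = {
    "GroupId": "sg-0confluence",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8090, "ToPort": 8090,
         "IpRanges": [{"CidrIp": "10.0.1.25/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

# Constructed instance descriptions; describe-instances only includes PublicIpAddress when one is assigned.
PUBLIC_INSTANCE = {"InstanceId": "i-0confluence", "PrivateIpAddress": "10.0.2.40", "PublicIpAddress": "203.0.113.10"}
PRIVATE_INSTANCE = {"InstanceId": "i-0confluence", "PrivateIpAddress": "10.0.2.40"}


def _sources(rule):
    """Yield every source of an ingress rule as ('cidr', value) or ('sg', group id)."""
    for r in rule.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    for r in rule.get("UserIdGroupPairs", []):
        yield "sg", r["GroupId"]


def _covers(rule, port):
    """True if the rule admits traffic on `port` (IpProtocol "-1" means all protocols and ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_group(sg, port=CONFLUENCE_PORT, allowed=PUBLISHER_SOURCES):
    """Return a list of findings; an empty list means the group matches the post's intent.

    Two checks: no rule on any port may be open to the Internet (a /0 source), and
    every source that can reach `port` must be one of the expected Publisher sources.
    """
    findings = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        for kind, src in _sources(rule):
            if kind == "cidr" and ipaddress.ip_network(src, strict=False).prefixlen == 0:
                findings.append(f"{gid}: {rule.get('IpProtocol')} {rule.get('FromPort', 'all')}-"
                                f"{rule.get('ToPort', 'all')} is open to the Internet ({src})")
            elif _covers(rule, port) and src not in allowed:
                findings.append(f"{gid}: port {port} reachable from unexpected source {src}")
    return findings


def instance_has_public_ip(instance):
    """True if the instance description carries a public IPv4 address."""
    return "PublicIpAddress" in instance


if __name__ == "__main__":
    for label, sg in (("open", OPEN_SG), ("locked", LOCKED_SG)):
        print(label, audit_security_group(sg) or "OK")
    print("public IP assigned:", instance_has_public_ip(PUBLIC_INSTANCE), instance_has_public_ip(PRIVATE_INSTANCE))
```

The audit treats a source security group (a `UserIdGroupPairs` entry) as acceptable only if its ID is listed in `allowed`, so if you reference the Publisher's security group instead of its IP, pass that group ID in the set.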
Configure DNS records for Confluence
Domain names for private applications should be resolvable only within your AWS VPC to prevent unauthorized users from discovering them. To accomplish this, we recommend creating a private DNS record in Amazon Route 53 and removing any public DNS records.
Open your AWS console
Open Route 53 (Amazon’s DNS service)
Click “Create Hosted Zone”
Enter “example.com” (where example.com is your company’s domain) in Domain name
Choose Type: “Private Hosted Zone for Amazon VPC”
Choose the VPC where both Confluence and your New Edge Publisher are deployed
Click “Create Record Set”
Type “confluence” in Name field
Choose “A – IPv4 address” and type the Confluence instance’s private IP address in the Value field
(Optional) If you have a public DNS record for Confluence, delete the record from your public DNS provider
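To confirm the DNS outcome the post describes (the Confluence name resolvable only inside the VPC, and no leftover public record), the following added Python check, which is not part of the original post or of Route 53's own tooling, audits hosted zones and their record sets. It runs offline against constructed samples shaped like `aws route53 get-hosted-zone` and `aws route53 list-resource-record-sets` output; the zone IDs, the VPC ID vpc-0example and the addresses 10.0.2.40 and 203.0.113.10 are made up for the example.

```python
import ipaddress

CONFLUENCE_FQDN = "confluence.example.com."   # Route 53 returns names with a trailing dot
VPC_ID = "vpc-0example"                        # assumption: VPC holding Confluence and the Publisher (constructed)

# Constructed zones: one public example.com zone and one private zone associated with the VPC.
ZONES = [
    {"Id": "/hostedzone/ZPUBLIC", "Name": "example.com.", "Config": {"PrivateZone": False}, "VPCs": []},
    {"Id": "/hostedzone/ZPRIVATE", "Name": "example.com.", "Config": {"PrivateZone": True},
     "VPCs": [{"VPCRegion": "us-east-1", "VPCId": VPC_ID}]},
]

PRIVATE_RECORD = {"Name": CONFLUENCE_FQDN, "Type": "A", "TTL": 300,
                  "ResourceRecords": [{"Value": "10.0.2.40"}]}

# Before the optional cleanup step: the public zone still advertises Confluence.
RECORDS_BEFORE = {
    "/hostedzone/ZPUBLIC": [{"Name": CONFLUENCE_FQDN, "Type": "A", "TTL": 300,
                             "ResourceRecords": [{"Value": "203.0.113.10"}]}],
    "/hostedzone/ZPRIVATE": [PRIVATE_RECORD],
}
# After the cleanup step: only the private zone knows the name.
RECORDS_AFTER = {"/hostedzone/ZPUBLIC": [], "/hostedzone/ZPRIVATE": [PRIVATE_RECORD]}


def audit_dns(zones, records_by_zone, fqdn=CONFLUENCE_FQDN, vpc_id=VPC_ID):
    """Return findings for `fqdn`; an empty list means it exists only in a private zone tied to the VPC.

    Checks: no public zone carries the name, at least one private zone does, that zone is
    associated with the expected VPC, and its A/AAAA values are private addresses.
    """
    findings = []
    private_hits = 0
    for zone in zones:
        for rec in records_by_zone.get(zone["Id"], []):
            if rec["Name"].lower() != fqdn.lower():
                continue
            if not zone["Config"]["PrivateZone"]:
                findings.append(f"{fqdn} is published in public zone {zone['Id']}")
                continue
            if vpc_id not in {v["VPCId"] for v in zone.get("VPCs", [])}:
                findings.append(f"private zone {zone['Id']} is not associated with {vpc_id}")
            for rr in rec.get("ResourceRecords", []):
                if rec["Type"] in ("A", "AAAA") and not ipaddress.ip_address(rr["Value"]).is_private:
                    findings.append(f"{fqdn} in private zone points at non-private address {rr['Value']}")
            private_hits += 1
    if private_hits == 0:
        findings.append(f"no private-zone record for {fqdn}")
    return findings


if __name__ == "__main__":
    print("before:", audit_dns(ZONES, RECORDS_BEFORE) or "OK")
    print("after: ", audit_dns(ZONES, RECORDS_AFTER) or "OK")
```

Comparing names case-insensitively and with the trailing dot mirrors how Route 53 stores them, so a record entered as "confluence" in the console matches the fully qualified name the API returns.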
If you’re planning to secure Confluence running in your AWS environment, New Edge is the best way to provide secure access to cloud services. Contact us, and we’d be happy to talk you through this process step by step.