When moving to the cloud, and in fast-paced DevOps environments, securely connecting to your private networks can be very challenging.
And if you and your team want to be able to do it from any device (PCs, phones, tablets, etc) in an easy way, while keep a Zero Trust approach, and without a very complex VPN solution.... Well, I’d normally say "good luck" 🤣
Today however I have for you a solution to that. A service which lets you create a secure network between your servers, computers, and cloud instances, even when separated by firewalls or subnets, and that just works. Oh, and you can start with it for free! Let’s talk about Twingate.
Try out Twingate today and start securely accessing your private resources: https://geni.us/twingate
Video
As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.
Link to the video: https://youtu.be/JsQ6xNSOVqk
If you rather prefer reading, well... let's just continue :)
Why Twingate And Not a VPN?
Let’s firstly see why we would want to use a Zero-Trust Networking solution like Twingate over a normal VPN. And for me, it is down to 4 main pillars:
- Security
- Performance
- Maintainability
- User Experience.
Security
Let’s start with Security. With normal VPNs, user access is usually granted to the entire network that the VPN secures, and access to specific applications need to be managed with complex routing changes or by the applications themselves.
Twingate, instead, allows you to control access granularly at the application level, not the network level. The access is granted on a per application basis.
Moreover, access to a specific resource can be based on a wide variety of factors, including an identity authenticated by a third party SSO or identity provider using MFA, the user’s physical location, time of day, device, and other contextual data.
Finally, Twingate provides comprehensive logging in a single centralized view, making monitoring way easier.
Performance
Let’s talk now about Performance. If you’ve ever used a VPN, you know that in most cases that comes with a degradation of performance. Not with Twingate, this service in fact uses something called "Smart Routing" that promises to have no impact on user performance or latency. And it works on 3 levels.
First one is Resource-level Split Tunneling. With a normal VPN solution, unless you have complex rules in place, all traffic is sent to the VPN gateway, and flows through it.
With Twingate instead, only the traffic that needs to go to the private endpoint is sent through the service, meaning that all your "non-private traffic" is not affected.
We then have the NAT Traversal. Traditional VPN clients are relatively limited. They relay information to a VPN server, and it is the job of that server and other network infrastructure to process authorization requests and manage traffic routing. This is known to cause increased latency.
Twingate pushes these processing activities to the network edge by making its clients intelligent, and creating peer-to-peer connections between clients and resources to minimize latency.
The final point about performance has to do with how the traffic is managed. Instead of using single-plexing, which basically queues the traffic in a single stream and therefore causes performance degradation, Twingate delivers concurrent data streams by multiplexing them over a single connection.
In general, Twingate is able to improve connectivity performances to private resources, and reduce corporate network congestion and bandwidth usage.
Deployment and Maintainability
I mentioned before that another point I consider an advantage of Twingate over traditional VPN solutions is about Deployment and Maintainability.
We will see in a moment how quick and easy it is to deploy Twingate (and this is something you don’t usually get with a traditional VPN), but it doesn’t stop there.
Twingate provides a centralized admin console which controls access to private resources throughout the organization, regardless of whether they are inside or outside the traditional network.
Additionally, not much maintenance is needed on the connectors you deploy, and the service uses an API-first approach so you can automate the configuration, make it part of your CI/CD and even use Terraform to manage them.
User Experience
I don’t think I need to add much else to what we have seen so far to see why the user experience for both admins and end users is better than a traditional VPN.
Twingate Architecture
Before we see this in action, I want to spend a moment talking about the overall service architecture and its components, so later it will be easier to understand the steps we are taking.
Twingate relies on four components:
- Controller
- Clients
- Connectors
- Relays.
The Controller is the central coordination component for Twingate. It's a multi-tenant component that stores configuration changes via the Admin console, registers Connectors, and issues signed authorizations to Clients making connection requests amongst other responsibilities.
The Client is installed onto user devices and acts as a combined authentication and authorization proxy for user requests for private Resources. The Client is where most of the decision-making takes place in a Twingate network deployment, with routing and authorization taking place at the edge within the Client.
The Connector is deployed inside your private network or behind your firewall, and takes care of validating the client connections and ACLs, and performing local DNS resolutions, among other things.
Finally, the Relay is the simplest component in the Twingate architecture. No data or network-identifiable information is stored in the Relay and no data-carrying connections are terminated at the Relay. It basically serves as a registration point for Connectors, and as a connection point for clients.
Step-by-Step Videos
Alright, enough talking. Let’s see this in action. We will start from scratch, installing the connectors, the client, and see how to use them all together.
1️⃣🎦 Demo setup overview
2️⃣🎦 Create a Twingate Network
3️⃣🎦 Installing the Twingate Connectors
4️⃣🎦 Add Resources to Twingate
5️⃣🎦 Twingate Clients Setup
6️⃣🎦 Connect to Private Resources
7️⃣🎦 Twingate Security and User Management
8️⃣🎦 Integration with Identity Provider (AAD, Okta, etc)
9️⃣🎦 Advanced Management: Devices and Policies
Pricing
As I’ve mentioned before, you can start with Twingate completely for free! And you can keep it free forever if you don’t need more than 5 users or more than 2 remote networks.
However, with the free tier you will miss out on the most innovative and useful features. If you want to have resource-level access policies or integrate with your identity provider, for example, or if you need to have it rolled out to more users, more devices, or more remote networks... then you’ll have to go to one of their paid plans.
And as you have seen that can be even for unlimited users, devices, and remote networks... But remember to factor in the cost of your deployed connectors as well, as we have seen before.
Try out Twingate today and start securely accessing your private resources: https://geni.us/twingate
Conclusions
There is so much more about the service we could explore, like for example use Twingate to remotely connect to a NAS, using it as an access control mechanisms for Staging Environments, even use it for securing SaaS applications... let me know in the comments below if you wanna see more about it and I’ll try and make another article/video about Twingate.
So, what do I think about this service? I do like it and I think it is on a whole new level if compared to standard VPN solutions.
One thing I’d love to see implemented is some sort of automated provisioning of the connectors, with Twingate using the cloud provider APIs to deploy it for you. This may not apply to more enterprise level users, where we normally prefer having more control over the deployments, but I think smaller users could benefit from something like that.
Let me know in the comments below what your thoughts are about Twingate, and if you will consider using it instead of a normal VPN... or if you are already using it or some other Zero Trust Networking solution.
Finally, check out this video in which I talk about DevSecOps and how to do it properly.
Like, share and follow me 🚀 for more content:
📽 YouTube
☕ Buy me a coffee
💖 Patreon
📧 Newsletter
🌐 CoderDave.io Website
👕 Merch
👦🏻 Facebook page
🐱💻 GitHub
👲🏻 Twitter
👴🏻 LinkedIn
🔉 Podcast