Deploying a Zero Trust Architecture on Linode Cloud in Minutes

I joined Akamai in 2018 and found a company that was innovating a lot, as it continues to do today. On top of its leading edge CDN and security solutions, the company was investing in a new area of enterprise security that is nowadays well known as Zero Trust Network Access (ZTNA): a security framework requiring all users, whether inside or outside the organization's network, to be authenticated, authorized, and continuously validated for security posture before being granted, or keeping, access to applications and data.

This new paradigm of granting users access to specific applications rather than to entire networks enabled a substantial security posture upgrade for Akamai itself and for its customers. Inside Akamai we no longer use VPNs; we use Enterprise Application Access (EAA), an Identity Aware Proxy built on the Akamai platform that implements the ZTNA model.


Four years later, at the beginning of 2022, Akamai made the largest acquisition in its history: Infrastructure-as-a-Service (IaaS) platform provider Linode joined the Akamai family, with the goal of becoming the world's most distributed computing platform. A great article by Tom Leighton, our CEO and co-founder, describes the importance of this major step of combining edge and cloud architectures:

Akamai was the first company to offer edge computing services. Now, with Linode, Akamai is expanding from delivering and securing applications to empowering developers to build on Akamai. With Linode, we're taking the next major step in our evolution: marrying Linode's experience in cloud computing with Akamai's leadership in scale and security to create the world's most distributed compute platform — making it easier for developers and businesses to build, run, and secure their applications.

So, what is the goal of this article? With two of the most important Akamai innovations in mind, EAA and Linode, I decided to start playing with them to deploy a Zero Trust architecture on Linode in minutes... Let's start!


  • First of all, deploy a simple (internal) application on Linode. I used a Nanode instance in Frankfurt (DE) with CentOS Stream 9, but be aware that Linode offers several instance types to match your needs. I installed Apache and then created a simple HTML page. There are plenty of install guides online; I ran the following commands (note that the service unit is named httpd).

sudo dnf install httpd httpd-tools
sudo systemctl start httpd
sudo systemctl enable httpd
sudo systemctl status httpd

  • Create and download a Connector for Linode. The EAA connector is a virtual appliance deployed behind the firewall in your cloud environment (or data center). It connects an authenticated user to the enterprise applications assigned to them, and it only needs dial-out connectivity to the internet over port 443 (so yes, you can keep your firewall completely closed for inbound traffic). Here you can find the connector specs: the VM should have a minimum of 4 cores and 8 GB of RAM (as of Sept 2022). You can choose between different deployment types, including VMware, VirtualBox, AWS EC2, MS Azure, Google GCE, and many others.


  • Install the Connector on Linode. In my case, I used a Docker Connector, since it was really simple to go to the Linode Marketplace, choose the Docker app, then load and run the connector image on the Linode VM. Here you can find all the detailed steps. The Docker app is up and running! FYI, I started with a 4 CPU / 8 GB RAM Linode for the connector, as the tech docs specify for the minimum VM size. Then, since my environment is for demo only and the CPU was really quiet, I decided to resize the Linode down to a 2 CPU plan (fine for a demo, but below the documented minimum, so don't do that in production). I was expecting some hard work, but the Linode guides came to my rescue with this simple procedure.


Good, we have deployed the (internal) app and the EAA Connector, let's go on!


  • Create and deploy an Identity Provider (IdP). Identity providers offer user authentication as a service: they create, maintain, and manage identity information for users in the cloud. EAA can be integrated with the most widely used identity providers for authentication and authorization. In my case, since it's a demo, I chose Akamai as the IdP, which is equivalent to going into manual mode without integrating any external IdP. In the EAA configuration section you will then need to configure some important settings, such as the preferred Akamai geo region (Frankfurt in my case, as the apps and the connector are there), the session duration, and the MFA setup (e-mail as the second factor in my case). You also have to choose the hostname to which your users will connect, authenticate, and find all the apps they have rights to. You can use your own domain or an Akamai domain (something.login.go.akamai-access.com).
  • Add users to the EAA Cloud Directory, and associate the directory with the IdP. We are not using any external IdP, but the "internal" Cloud Directory of EAA. We just need to add a user with their e-mail address and link that directory of users to our IdP. Done!


  • Configure the Application. You can select different types of applications, both Access Apps and SaaS Apps. In my case, I selected Custom HTTP. Then you link your IdP, check the MFA setting, and configure the domain on which users will reach the app. As with the IdP setting, you can choose between your own domain and an Akamai domain; I chose the first option to use my own domain, and before doing that I uploaded a valid HTTPS certificate matching the chosen hostname.


OK, we're done! Now it's time to TEST all the workflow.

  • Connect to the IdP hostname; a login page should appear. Enter your e-mail and password. (Oh yes, the photo was taken by me in the Langhe region in north-west Italy, the land of famous wines like Barolo and Barbaresco! Check out my website for other pictures of Langhe.)


  • Confirm your identity using MFA (e-mail in my case). Enter the authentication code you received by e-mail and click Verify; you can also tick "remember me" so your browser is recognized at the next access.
  • Finally, you should see the landing page with all the applications you set up previously and for which you are authorized.


  • Click on the app you want to connect to, and voilà! The game is done: your app is ready to use and, most importantly, you have deployed a Zero Trust Network Access architecture!


P.S.: Remember to close the Linode firewall associated with the EAA Connector to inbound connections. You can drop all inbound traffic, since the EAA connector only makes dial-out connections over port 443 to the Akamai EAA infrastructure; nothing needs to reach the connector from the outside.
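The two host-side pieces of the walkthrough, the Apache install from the first step and the "inbound closed, dial-out only" firewall posture from the P.S., as one script. This is an added example and not the article's own commands: it assumes a CentOS Stream 9 Linode with sudo, a Linode API token in LINODE_TOKEN and the connector Linode's numeric ID in CONNECTOR_LINODE_ID (both hypothetical variable names), and it uses the Linode API's POST /v4/networking/firewalls endpoint to create a Cloud Firewall and attach it to the connector. Outbound is left at Linode's default ACCEPT so the connector can still dial out on TCP 443 and resolve DNS; a guard function refuses any rule set that would leave an inbound port open.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Assumed inputs (hypothetical names): LINODE_TOKEN holds a Linode API token,
# CONNECTOR_LINODE_ID holds the numeric ID of the Linode running the connector.
set -eu

# Article step 1: Apache plus a static page on the (internal) app Linode.
# The unit is "httpd"; "enable --now" starts it and keeps it across reboots.
deploy_internal_app() {
    sudo dnf -y install httpd httpd-tools
    sudo systemctl enable --now httpd
    printf '<h1>Internal app behind EAA</h1>\n' | sudo tee /var/www/html/index.html >/dev/null
    systemctl is-active httpd
}

# Cloud Firewall rule set for the connector Linode: every inbound packet is
# dropped and no inbound rule is defined. Outbound stays at Linode's default
# ACCEPT, which is all the connector needs for its dial-out on TCP 443.
connector_firewall_rules() {
    printf '%s' '{"inbound_policy":"DROP","inbound":[],"outbound_policy":"ACCEPT","outbound":[]}'
}

# Guard run before anything is sent to the API: returns 0 only when the
# inbound policy is DROP and the inbound rule list is empty, so a rule set
# that would expose a connector port (for example SSH) is rejected.
assert_inbound_closed() {
    rules="$1"
    case "$rules" in
        *'"inbound_policy":"DROP"'*) ;;
        *) echo "refusing rule set: inbound policy is not DROP" >&2; return 1 ;;
    esac
    case "$rules" in
        *'"inbound":[]'*) return 0 ;;
        *) echo "refusing rule set: inbound rule list is not empty" >&2; return 1 ;;
    esac
}

# Create the firewall and attach it to the connector Linode
# (Linode API: POST /v4/networking/firewalls).
apply_connector_firewall() {
    body=$(printf '{"label":"eaa-connector-fw","rules":%s,"devices":{"linodes":[%s]}}' \
        "$(connector_firewall_rules)" "$CONNECTOR_LINODE_ID")
    assert_inbound_closed "$body"
    curl -fsS -X POST 'https://api.linode.com/v4/networking/firewalls' \
        -H "Authorization: Bearer $LINODE_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "$body"
}

# Side-effecting steps only run when explicitly requested:
#   RUN_DEPLOY=1 LINODE_TOKEN=... CONNECTOR_LINODE_ID=... sh deploy_ztna.sh
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
    deploy_internal_app
    apply_connector_firewall
fi
```

The guard is deliberately strict: a connector with even one inbound ACCEPT rule is a listening host reachable from the internet, which is exactly the exposure the EAA dial-out model removes. If you later need SSH to the connector Linode, reach it through Lish or through EAA itself rather than by reopening the firewall.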


I hope you enjoyed reading this article as much as I enjoyed playing with Zero Trust and Linode. For any additional information, refer to these links or write to me!

Joydeep Mukherjee

Vice President, Security Products | Focused on Growth, Shareholder Value | Product/Portfolio/Program Management, Operations, Global Services, IT | Strategic Planning, Data Analytics & Governance, Customer Success, FP&A, M&A

1 yr

This is a great walk-through, Kade. Simple, clear, guidelines will be key to an organization's ability to effectively implement zero trust in the future.

Stuart Winter

Senior Solutions Engineer, Akamai Technologies

2 yr

Thanks Luca. I followed this article and deployed the Connector into VirtualBox within the Slackware ARM build environment, exposing highly-secured web-based SSH access to one of the project's oldest ARM build hosts. It was so easy and the web client works great!

Brittany Hong 康雅庭

Business Chinese Coach for Professionals | Helping You Master Fluency & Confidence with Fulfillment | Vipassana Meditator | Harmony Conversationalist | Sharing What I Learn on Personal Growth & Communication | DM to Learn More :)

2 yr

It's very innovative and clever! Thank you for sharing!!

Jeff Hocking

Cybersecurity and Cloud Computing

2 yr

A real game changer in the cloud computing space.

Tobia La Marca

Director of Strategic Sales @Sirion | Founder @TheSalesStrategist

2 yr

Luca Moglia 's favorite game: being clever. Not fair.
