This article shows how to create a TCP service that exposes an internal database through the Banyan Access Tier, so a user can conveniently yet securely connect with their favorite DB management tool.
This guide uses the Amazon RDS database as an example. However, Banyan supports any TCP-based protocol; the same steps can be extended to any database.
Access to Infrastructure Services, such as SSH/RDP servers, Kubernetes, databases, and generic TCP services, is regularly needed by all Operations and Engineering team members. Traditionally, access relies solely on generating a long-lived password or, sometimes, a long-lived SSH key pair per user. Long-lived credentials and keys can be a security nightmare, given the ease with which they can be shared or lost.
With Banyan, you add a modern mandatory access control layer that constantly evaluates the security posture of the device and integrates with your organization’s Single Sign-On provider. All traffic to infrastructure services is transparently upgraded to mutual-auth TLS using short-lived X.509 certificates. Security policies can then be continuously enforced, locking down access to specific servers based on user and device attributes and trust levels.
Access to Internal TCP Services
For this quick start guide we have a setup as in the diagram below:
A Banyan Access Tier is installed in the same network segment as the Database server to be exposed using Banyan. This guide uses an Access Tier named product-team.
A wildcard DNS record pointing to the Access Tier, so that the Access Tier can serve multiple services. This guide assumes the DNS record *.corp.example.com maps to the product-team Access Tier.
The Database server that needs to be exposed is running. This guide uses a host named mydb with IP address 10.10.12.12, with the DB process listening on port
The Banyan User Directory should be configured to integrate with your Identity Provider.
The Database credentials for the users who need access to mydb have been provisioned and supplied to the users.
We will now enable secure access to the database in three steps.
1.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > Create New Policy.
1.2 Create a new Policy using the template Basic Authorization Policy for Users.
1.3 Enter a Policy Name (such as hosted-service) and a Description.
1.4 Configure the Policy Attributes:
2.1 Navigate to Manage Services > Infrastructure Services and then click + Register Service.
2.2 Select the template Database Service.
2.3 Enter the Service Name (such as AWS RDS) and Description (such as Access to hosted AWS RDS service).
2.4 Click Select an Icon, then search for and select the AWS icon.
2.5 Select the cluster where the applicable Access Tier is located.
2.6 Configure the Service Attributes:
2.7 Configure the Service Connection Settings:
2.8 Attach the policy created previously in Step 1.4, and then set the enforcement mode to
2.9 Click Register Service.
3.1 Launch the Banyan Desktop App, locate the hosted database (for example, Amazon RDS) server from the list of Infrastructure Services, and then click Connect.
3.2 Click into the service details and take note of the localhost:port provided in the Banyan Desktop App (for example,
3.3 Launch your preferred database management tool (such as Microsoft SQL Server Management Studio, pgAdmin, phpMyAdmin, MySQL Workbench, etc.), and then create a new server using the localhost:port noted in the previous step. If necessary, enter your credentials to authenticate.
Behind the scenes, Banyan evaluates your device posture, enforces your security policies, and grants access accordingly.
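The property this setup relies on is that the database is reachable only through the Access Tier: the localhost:port opened by the Desktop App must accept connections, while the database host itself must not be reachable directly from the workstation. The following preflight check is an added example (not Banyan's own tooling); the port 5432 for mydb is an assumption, since the guide leaves the DB port unspecified, and the local stand-in listener exists only so the script can be tried without a Desktop App tunnel.

```python
"""Preflight check for a Banyan-fronted TCP service (added example, not Banyan code)."""
import socket
import threading

DB_HOST = "10.10.12.12"   # mydb, from the guide
DB_PORT = 5432            # assumed: the guide does not state the DB port


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable network, or timeout
        return False


def check_access_path(db_host, db_port, tunnel_port, timeout=2.0):
    """Zero-trust expectation: no direct path to the DB, tunnel path works."""
    direct = tcp_reachable(db_host, db_port, timeout)
    via_tunnel = tcp_reachable("127.0.0.1", tunnel_port, timeout)
    return {
        "direct_reachable": direct,
        "tunnel_reachable": via_tunnel,
        "ok": (not direct) and via_tunnel,
    }


def _fake_tunnel():
    """Constructed stand-in for the Desktop App listener: accepts and closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _closed_port():
    """Pick a local port with nothing listening (stand-in for an unreachable DB)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    _, tunnel_port = _fake_tunnel()   # replace with the port shown in the Desktop App
    print(check_access_path(DB_HOST, DB_PORT, tunnel_port))
```

When run against a real deployment, pass the Desktop App's localhost:port instead of the stand-in; an "ok": False with direct_reachable True means the workstation still has a network path around the Access Tier.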
And, that’s it! You have created a Zero Trust policy for a remote database and accessed it conveniently using your preferred database management tool.