Private endpoints to Auth0 API from backend servers in restricted AWS VPC?

Does Auth0 offer anything like a VPC endpoint that would permit backend servers (hosted in a VPC that lacks outbound access to the internet) to contact the Auth0 API? Alternatively stated, is it possible to set up an AWS PrivateLink or VPC peering connection to Auth0 in a way that permits access to the API?

To prevent security vulnerabilities (including remote code execution and server-side request forgery) from exfiltrating sensitive data, it is a best practice to restrict connectivity of backend servers to the wider internet. This can be achieved for servers hosted at AWS by utilizing VPC endpoints that permit secure connection to specific services (S3, CloudWatch, Systems Manager), and then blocking all outbound access to the wider internet.

Unfortunately, a blocker to realizing this defense-in-depth scenario is if any server needs to access the Auth0 Authentication API (to exchange authorization codes/refresh tokens for access tokens) or the Auth0 Management API (to create/update/link users, create tickets, or any other administrative actions), as these APIs are hosted behind a CDN that necessitates connectivity to arbitrary IP addresses on the public internet.

Therefore I’m curious whether Auth0 offers any solution for AWS-hosted servers to connect to its APIs in a manner that does not require outbound access to arbitrary IPs on the public internet.

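As an added illustration of the egress-restricted layout the question describes (example Terraform written for this page, not code from the original post or from Auth0), the following locks a private subnet down so backend instances can reach S3, CloudWatch Logs and Systems Manager only through VPC endpoints, with no route and no security-group rule to the public internet. It assumes `aws_vpc.main`, the private subnet IDs in `var.private_subnet_ids` and `var.region` are defined elsewhere.

```hcl
# Added example, not from the original post: private subnets whose only
# egress is to VPC endpoints. Assumed to exist elsewhere: aws_vpc.main,
# var.private_subnet_ids and var.region.

# Route table for the private subnets. Intentionally no 0.0.0.0/0 route
# (no internet gateway, no NAT gateway): there is no path to the internet.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table_association" "private" {
  for_each       = toset(var.private_subnet_ids)
  subnet_id      = each.value
  route_table_id = aws_route_table.private.id
}

# Security group for the backend servers. Declaring it without an inline
# egress block makes Terraform delete the default allow-all egress rule, so
# the only egress permitted is what the explicit rules below grant.
resource "aws_security_group" "backend" {
  name   = "backend"
  vpc_id = aws_vpc.main.id
}

# Security group attached to the interface endpoints: HTTPS in from the
# backend security group only.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group_rule" "endpoints_from_backend" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.endpoints.id
  source_security_group_id = aws_security_group.backend.id
}

# S3 is a gateway endpoint: reached through a route-table entry and an
# egress rule to the endpoint's managed prefix list, not through an ENI.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

resource "aws_security_group_rule" "backend_to_s3" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.backend.id
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}

# CloudWatch Logs and Systems Manager (ssm, ssmmessages, ec2messages for
# Session Manager) are interface endpoints: an ENI per private subnet, with
# private DNS so the normal AWS hostnames resolve to the endpoint's private IPs.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["logs", "ssm", "ssmmessages", "ec2messages"])
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.${each.value}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

# For an egress rule, source_security_group_id names the destination group.
resource "aws_security_group_rule" "backend_to_endpoints" {
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.backend.id
  source_security_group_id = aws_security_group.endpoints.id
}
```

With this in place, an instance in `aws_security_group.backend` can read S3, ship logs and accept Session Manager connections, but a token exchange against the tenant's Auth0 domain simply times out: the domain resolves to public CDN addresses and nothing here admits a route or an egress rule to them. That is precisely the gap the question asks Auth0 to close, and this configuration does not close it; it only shows why adding a 0.0.0.0/0 rule to reach Auth0 would also reopen the path that the Log4Shell-style attacks in the follow-up post rely on.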

In case it’s not immediately obvious why this defense-in-depth configuration is considered a best practice, I’ll note that servers lacking outbound access to the wider internet are/were already effectively protected against the Log4Shell vulnerability (quote: “the single biggest, most critical vulnerability ever”), even if the servers are running insecure versions of Log4j. Servers configured in this manner are similarly protected against all other vulnerabilities that require the server to access attacker-controlled resources on the internet.
