I currently have 20 Windows VMs that are running on Amazon EC2. There are LOTS of people in the company that need ad-hoc RDP access to each one of these boxes. Occasionally I also run Unix instances, which again tend to have a lot of ad-hoc SSH access from a large number of users.

So now I have a problem... When these boxes run within my datacenter I can fully control them. I can specifically implement these controls:

  1. Disable any outbound Windows or Unix traffic from a specific subnet to the public internet, so as to stop company data somehow flowing out of our premises.

  2. Disable any inbound access from people's homes, as we do not permit inbound SSH or RDP onto our premises.

I thought of just 'privatizing' my EC2, by enabling VPC (VPN) connectivity. But I don't like this solution for many reasons, which include both cost and routing challenges to do with our specific network design.

Is there any other way to meet my goals? I definitely don't want to configure each machine to 'block' specific traffic behaviors or activities. That's a pain. One thought I had was to configure the Security Groups to somehow make traffic flow only in the 'right direction', but I'm unclear as to how this would be done...?
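Added example (not part of the original question, and not code from AWS): what "the right direction" means for an EC2 security group, and why it covers both goals without touching the instances. A security group is a stateful allow-list: a packet is permitted only if some rule allows it, and the reply half of a permitted connection is always allowed, so an inbound RDP/SSH rule restricted to the office address range keeps sessions working even when outbound traffic to the internet is not allowed. Egress rules exist only on VPC security groups (EC2-Classic groups had inbound rules only), and a new VPC group comes with an allow-all egress rule that must be revoked before the egress list behaves as a deny-by-default. The code below models that semantic so the rule set can be checked offline; the CIDRs, the patch-mirror address, the group id and `apply_to_group` are constructed or assumed, and `apply_to_group` is only called if you pass it a real boto3 EC2 client.

```python
import ipaddress

# Constructed sample values: the office's public egress range and an internal
# software-update mirror the instances may still reach. Replace with your own.
CORP_CIDR = "203.0.113.0/24"
UPDATE_MIRROR_CIDR = "198.51.100.10/32"

# Rules in the shape boto3's authorize_security_group_ingress/egress accept
# (the IpPermissions list), so the same data can be applied unchanged.
INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": CORP_CIDR, "Description": "RDP from office only"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": CORP_CIDR, "Description": "SSH from office only"}]},
]
# Egress allow-list. It only takes effect once the default 0.0.0.0/0 rule is gone.
EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": UPDATE_MIRROR_CIDR, "Description": "patch mirror"}]},
]


def _matches(rule, proto, port, peer_ip):
    """True if one IpPermissions entry covers this protocol/port/peer address."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


class SecurityGroupModel:
    """Stateful allow-list evaluator mirroring VPC security group behaviour:
    a flow is permitted only if some rule allows it, and the reply half of an
    allowed connection is permitted regardless of rules in the other direction."""

    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress
        self.established = set()  # (proto, instance_port, peer_ip, peer_port)

    def inbound(self, proto, dst_port, src_ip, src_port):
        if (proto, dst_port, src_ip, src_port) in self.established:
            return True  # reply traffic of an allowed outbound connection
        ok = any(_matches(r, proto, dst_port, src_ip) for r in self.ingress)
        if ok:
            self.established.add((proto, dst_port, src_ip, src_port))
        return ok

    def outbound(self, proto, dst_ip, dst_port, src_port):
        if (proto, src_port, dst_ip, dst_port) in self.established:
            return True  # reply traffic of an allowed inbound session (RDP/SSH responses)
        ok = any(_matches(r, proto, dst_port, dst_ip) for r in self.egress)
        if ok:
            self.established.add((proto, src_port, dst_ip, dst_port))
        return ok


def apply_to_group(ec2, group_id):
    """Push the rule set with a boto3 EC2 client passed by the caller (assumed, not run here).
    Revoking the default all-egress rule is what turns egress into an allow-list."""
    ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=INGRESS)
    ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=EGRESS)


def check_flows():
    """Evaluate constructed sample flows against the rule set; peer addresses are
    documentation ranges, not real hosts."""
    sg = SecurityGroupModel(INGRESS, EGRESS)
    return {
        "rdp_from_office": sg.inbound("tcp", 3389, "203.0.113.25", 50000),
        "rdp_reply": sg.outbound("tcp", "203.0.113.25", 50000, 3389),
        "rdp_from_home": sg.inbound("tcp", 3389, "198.51.100.77", 50001),
        "ssh_from_home": sg.inbound("tcp", 22, "192.0.2.9", 50002),
        "https_to_internet": sg.outbound("tcp", "93.184.216.34", 443, 51000),
        "smb_to_internet": sg.outbound("tcp", "192.0.2.50", 445, 51001),
        "https_to_mirror": sg.outbound("tcp", "198.51.100.10", 443, 51002),
    }


if __name__ == "__main__":
    for name, allowed in check_flows().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

Because the group is applied per instance rather than per subnet, every VM launched with it inherits the same two controls, and the deny of home-originated RDP/SSH and of instance-originated internet traffic is enforced outside the guest OS. If you also want a stateless, subnet-wide layer (the closest analogue to the datacenter subnet rule), VPC network ACLs provide that, but they require explicit rules for return traffic in both directions.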