Implications of accessing a web app via a VPN
I have a cloud-hosted server that I can Remote Desktop into. I have a web application that is hosted on this server via IIS. I also have a backend server on this same server that runs to get backend data to the web application. The data is transferred from the backend to the web app via HTTP and not HTTPS. The web application is not meant to be accessed freely via the internet like a normal website. It's meant to be accessed more like a local resource in an intranet. We do however expose some ports once connected to a VPN.
In order to access this web application, you need to be connected to a VPN and then do one of the following:
Connect to the server via Remote Desktop and use the browser on the machine to access the web application by navigating to the server's local IP address (essentially localhost) in the browser
Navigate to the server's local IP address using the browser on your own local machine.
My questions
- What are the security implications of this architecture?
- Is having the VPN acting as a gateway to the resource enough of a security measure?
- Are there other things I should consider?
- What advice do you have that would help make this application more secure?
