I wanted to touch briefly on the security concerns for having Scalr accessible via the Internet. If you are running your own install of Scalr this is an important factor before even adding the first farm. For my own sake I will not getting into my exact setup, but instead talk about a few approaches to locking down access to Scalr.
Possibly the best approach is to limit access to Scalr interface to internal network requiring users to use OpenVPN or some other VPN solution to access internal resources which would include Scalr. If you are hosting Scalr on an AWS instance be sure to set the security group to only allow the port you are running for VPN. You can find a quick and dirty howto for OpenVPN on an EC2 instance at Google Books.
Another option is to use SSL and mod_access (Apache 1.3) or its renamed equivalent in Apache 2.2 mod_authz_host to limit those who have access to Scalr interface. You should for sure at least use SSL to access Scalr. You can also add a layer of authentication for good measure using Apache Basic Authentication.
Being that Scalr controls the rest of your AWS setup it is by far the one thing you want to lock down as much as possible.
Saw this article when looking for information on using OpenVPN with Amazon Web Services. It is not exactly what I am looking to do with my latest project. But it is some good helpful information for those with existing infrastructure looking to use AWS. There is also VPN-Cubed which is another option if looking for a supported product. I have not used it but would love to hear some comments by those who have.
I found the setup and configuration of OpenVPN to be very easy and straight forward. Much easier than setting up IPSec for sure. It was as easy as doing a yum install openvpn then editing the configuration file to fit my needs. One thing I also installed was the OpenVPN Webmin module. The way I use Webmin is to set it up to use SSL after installing it. Then I run it once I log in via SSH to a server. That way it is not running continuously, nor do I keep it on the default port of 10000.
Once the server is configured it is quite easy using the Webmin module to create a CA (Certificate Authority) and generate certs. Another function the module does well is generate a zip file with the needed keys and a client config file for the user you create. This makes is easy to maintain a large list of VPN users. Some clients I use in our environment:
I have found from testing that even with the use of 2048bit keys performance is very good. By forcing users connected to use our internal DNS servers people can access our intranet sites easily from anywhere.