Using VPN vs TLS-enabled webserver, which is better?

It costs more to implement a VPN solution on AWS than it would to use, say, Let’s Encrypt to update the webserver with SSL/TLS certs. Both encrypt traffic, yet one relies on extra sources of security such as a couple of certs/keys and username and password; the latter just allows any IP to connect to the webserver and this connection is encrypted.

Does it make sense, or is it redundant, to utilize a VPN when you can use security groups, finely tuned to, say, allow inbound HTTPS access to the webserver from known IPs of your remote office?

I’m amazed at how well security groups can work to make security better in the cloud.

But back to my question/scenario… Should we implement VPNs to remotely access servers, or is it okay to face our webserver running OpenEMR up front on the internet with Let’s Encrypt certs + limited access via security groups?

Thank You.

Security groups boil down to IP whitelisting, and that’s not a bad answer for user control. You might explore 2FA authentication or possibly even client certificates if you want alternatives to users having to log into a VPN.