Usage of Security Group associated with AWS Client VPN

3 minute read

Content level: Intermediate

When you associate the first target network with a Client VPN endpoint, we automatically apply the default security group of the VPC in which the associated subnet is located. You can however change the security group(s) for the Client VPN endpoint. The security group rules that you require depend on the kind of VPN access you want to configure.

Let’s take a look at the usage of Client VPN Security Group with an example below:

To control user traffic at the Client VPN Endpoint level, you will need to configure 'Outbound' rules on the Security Group associated with your Client VPN Endpoint.

In the example scenario below, if you want to grant access to users connected to the Client VPN endpoint for a specific EC2 instance and port (e.g., SSH port 22), you can modify the 'Outbound' rules of the Client VPN Security Group (referred to as Security Group A in the diagram) to allow SSH traffic on port 22 and specify the Private IP address of the target EC2 instance as the destination. These 'Outbound' rules within the Client VPN Security Group effectively grant or restrict access to traffic from the Client VPN endpoint, to destination/resources in your VPC and beyond.

Note: ‘Inbound’ Rules of the Client VPN Security Group are not checked as Security Groups are stateful in nature.

Enter image description here

The second use case of ‘Client VPN associated Security Group’ comes in the form of Security Group referencing https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-restrict.html#scenario-restrict-security-groups .

In the example scenario above, the Target EC2 has its own Security Group (referred to as Security Group B in the diagram) which should allow SSH traffic ‘Inbound’ for the Client VPN users. For this purpose, you can add an ‘Inbound’ rule to Security group B that allows access from Source = Security group A (Client VPN security group), thus allowing Client VPN users to access the Target EC2. This is a recommended way of providing access within the same VPC, rather than adding CIDR ranges.

Precautions and Best Practices

Impact on Other Resources: Adding or removing rules that reference the Client VPN Security Group can potentially grant or deny access for other associated resources in your VPC.
Dedicated Security Groups: For increased control and security, it is advisable to create a dedicated Security Group explicitly for use with your Client VPN endpoint, rather than sharing it with other resources.

Topics

Networking & Content Delivery

Relevant content

AWS Client VPN connection and traffic flow handling simplified
EXPERT
Karthikiran Ilango
published 6 months ago
Secure way to set up IPsec VPN between IBM Cloud and an AWS-managed VPN endpoint with static routing
EXPERT
Vinay Gugueoth
published 6 months ago
Use AWS Client VPN to access workloads running on VMware Cloud on AWS
EXPERT
Sawab Ahmed
published 6 months ago
VPN Client endpoint authorization rules with client certificates
Accepted Answer
icelava
asked 6 months ago
Client VPN Security Groups rule for Client CIDR
rePost-User-7852577
asked 2 years ago
Client VPN endpoints
James Wilson
asked a year ago
How can I provide my Client VPN users with access to AWS resources?
AWS OFFICIALUpdated a year ago
How does DNS work with my AWS Client VPN endpoint?
AWS OFFICIALUpdated 9 months ago
How do I associate a target network with a Client VPN endpoint?
AWS OFFICIALUpdated 8 months ago
How do I use the AWS CLI to configure a Client VPN?
AWS OFFICIALUpdated 5 months ago