Client VPN Authorization Rules


I have clients set up with mutual authentication and am looking to set up some authorization rules, but I am hitting an issue where the authorization rules don't seem to work for anything smaller than a /16 subnet.

For example, I have the following setup:

Networks
VPC Network - 10.1.0.0/16

Client A - Member of AD Group A
Client B - Member of AD Group B

AD Group A has authorization rule to allow access to 10.1.1.0/24
AD Group B has authorization rule to allow access to 10.1.0.0/16

Route Table has route to 10.1.0.0/16

Client A and B are both able to connect successfully

Client B can ping 10.1.1.1 but Client A cannot

If I change the authorization rule for AD Group A to match AD Group B, the ping works.

It seems like I am missing something, or there is an issue with the authorization interpretation of smaller subnets.

Edited by: Hockercs on Feb 15, 2019 9:25 AM

chocker
Asked 5 years ago, 196 views
1 answer

The authorization rule order is significant, and once a network match is found it stops processing additional rules.

So the authorization rule for 10.1.1.0/24 must appear higher in the list than the one for 10.1.0.0/16.

Also, for Client B, who should have access to the entire 10.1.0.0/16 subnet, those users will need to be members of both AD Group A and AD Group B in order to get access to 10.1.1.0/24 as well as the rest of the /16 subnet.

chocker
Answered 5 years ago
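The following is an added example, not code from the question or the answer, that models the ordered first-match evaluation the answer describes so the three configurations in this thread can be checked side by side: the /16 rule listed before the /24 rule (the asker's failing setup), the /24 rule moved above the /16 (the fix), and Client B placed in both groups. It is a model of the behaviour stated in the answer, not AWS's own implementation; the group names and addresses are the constructed values from the question. It also includes a small check for rules that are shadowed by a broader rule listed above them, which is the condition that produced the symptom.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed values taken from the question above.
VPC = IPv4Network("10.1.0.0/16")      # whole VPC, routed by the route table
SUBNET = IPv4Network("10.1.1.0/24")   # subnet AD Group A should reach
TARGET = "10.1.1.1"                   # host the asker is pinging


def authorized(rules: list, client_groups, dst: str) -> bool:
    """Ordered first-match evaluation, as the answer describes it.

    rules: list of (destination CIDR, AD group admitted), in list order.
    The first rule whose CIDR contains dst decides; later rules are not
    consulted even if the client would have matched them. A destination
    covered by no rule is denied.
    """
    addr = IPv4Address(dst)
    groups = set(client_groups)
    for cidr, group in rules:
        if addr in cidr:
            return group in groups
    return False


def shadowed_rules(rules: list) -> list:
    """Return (index, shadowing_index) pairs for rules that can never match
    because an earlier rule's CIDR already contains theirs."""
    found = []
    for i, (cidr, _) in enumerate(rules):
        for j in range(i):
            if cidr.subnet_of(rules[j][0]):
                found.append((i, j))
                break
    return found


def scenario() -> dict:
    """Reproduce the thread's configurations and report who can reach TARGET."""
    # 1. /16 rule listed above the /24 rule: the asker's setup.
    broad_first = [(VPC, "AD Group B"), (SUBNET, "AD Group A")]
    # 2. /24 rule moved above the /16 rule, as the answer recommends.
    specific_first = [(SUBNET, "AD Group A"), (VPC, "AD Group B")]
    return {
        "broad_first": {
            "client_a": authorized(broad_first, {"AD Group A"}, TARGET),   # False
            "client_b": authorized(broad_first, {"AD Group B"}, TARGET),   # True
            "shadowed": shadowed_rules(broad_first),                       # [(1, 0)]
        },
        "specific_first": {
            "client_a": authorized(specific_first, {"AD Group A"}, TARGET),  # True
            # Client B now hits the /24 rule first and is not in AD Group A.
            "client_b": authorized(specific_first, {"AD Group B"}, TARGET),  # False
            # Rest of the /16 still works for Client B via the second rule.
            "client_b_rest_of_vpc": authorized(specific_first, {"AD Group B"}, "10.1.2.1"),  # True
            # Membership in both groups restores full access, as the answer says.
            "client_b_both_groups": authorized(
                specific_first, {"AD Group A", "AD Group B"}, TARGET),       # True
            "shadowed": shadowed_rules(specific_first),                      # []
        },
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Run `shadowed_rules` over the rule list in the order the endpoint shows it before changing anything: any pair it returns is a narrower rule that the model says will never be consulted, which is exactly what the asker observed for the /24 rule.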
