How do I restrict access to Amazon VPC resources on my Site-to-Site VPN?


I want to restrict access to my Amazon Virtual Private Cloud (Amazon VPC) resources on an AWS Site-to-Site VPN.

Resolution

Use one of the following methods to restrict access to Amazon VPC resources on a Site-to-Site VPN:

  • Update the rules for the security group that's associated with your Amazon VPC resource.
  • Update the rules for the network access control list (network ACL) that's associated with the resource's subnet.
  • Configure the VPN connection options with an encryption domain.
  • Create a blackhole route.
  • Use firewalls on the customer gateway device.
  • Use AWS Network Firewall.

Update your security group rules

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Security groups.
  3. Select the security group that's associated with the VPN gateway.
  4. Edit the inbound and outbound rules to allow only specific IP addresses or ranges to access the VPN.

For more information, see Control traffic to your AWS resources using security groups.

Update the network ACL rules

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Network ACLs.
  3. Select the network ACL that's associated with the subnet.
  4. Configure the rules to allow only necessary traffic.

For more information, see Control subnet traffic with network access control lists.
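The two methods above layer differently: a network ACL is stateless and evaluates numbered rules in order until one matches, while a security group is stateful and admits traffic if any allow rule covers it. The following Python script is an added example, not code from the AWS article; the rule sets, CIDRs, and the helper names (`nacl_decision`, `sg_decision`, `flow_allowed`) are constructed here to show how both layers decide on a given inbound flow from an on-premises address, and why rule numbering matters for the network ACL.

```python
import ipaddress

# Constructed rule sets for this example (not exported from a real account).
# Network ACL (stateless): rules are evaluated in ascending rule-number order and
# the first match wins; traffic matching no rule hits the implicit deny-all ("*").
NACL_INBOUND = [
    {"rule": 100, "protocol": "tcp", "port_from": 443, "port_to": 443,
     "cidr": "10.20.0.0/16", "action": "allow"},
    {"rule": 110, "protocol": "tcp", "port_from": 22, "port_to": 22,
     "cidr": "10.20.5.0/24", "action": "allow"},
    {"rule": 120, "protocol": "-1", "port_from": 0, "port_to": 65535,
     "cidr": "10.20.0.0/16", "action": "deny"},
]

# Security group (stateful): allow rules only, order is irrelevant; traffic that
# no rule permits is dropped, and replies to permitted traffic are allowed back out.
SG_INBOUND = [
    {"protocol": "tcp", "port_from": 443, "port_to": 443, "cidr": "10.20.0.0/16"},
    {"protocol": "tcp", "port_from": 22, "port_to": 22, "cidr": "10.20.5.10/32"},
]


def _matches(rule, src_ip, protocol, port):
    """True if a single rule covers this source address, protocol and port."""
    all_protocols = rule["protocol"] == "-1"
    proto_ok = all_protocols or rule["protocol"] == protocol
    port_ok = all_protocols or rule["port_from"] <= port <= rule["port_to"]
    cidr_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])
    return proto_ok and port_ok and cidr_ok


def nacl_decision(rules, src_ip, protocol, port):
    """First-match evaluation in rule-number order; returns (action, rule number)."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _matches(rule, src_ip, protocol, port):
            return rule["action"], rule["rule"]
    return "deny", "*"


def sg_decision(rules, src_ip, protocol, port):
    """Any matching allow rule admits the traffic; otherwise it is dropped."""
    return "allow" if any(_matches(r, src_ip, protocol, port) for r in rules) else "deny"


def flow_allowed(src_ip, protocol, port, nacl=NACL_INBOUND, sg=SG_INBOUND):
    """Inbound traffic must pass the subnet's network ACL and then the resource's
    security group; either layer alone can block it."""
    nacl_action, _ = nacl_decision(nacl, src_ip, protocol, port)
    return nacl_action == "allow" and sg_decision(sg, src_ip, protocol, port) == "allow"


if __name__ == "__main__":
    for src, proto, port in [("10.20.5.10", "tcp", 22), ("10.20.5.11", "tcp", 22),
                             ("10.20.9.9", "tcp", 3389), ("192.168.1.1", "tcp", 443)]:
        verdict = "allowed" if flow_allowed(src, proto, port) else "blocked"
        print(src, proto, port, "->", verdict,
              "NACL:", nacl_decision(NACL_INBOUND, src, proto, port))
```

Two points the script makes concrete: the security group's `/32` rule blocks SSH from `10.20.5.11` even though network ACL rule 110 allows it, so the more specific layer wins in practice; and moving the deny rule ahead of the allow rules (a lower rule number) would block all traffic from `10.20.0.0/16`, because the network ACL stops at the first match. Because the network ACL is stateless, a real deployment also needs an outbound rule covering the ephemeral port range so that replies can leave the subnet; the security group handles return traffic on its own.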

Configure the VPN connection options with an encryption domain

Modify the Site-to-Site VPN connection's IPv4 and IPv6 CIDR ranges to define the encryption domain. The default range is 0.0.0.0/0. You can also specify IPv4 and IPv6 connection options when you create a VPN connection.

Note: AWS VPN services support only one encryption domain. If the VPN includes multiple networks, then summarize the encryption domain on the customer gateway device to maintain only one pair of security associations. For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
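Because the VPN accepts a single encryption domain, several on-premises networks have to be summarized into one prefix on the customer gateway device. The Python helper below is an added example (not from the AWS article or any AWS SDK); the network lists and the function names `single_encryption_domain` and `summary_report` are constructed here. It computes the smallest single CIDR that covers all the listed networks and reports how much unused address space the summary pulls into the encryption domain, which is the part that the security group and network ACL rules should then narrow down.

```python
import ipaddress


def single_encryption_domain(cidrs):
    """Return the smallest single prefix that covers every listed network.

    Starts from the lowest address as a host prefix and widens it one bit at a
    time until the highest address is also inside; the result is the one CIDR
    to configure as the traffic selector on the customer gateway device."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("summarize IPv4 and IPv6 networks separately")
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    summary = ipaddress.ip_network(f"{lowest}/{lowest.max_prefixlen}")
    while highest not in summary:
        summary = summary.supernet()  # widen by one bit
    return summary


def summary_report(cidrs):
    """Show how much address space the summary includes beyond the listed networks.

    Those extra addresses are inside the encryption domain even though nothing
    on-premises uses them, so the summary should be paired with security group
    or network ACL rules that name the real networks."""
    summary = single_encryption_domain(cidrs)
    listed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in cidrs))
    covered = sum(n.num_addresses for n in listed)
    return {
        "summary": str(summary),
        "listed_networks": [str(n) for n in listed],
        "extra_addresses": summary.num_addresses - covered,
    }


if __name__ == "__main__":
    # Constructed on-premises networks behind the customer gateway
    print(summary_report(["10.1.0.0/24", "10.1.3.0/24", "10.2.0.0/16"]))
    print(summary_report(["192.168.10.0/24", "192.168.11.0/24"]))
```

For three scattered networks the summary grows to `10.0.0.0/14` and includes roughly 196,000 addresses that are not on any listed network; two adjacent `/24` networks summarize to a `/23` with no overreach. The report makes that gap visible before the summary is committed to the customer gateway configuration.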

Create a blackhole route

Use a blackhole route, or null route, to drop all traffic that matches a specific route.

To create a blackhole route, complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Transit gateway route tables.
  3. Select the route table that's associated with the VPN attachment.
  4. Choose Actions, Create static route.
  5. On the Create static route page, enter a CIDR block that contains the traffic that you want to restrict, and then choose Blackhole.
  6. Choose Create static route.
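A blackhole route only takes effect if it is the route the transit gateway actually selects, and selection is by longest prefix match. The Python script below is an added example, not from the AWS article; the route table, attachment IDs and the helpers `select_route` and `forward` are constructed here. It models a VPN attachment's route table in which a static blackhole for one subnet carves that subnet out of a propagated VPC route, and shows that a blackhole broader than the propagated route would not stop the traffic. The tie-break for equal prefixes (static before propagated) follows the route evaluation order in the AWS transit gateway documentation.

```python
import ipaddress

# Constructed transit gateway route table for the VPN attachment (not from a
# real account): two VPC CIDRs propagated from their attachments, plus a static
# blackhole that carves a restricted subnet out of the first VPC.
ROUTES = [
    {"cidr": "10.0.0.0/16", "target": "tgw-attach-vpc-a", "type": "propagated", "state": "active"},
    {"cidr": "10.1.0.0/16", "target": "tgw-attach-vpc-b", "type": "propagated", "state": "active"},
    {"cidr": "10.0.50.0/24", "target": None, "type": "static", "state": "blackhole"},
]


def select_route(routes, dst_ip):
    """Pick the route a transit gateway would use for dst_ip.

    Longest prefix match first; when two routes carry the same prefix, the
    static route wins over the propagated one."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["cidr"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r["cidr"]).prefixlen,
                                          r["type"] == "static"))


def forward(routes, dst_ip):
    """Return ("forward", attachment) or ("drop", reason) for traffic arriving
    over the VPN attachment and destined for dst_ip."""
    route = select_route(routes, dst_ip)
    if route is None:
        return "drop", "no matching route"
    if route["state"] == "blackhole":
        return "drop", f"blackhole route {route['cidr']}"
    return "forward", route["target"]


if __name__ == "__main__":
    for dst in ["10.0.50.7", "10.0.10.7", "10.1.2.3", "172.16.0.1"]:
        print(dst, "->", forward(ROUTES, dst))
```

The practical check before creating the route: the blackhole CIDR must be at least as specific as the propagated route it is meant to override. A `/8` blackhole alongside a propagated `/16` changes nothing for that VPC, whereas a static blackhole with exactly the same `/16` prefix takes priority over the propagated route and drops all of it.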

Use firewall policies on the customer gateway device

On the customer gateway device, configure firewall rules to restrict traffic to necessary hosts or networks.

Use AWS Network Firewall

Use AWS Network Firewall to restrict traffic from specific hosts, CIDRs, protocols, ports, or port ranges. For more information, see Deployment models for AWS Network Firewall and Using the NAT gateway with AWS Network Firewall for centralized IPv4 egress.

Note: You can use AWS Network Firewall for VPCs that use a centralized inspection model.