Client VPN Security Groups rule for Client CIDR

0

HI,

I'm trying to restrict access to certain AWS resources. Below is my scenario:

  1. Client connects to Client VPN and gets assigned an IP from client CIDR 20.1.0.0/22
  2. Created SG to allow HTTP (port 80) from source CIDR 20.1.0.0/22
  3. Assign SG to ec2 instance and VPN Client endpoint

*To add, I have authorization rule in my VPN client to allow access to 10.1.0.0/16 which is my VPC CIDR.

Result: Client cannot access resource even when connected to Client VPN

But when my SG is set to allow HTTP (port 80) from source CIDR 0.0.0.0/22 then access is properly granted.

I was under the assumption that when I connect to the client VPN, I will be assigned an ip from the Client CIDR which is 20.1.0.0/22 and when I try to access protected AWS resources, the SG will grant/deny based on this.

Did I misconfigure anything?

Thanks!

2 answers
1

AWS Client VPN (CVPN) by design does a Source NAT on the traffic coming from connected Clients, when entering the VPC. Hence, the Client IP is changed to an IP within the CVPN Target Subnet's Network CIDR. It is recommended to allow the CVPN Target Subnet's CIDR as Inbound Rule on your Security Group.

For example: Client CIDR 20.1.0.0/22 ---> Client VPN Endpoint ---> Target Subnet CIDR 10.1.1.0/24 ---> ( Client/user IP is Source NAT'ed to an IP within Target Subnet CIDR 10.1.1.0/24 ) ---> Configure Security Group to allow HTTP (port 80) from source CIDR 10.1.1.0/24 --> Destination EC2

One other way to allow access is using the Client VPN Security Group.

Configure destination Security Group to allow HTTP (port 80) from "Source=Client VPN Security Group"

AWS
Expert
Answered a year ago
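The behaviour the answer above describes, as an added example that is not part of the original post: a small model of security group evaluation after Client VPN source NAT. It shows why a rule keyed on the client CIDR 20.1.0.0/22 never matches, while a rule keyed on the target subnet CIDR 10.1.1.0/24 or on the endpoint's security group does. The NAT address 10.1.1.37 and the group ID sg-cvpn-endpoint are constructed placeholders.

```python
# Added example (not from the original post): models why an inbound rule
# keyed on the Client VPN client CIDR never matches, while a rule keyed on
# the target subnet CIDR or on the Client VPN endpoint's security group does.
# All addresses and group IDs are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    port: int
    cidr: Optional[str] = None       # IP-based source, e.g. "10.1.1.0/24"
    source_sg: Optional[str] = None  # SG-based source, e.g. "sg-cvpn-endpoint"

@dataclass
class Packet:
    src_ip: str
    src_sgs: frozenset = field(default_factory=frozenset)  # SGs on the sending ENI
    dst_port: int = 80

CLIENT_CIDR = ipaddress.ip_network("20.1.0.0/22")
TARGET_SUBNET = ipaddress.ip_network("10.1.1.0/24")
CVPN_SG = "sg-cvpn-endpoint"  # hypothetical ID of the SG attached to the endpoint

def snat_through_cvpn(client_ip: str, nat_ip: str = "10.1.1.37") -> Packet:
    """Client VPN source-NATs client traffic into the target subnet: the
    packet that reaches the EC2 ENI carries the NAT address and the
    endpoint's security group, never an address from the client CIDR."""
    assert ipaddress.ip_address(client_ip) in CLIENT_CIDR
    assert ipaddress.ip_address(nat_ip) in TARGET_SUBNET
    return Packet(src_ip=nat_ip, src_sgs=frozenset({CVPN_SG}))

def rule_allows(rule: Rule, pkt: Packet) -> bool:
    if rule.port != pkt.dst_port:
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.cidr)
    return rule.source_sg in pkt.src_sgs

def sg_allows(rules: list, pkt: Packet) -> bool:
    # Security groups are allow-lists: any matching rule permits the traffic.
    return any(rule_allows(r, pkt) for r in rules)

if __name__ == "__main__":
    pkt = snat_through_cvpn("20.1.0.5")
    print(sg_allows([Rule(80, cidr="20.1.0.0/22")], pkt))   # → False
    print(sg_allows([Rule(80, cidr="10.1.1.0/24")], pkt))   # → True
    print(sg_allows([Rule(80, source_sg=CVPN_SG)], pkt))    # → True
```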
0

Hello,

Please take a look at this Knowledge center article.

AWS
Expert
Answered 2 years ago
