AWS SSO VPN accessing VPC in another Account


Hi there,

I have 2 AWS Accounts:

  • Management (with SSO Enabled)
  • Dev (with EKS)

I've created a Client VPN Endpoint application in Management (SSO).

I have a few users in SSO (Management) that need to access an EKS Cluster in the Dev account.

My Client VPN needs to associate with private subnets in another account.

I see 2 possible solutions:

  • create a new VPC in Management and peer it with the EKS VPC (Dev)
  • create a VPN in Dev using mutual authentication

Does anyone have another option?

Or tell me which of the two would be best.

2 answers

Accepted answer

You should keep your management account as empty as possible.

I would deploy a central AWS Network account and VPN into there and then either use transit gateway or VPC peering to dev.

Expert
Answered 4 months ago
  • Agree, but in this case I'm not able to use VPN on SSO, right?

  • No, that's not correct. You can still have SSO on the VPN.

  • In the network account, in IAM, you set up an IdP pointing to your SSO, and then the VPN client is configured to use the IdP in IAM and it all works. I've set this up before with Azure AD SSO. What's your SSO provider?


Hi Gary,

Sorry for the late reply, and thanks for helping!

I'm using AWS SSO.

I've created a Networking account and shared the private subnets with the MGMT account via RAM.

Now I'm using the VPN in the MGMT account (with SSO) to access the EKS cluster (private).

Answered 4 months ago
  • I'll try to follow your recommendation and move the VPN to the Networking account and set up an IdP in this account authenticating with the MGMT SSO.

  • No worries. You should keep your management account as empty as possible and use workload accounts for things such as EKS and a network account for networking. It follows the AWS SRA. Transit Gateway is great for your use case but does cost to run. Any questions, please just shout.
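The setup the two answers describe (RAM-share the Dev subnets, put the SAML IdP and the Client VPN endpoint in the network account, and authorize only the SSO group that needs EKS rather than all federated users), as an added Terraform example that is not from this thread. It assumes provider aliases aws.dev and aws.network are already configured for the two accounts, placeholder account IDs 111111111111 (Dev) and 222222222222 (Network), placeholder subnet, certificate and group IDs, a constructed EKS VPC CIDR of 10.10.0.0/16, and a SAML metadata file exported from the AWS SSO Client VPN application.

```hcl
# Dev account: share the EKS private subnet with the Network account through RAM.
resource "aws_ram_resource_share" "eks_subnets" {
  provider                  = aws.dev
  name                      = "eks-private-subnets"
  allow_external_principals = false # stay inside the organization
}
resource "aws_ram_resource_association" "subnet" {
  provider           = aws.dev
  resource_share_arn = aws_ram_resource_share.eks_subnets.arn
  resource_arn       = "arn:aws:ec2:eu-west-1:111111111111:subnet/subnet-PLACEHOLDER"
}
resource "aws_ram_principal_association" "network_account" {
  provider           = aws.dev
  resource_share_arn = aws_ram_resource_share.eks_subnets.arn
  principal          = "222222222222" # Network account ID (placeholder)
}

# Network account: IAM SAML provider pointing at the AWS SSO Client VPN application.
resource "aws_iam_saml_provider" "sso" {
  provider               = aws.network
  name                   = "aws-sso-client-vpn"
  saml_metadata_document = file("sso-client-vpn-metadata.xml") # assumed export
}
resource "aws_ec2_client_vpn_endpoint" "vpn" {
  provider               = aws.network
  client_cidr_block      = "10.200.0.0/22" # must not overlap any reachable VPC
  server_certificate_arn = "arn:aws:acm:eu-west-1:222222222222:certificate/PLACEHOLDER"
  authentication_options {
    type              = "federated-authentication"
    saml_provider_arn = aws_iam_saml_provider.sso.arn
  }
  connection_log_options {
    enabled = false # point at a CloudWatch log group to keep connection records
  }
}

# Associate the RAM-shared Dev subnet; the endpoint reaches the EKS VPC through it.
resource "aws_ec2_client_vpn_network_association" "shared_subnet" {
  provider               = aws.network
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  subnet_id              = "subnet-PLACEHOLDER" # same ID as shared from Dev
}

# Authorize only the SSO group that should reach EKS, not every federated user.
resource "aws_ec2_client_vpn_authorization_rule" "eks_users" {
  provider               = aws.network
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  target_network_cidr    = "10.10.0.0/16" # EKS VPC CIDR (constructed)
  access_group_id        = "GROUP-ID-PLACEHOLDER" # group ID sent in the SAML assertion
}
```

The Client VPN routes and the EKS VPC security groups still have to admit traffic from the client CIDR; the authorization rule only decides which SSO group may use the tunnel.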
