
Restrict a Cloudfront distribution to only ClientVPN users


I need to restrict access to a CloudFront distribution to Client VPN users only. The idea I had was to connect them to a VPC through a NAT, and add the IP address of the NAT to the approved IP access list of the CloudFront distribution, so that only they can access it. The issue is that I need to put a route for this NAT into the Client VPN; otherwise they will route it through the split tunnel via their own internet connection. I could not find the best way to achieve that last bit without having to disable split tunnel. We are using Transit Gateway and a shared networking account.

1 Answer

What would be the benefit of using a CDN here? The Client VPN terminates inside a VPC. So your traffic would be Client -> Client VPN into VPC -> NAT Gateway in VPC -> Out to CloudFront PoP -> Into your load balancer or S3 bucket in region. This makes an extra hop from the region to the CloudFront PoP that adds latency to your connection.

In this case, if you want to restrict a service to work only with the Client VPN, make clients connect to your service directly inside the private address space. For example, create a private ELB and allow access to it from the Client VPN.

answered 2 months ago
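The answer's recommendation (internal ELB reachable only over the Client VPN) is easy to get subtly wrong with split tunnel enabled: the ELB's subnets must be covered by an active Client VPN route and by an active authorization rule, and the ELB must not also be internet-facing. The check below is an added example, not code from the question, the answer, or AWS; it works on dictionaries in the shape returned by `aws ec2 describe-client-vpn-routes`, `aws ec2 describe-client-vpn-authorization-rules` and `aws elbv2 describe-load-balancers` (that shape is an assumption), and the sample data is constructed.

```python
import ipaddress


def _cidr_covers(outer_cidr, inner_cidr):
    """True if inner_cidr is fully contained in outer_cidr."""
    return ipaddress.ip_network(inner_cidr).subnet_of(ipaddress.ip_network(outer_cidr))


def check_private_elb_reachable(load_balancer, subnet_cidrs, vpn_routes, auth_rules):
    """Return a list of findings; an empty list means the setup matches the answer.

    load_balancer: one entry of 'LoadBalancers' from elbv2 describe-load-balancers
    subnet_cidrs:  {subnet_id: cidr} for the subnets the ELB is deployed in
    vpn_routes:    'Routes' from ec2 describe-client-vpn-routes
    auth_rules:    'AuthorizationRules' from ec2 describe-client-vpn-authorization-rules
    """
    findings = []
    # An internet-facing ELB can be reached without the VPN, so the restriction is void.
    if load_balancer.get("Scheme") != "internal":
        findings.append("load balancer is not internal; it is reachable without the VPN")
    active_routes = [r["DestinationCidr"] for r in vpn_routes if r["Status"]["Code"] == "active"]
    active_rules = [a["DestinationCidr"] for a in auth_rules if a["Status"]["Code"] == "active"]
    for az in load_balancer.get("AvailabilityZones", []):
        cidr = subnet_cidrs[az["SubnetId"]]
        # With split tunnel, only endpoint routes are pushed to clients, so an uncovered
        # subnet is sent out the client's own internet connection instead of the VPN.
        if not any(_cidr_covers(r, cidr) for r in active_routes):
            findings.append(f"no active Client VPN route covers {cidr}")
        # Routes alone do not permit traffic; an authorization rule must also cover it.
        if not any(_cidr_covers(a, cidr) for a in active_rules):
            findings.append(f"no active authorization rule covers {cidr}")
    return findings


# Constructed sample data: an internal ALB in two subnets of VPC CIDR 10.0.0.0/16.
INTERNAL_ALB = {"Scheme": "internal",
                "AvailabilityZones": [{"SubnetId": "subnet-a"}, {"SubnetId": "subnet-b"}]}
PUBLIC_ALB = {"Scheme": "internet-facing", "AvailabilityZones": INTERNAL_ALB["AvailabilityZones"]}
SUBNETS = {"subnet-a": "10.0.1.0/24", "subnet-b": "10.0.2.0/24"}
ROUTES = [{"DestinationCidr": "10.0.0.0/16", "Status": {"Code": "active"}}]
RULES_WHOLE_VPC = [{"DestinationCidr": "10.0.0.0/16", "Status": {"Code": "active"}}]
RULES_ONE_SUBNET = [{"DestinationCidr": "10.0.1.0/24", "Status": {"Code": "active"}}]

if __name__ == "__main__":
    print(check_private_elb_reachable(INTERNAL_ALB, SUBNETS, ROUTES, RULES_WHOLE_VPC))  # []
    print(check_private_elb_reachable(INTERNAL_ALB, SUBNETS, ROUTES, RULES_ONE_SUBNET))
    print(check_private_elb_reachable(PUBLIC_ALB, SUBNETS, ROUTES, RULES_WHOLE_VPC))
```

Feed it the real API output (for example via boto3) for each Client VPN endpoint that should reach the ELB; a non-empty list means some clients will either fail to connect or bypass the VPN entirely.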
