Restrict a CloudFront distribution to only Client VPN users


I need to restrict access to a CloudFront distribution to Client VPN users only. The idea I had was to connect them to a VPC with a NAT, and add the IP address of the NAT to the approved IP access list of the CloudFront distribution, so that only they can access it. The issue is that I need to put a route for this NAT into the Client VPN; otherwise they will route it through the split tunnel over their own internet connection. I could not find the best way to achieve that last bit without having to disable split tunnel. We are using Transit Gateway and a shared networking account.
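The split-tunnel problem in the question comes down to which destination prefixes the Client VPN pushes to the client: anything not covered by an endpoint route leaves over the user's own internet and never carries the NAT's source address. The script below is an added example (not from the question or any answer) that extracts the CloudFront IPv4 prefixes from a constructed stand-in for AWS's ip-ranges.json, aggregates them into the fewest routes, emits the `create-client-vpn-route` and `authorize-client-vpn-ingress` commands needed, and checks which path a given destination would take. It assumes the "approved IP access list" is an AWS WAF IP set on the distribution holding the NAT gateway's Elastic IP, and the endpoint and subnet IDs are placeholders.

```python
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file has hundreds of entries and changes over time; only its
# shape matters here. Note the CloudFront prefix that also appears under
# "AMAZON": filtering on service is what keeps the route list accurate.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.34.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
    ]
})


def cloudfront_prefixes(ip_ranges_json):
    """Return CloudFront IPv4 prefixes, collapsed into the fewest supernets.

    Fewer routes means fewer entries against the Client VPN route quota, which
    is the practical limit when pushing CloudFront's ranges through the tunnel.
    """
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"]
    return list(ipaddress.collapse_addresses(nets))


def client_vpn_route_commands(prefixes, endpoint_id, subnet_id):
    """AWS CLI commands that push each CloudFront prefix through the VPN.

    A Client VPN route targets a VPC subnet; that subnet's route table must send
    these prefixes on to the NAT gateway whose Elastic IP sits in the WAF IP
    set. Each destination CIDR also needs an authorization rule, otherwise the
    route is installed but the endpoint drops the traffic. Re-run this whenever
    ip-ranges.json changes, since stale routes silently fall back to split tunnel.
    """
    cmds = []
    for net in prefixes:
        cmds.append(f"aws ec2 create-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
                    f"--destination-cidr-block {net} --target-vpc-subnet-id {subnet_id}")
        cmds.append(f"aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id {endpoint_id} "
                    f"--target-network-cidr {net} --authorize-all-groups")
    return cmds


def egress_path(destination_ip, prefixes):
    """'vpn' if the destination is covered by a pushed route, else 'split-tunnel'."""
    ip = ipaddress.ip_address(destination_ip)
    return "vpn" if any(ip in net for net in prefixes) else "split-tunnel"
```

Run `egress_path` against a few CloudFront edge addresses resolved from your distribution's hostname to confirm they would traverse the VPN before relying on the WAF allow-list.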

1 Answer

What would be the benefit of using a CDN here? The Client VPN terminates inside a VPC, so your traffic would be Client -> Client VPN into VPC -> NAT Gateway in VPC -> out to CloudFront PoP -> into your load balancer or S3 bucket in region. This makes an extra hop from the region to the CloudFront PoP that adds latency to your connection.

In this case, if you want to restrict a service to work only with the Client VPN, make users connect to your service directly inside the private address space, for example by creating a private ELB and allowing access to it from the Client VPN.

AWS
answered 2 years ago
  • Here are a couple of situations where it makes sense to use CloudFront over your Client VPN:

    1. You are using Lambda@Edge for your workload and want to spin up a dedicated tenant that is inaccessible over the internet without changing the application.
    2. You want to test complex reverse proxy functionality using CloudFront Functions.
    3. Your CloudFront distribution is meant to be used as a VPC-only caching layer in a multi-region deployment, providing a centralized endpoint so that no region needs to be aware of every other region's cache.

    CloudFront is no longer simply a cache. It is a complex solution that allows you to do work at the edge globally, but it also lets you manipulate data in complex ways and provide a single pane of glass over lots of functions. It should support VPCs just like edge-optimized API Gateway endpoints do.
