Restrict a Cloudfront distribution to only ClientVPN users

1

I need to restrict access to a CloudFront distribution to Client VPN users only. The idea I had was to connect them to a VPC into a NAT, and add the IP address of the NAT to the approved IP access list of CloudFront, so that only they can access it. The issue is that I need to put a route for this NAT into the Client VPN; otherwise they will route it through the split tunnel through their internet. I could not find the best way to achieve that last bit without having to disable split tunnel. We are using Transit Gateway and a shared networking account.

2 Answers
1

What would be the benefit of using a CDN here? The Client VPN terminates inside a VPC, so your traffic would be Client -> Client VPN into VPC -> NAT Gateway in VPC -> out to CloudFront PoP -> into your load balancer or S3 bucket in region. This makes an extra jump from region to CloudFront PoP that adds latency to your connection.

In this case, if you want to restrict a service to work only with the Client VPN, make them connect to your service directly inside the private address space, for example by creating a private ELB and allowing access to it from the Client VPN.

AWS
EXPERT
answered 3 years ago
  • Here are a couple of situations where it makes sense to use CloudFront over your Client VPN:

    1. You are using Lambda @ Edge for your workload and want to spin up a dedicated tenant that is inaccessible over the internet without changing the application.
    2. You want to test complex reverse proxy functionality using cloudfront functions.
    3. Your CloudFront distribution is meant to be used as a VPC-only caching layer in a multi-region deployment to provide a centralized endpoint, removing the need to make every region aware of every other region's cache.

    CloudFront is no longer simply a cache. It is a complex solution that allows you to do work at the edge globally, but it also lets you manipulate data in complex ways and provide a single pane of glass over lots of functions. It should support VPCs just like edge-optimized API Gateway endpoints do.

0

One of the use cases is to have a staging (non-prod) environment where we have the same setup as on production. However, for staging we would like to limit access to only IPs that are from our VPN network. Again, the target here is to limit access; it's acceptable that traffic will flow over the internet through HTTPS. This is a pretty common use case. Strange that AWS doesn't have support for it in the base CloudFront setup.

However, it seems like it can be done using WAF, but enabling WAF on CloudFront only for this sounds like a costly solution. If AWS can include the possibility to lock access to only a specific range of IPs in base CloudFront, it will be perfect. Otherwise we need to look at something like Cloudflare instead.

answered 7 months ago
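The WAF approach the second answer mentions, written out as an added example (this is not code from the thread or from AWS): a WAFv2 IP set holding the VPN egress addresses, a web ACL whose default action is Block with a single Allow rule referencing that IP set, and the association with the distribution. CloudFront-scoped WAF resources must be created in us-east-1, and for CloudFront the ACL is attached by setting `WebACLId` in the distribution config rather than with `associate_web_acl`. The CIDRs and the distribution ID below are constructed placeholders; `apply()` is the only function that talks to AWS and needs credentials, the others build parameters and model the ACL decision offline so they can be checked before anything is deployed.

```python
"""Added example: lock a CloudFront distribution to a VPN egress IP range with AWS WAFv2.

Assumptions (not from the original thread): the egress CIDRs and the distribution
ID are constructed placeholders; replace them with the NAT gateway / VPN egress
addresses and the real distribution ID.
"""
import ipaddress

VPN_EGRESS_CIDRS = ["198.51.100.0/24", "203.0.113.7/32"]  # constructed sample values
IP_SET_NAME = "vpn-egress-ips"
WEB_ACL_NAME = "staging-vpn-only"
DISTRIBUTION_ID = "EXAMPLEDISTID"  # placeholder, not a real distribution


def ip_set_params(name: str, cidrs: list[str]) -> dict:
    """Parameters for wafv2.create_ip_set; validates every CIDR before any API call."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on malformed input
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",  # CloudFront-scoped resources live in us-east-1
        "IPAddressVersion": "IPV4",
        "Addresses": cidrs,
    }


def web_acl_params(name: str, ip_set_arn: str) -> dict:
    """Parameters for wafv2.create_web_acl: default BLOCK, one ALLOW rule for the VPN IP set."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}},  # anything not matched by a rule is rejected
        "Rules": [
            {
                "Name": "allow-vpn-egress",
                "Priority": 0,
                "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
                "Action": {"Allow": {}},
                "VisibilityConfig": {
                    "SampledRequestsEnabled": True,
                    "CloudWatchMetricsEnabled": True,
                    "MetricName": "AllowVpnEgress",
                },
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def would_allow(client_ip: str, cidrs: list[str]) -> bool:
    """Offline model of the ACL decision: allowed only if the client IP is inside a listed CIDR."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)


def apply(distribution_id: str = DISTRIBUTION_ID) -> str:
    """Create the IP set and web ACL, then attach the ACL to the distribution (needs AWS credentials)."""
    import boto3

    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    ip_set = wafv2.create_ip_set(**ip_set_params(IP_SET_NAME, VPN_EGRESS_CIDRS))["Summary"]
    acl = wafv2.create_web_acl(**web_acl_params(WEB_ACL_NAME, ip_set["ARN"]))["Summary"]

    # For CloudFront the web ACL is attached through the distribution config, not associate_web_acl.
    cloudfront = boto3.client("cloudfront")
    current = cloudfront.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    config["WebACLId"] = acl["ARN"]
    cloudfront.update_distribution(Id=distribution_id, DistributionConfig=config, IfMatch=current["ETag"])
    return acl["ARN"]


if __name__ == "__main__":
    for ip in ("198.51.100.42", "203.0.113.8"):
        print(ip, "allowed" if would_allow(ip, VPN_EGRESS_CIDRS) else "blocked")
```

The allow list is only as good as the stability of the egress address: it works when VPN clients reach CloudFront through a fixed NAT, which is the routing problem the question raises. The `VisibilityConfig` blocks enable sampled requests and CloudWatch metrics, so blocked requests from unexpected source addresses are visible rather than silently dropped.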
