Does VPN Client endpoint really need authorization rules?

1

Hello, I'm new to vpn client endpoint. When I just create vpn client endpoint and connect private subnet to vpn client endpoint, I can access to my ec2 instance using ssh connection with logging in aws vpn client.

What authorization rule means? Without any authorization rules, I can access my private resource. Why those rules needed? Please tell me when I should use authorization rules?

asked 2 years ago651 views
3 Answers
1

You can attach a security group to a Client VPN attachment that you can use to grant network accesses. But this security group is shared for all users that connect via this Client VPN endpoint.

If you provide this endpoint for multiple users via Active Directory authentication you can defined more fine grained network access via these authorization rules. They allow you to limit the access for users with certain Active Directory group memberships to certain IP address ranges. You can find examples for such configurations in the user guide: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-rules.html#cvpn-working-rule-authorize

EXPERT
answered 2 years ago
  • Thank you for answering Andreas! I read the guide you attached, but there were no notices that what happend if there were no rules.

    You mean that client vpn users can access private resources without adding any authorization rules if client vpn enpoint has security group allowed to access private resources, right?

1

Hello,

You should use authorization rules always, specifically when you want to have grain control to who can access what.

Let me give you an example, if you have 3 different groups of users, let's say: Developer Group, HR group and Admin Group. It is a best practice to attach different access controls or "rules" to each group, to limit which network they can have access to.

As I mentioned above, you should use it, but it is not mandatory. In this case, you can access your private resources because you have a route table associated to your client VPN endpoint that explicitly says that all the traffic targeting this X private CIDR, will be routed through the endpoint.

Hope it helps.

AWS
Dano
answered 2 years ago
0

I am seeing the same behaviour which contridicts the documentation https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/auth-rule-example-scenarios.html

grr

profile picture
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions