- Newest
- Most votes
- Most comments
You can attach a security group to a Client VPN attachment that you can use to grant network accesses. But this security group is shared for all users that connect via this Client VPN endpoint.
If you provide this endpoint for multiple users via Active Directory authentication you can defined more fine grained network access via these authorization rules. They allow you to limit the access for users with certain Active Directory group memberships to certain IP address ranges. You can find examples for such configurations in the user guide: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-rules.html#cvpn-working-rule-authorize
Hello,
You should use authorization rules always, specifically when you want to have grain control to who can access what.
Let me give you an example, if you have 3 different groups of users, let's say: Developer Group, HR group and Admin Group. It is a best practice to attach different access controls or "rules" to each group, to limit which network they can have access to.
As I mentioned above, you should use it, but it is not mandatory. In this case, you can access your private resources because you have a route table associated to your client VPN endpoint that explicitly says that all the traffic targeting this X private CIDR, will be routed through the endpoint.
Hope it helps.
I am seeing the same behaviour which contridicts the documentation https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/auth-rule-example-scenarios.html
grr
Relevant content
- asked a month ago
- Accepted Answerasked 5 months ago
- asked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 7 months ago
Thank you for answering Andreas! I read the guide you attached, but there were no notices that what happend if there were no rules.
You mean that client vpn users can access private resources without adding any authorization rules if client vpn enpoint has security group allowed to access private resources, right?