WorkDocs, allow listing, and Client VPNs


Hello, I am trying to setup a user who is constantly on the go and changing IP addresses with WorkDocs. I thought I had a Client VPN setup to allow for the user to connect to the endpoint and then to the WorkDocs without worrying about changing the IP address in the WorkDocs admin console. But no luck there. I have split tunneling enabled on the VPN profile, which is what AWS Support recommended, and I deleted the route to the internet, which is also what Support recommended. So the only route is to the subnet where my WorkDocs lives. I feel like I must be missing something, anyone have an idea?

I would have thought it was more straightforward to assign a static Public IP to a client VPN than it actually is, so that doesn't seem to be an option.

2 Answers

Hello, You can configure the WorkDocs IP Address Access to only allow WorkDocs to be accessed from a specific list or range of IP address[1]. This can be completed in the WorkDocs Admin Console. You can select the IP address ranges from which you wish to provide access to and specify the ranges for your CVPN tunnel. 

There is a public documentation on "Managing site settings”[2] and see the section titled "IP Allow List" to configure this. 

[1] Amazon WorkDocs Now Lets You Control IP Address Access to Your Site -

[2] Managing site settings -

Regarding your CVPN configuration query The Public IP assigned to CVPN will be used to connect the user end to CVPN end-point and not to NAT the user traffic towards WorkDocs subnet. You need to allow VPC CIDR range into the WorkDocs IP address Access list.

In order to get proper resolution for your use case we require details that are non-public information. Please open a support case with AWS using the following link.

answered 2 months ago
  • Thank you very much. So #1 I did already do that. In this case my VPC subnet would be the private address range? Is that what you mean? So my Client VPN profile should have split tunneling enabled, correct?

    And beyond that my CVPN endpoint should have a route for the VPC CIDR as a Destination CIDR in the route table? And then a route to the internet? With that in place from your description it should work because the public IP the CVPN is using won't be used to access the WorkDocs site but the VPC CIDR range will be, so with that whitelisted it should work?

    I tried opening up a ticket on this, but it seemed to confused Support. I did open it under the Client VPN service, but they kept getting tangled up on the WorkDocs part of my question.


To answer your question, we require details that are non-public information. Please open a support case with AWS using the following link

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions