Client VPN Authorization Rules


I have clients set up with mutual authentication and am looking to set up some authorization rules, but I am hitting an issue where the authorization rules don't seem to work for anything smaller than a /16 subnet.

For example, I have the following setup:

Networks
VPC Network - 10.1.0.0/16

Client A - Member of AD Group A
Client B - Member of AD Group B

AD Group A has authorization rule to allow access to 10.1.1.0/24
AD Group B has authorization rule to allow access to 10.1.0.0/16

Route Table has route to 10.1.0.0/16

Client A and B are both able to connect successfully

Client B can ping 10.1.1.1 but Client A cannot

If I change the authorization rule for AD Group A to match AD Group B the ping works.

It seems like I am missing something, or there is an issue with the authorization interpretation of smaller subnets.

Edited by: Hockercs on Feb 15, 2019 9:25 AM

chocker
asked 4 years ago, 16 views
1 Answer

The authorization rule order is significant and once a network match is found it stops processing additional rules.

So the authorization rule for 10.1.1.0/24 must appear higher in the list than the one for 10.1.0.0/16.

Also, for Client B, who should have access to the entire 10.1.0.0/16 subnet, those users will need to be members of both AD Group A and AD Group B in order to get access to 10.1.1.0/24 and the rest of the /16 subnet.

chocker
answered 4 years ago
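The following is an added example, not code from the original post or from AWS: a small Python model of the evaluation semantics the answer describes (rules checked in list order, the first rule whose target CIDR contains the destination decides, and the client must be in that rule's access group). It reproduces the symptom in the question with the /16 rule listed first, shows the fix of listing the /24 rule above it, and shows why Client B then needs membership in both groups. The rule objects, group names, helper functions and addresses are constructed for illustration. The model encodes what the answer states; confirm the actual evaluation order against the current AWS Client VPN documentation for your endpoint before relying on it.

```python
"""Model of Client VPN authorization-rule evaluation as described in the answer.

Added example, not code from the original post or from AWS. It assumes the
semantics the answer states: rules are evaluated in list order, the first rule
whose target CIDR contains the destination decides the outcome, and the client
is allowed only if it belongs to that rule's access group. All rules, group
names and addresses below are constructed to mirror the question's setup.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthRule:
    target_cidr: ipaddress.IPv4Network   # destination network the rule covers
    access_group: Optional[str]          # AD group name; None means allow all users


def rule(cidr: str, group: Optional[str]) -> AuthRule:
    """Build a rule from a CIDR string (hypothetical helper)."""
    return AuthRule(ipaddress.ip_network(cidr), group)


def evaluate(rules: Iterable[AuthRule], client_groups: Set[str],
             destination: str) -> Tuple[bool, Optional[AuthRule]]:
    """Return (allowed, matched_rule) under first-match-stops semantics.

    The first rule whose CIDR contains `destination` is the only one consulted;
    later rules, whether narrower or more permissive, are never reached. A
    destination no rule covers is implicitly denied.
    """
    dst = ipaddress.ip_address(destination)
    for r in rules:
        if dst in r.target_cidr:
            allowed = r.access_group is None or r.access_group in client_groups
            return allowed, r
    return False, None


def order_specific_first(rules: Iterable[AuthRule]) -> List[AuthRule]:
    """Arrange rules so narrower CIDRs (longer prefixes) come before wider ones.

    This is the ordering the answer prescribes: the /24 must sit above the /16,
    otherwise the /16 rule swallows every destination inside it.
    """
    return sorted(rules, key=lambda r: r.target_cidr.prefixlen, reverse=True)


# Ordering that reproduces the question's symptom: the /16 rule is reached first.
RULES_16_FIRST = [rule("10.1.0.0/16", "AD Group B"), rule("10.1.1.0/24", "AD Group A")]
# Ordering the answer recommends: the narrower /24 rule is listed above the /16.
RULES_24_FIRST = [rule("10.1.1.0/24", "AD Group A"), rule("10.1.0.0/16", "AD Group B")]

CLIENT_A = {"AD Group A"}                  # Client A: Group A only
CLIENT_B = {"AD Group B"}                  # Client B: Group B only
CLIENT_B_BOTH = {"AD Group A", "AD Group B"}  # Client B after being added to Group A


def outcomes(rules: List[AuthRule]) -> dict:
    """Evaluate the question's clients against a /24 host and another /16 host."""
    return {
        ("A", "10.1.1.1"): evaluate(rules, CLIENT_A, "10.1.1.1")[0],
        ("B", "10.1.1.1"): evaluate(rules, CLIENT_B, "10.1.1.1")[0],
        ("B-both", "10.1.1.1"): evaluate(rules, CLIENT_B_BOTH, "10.1.1.1")[0],
        ("A", "10.1.2.1"): evaluate(rules, CLIENT_A, "10.1.2.1")[0],
        ("B", "10.1.2.1"): evaluate(rules, CLIENT_B, "10.1.2.1")[0],
    }


if __name__ == "__main__":
    for label, rules in (("/16 listed first", RULES_16_FIRST),
                         ("/24 listed first", RULES_24_FIRST)):
        print(f"== {label} ==")
        for (client, dst), allowed in outcomes(rules).items():
            print(f"  client {client:7s} -> {dst}: {'allow' if allowed else 'deny'}")
```

With the /16 rule first, Client A is denied 10.1.1.1 even though a /24 rule for Group A exists, which is the behaviour reported in the question. With the /24 rule first, Client A reaches 10.1.1.1, but a Client B who is only in Group B is now denied that host, which is why the answer says such users must be in both groups.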
