What you are seeing is expected behavior.
Refer to the two sections below from the link shared.
Client VPN uses longest prefix matching when evaluating authorization rules. See the troubleshooting topic Authorization rules for Active Directory groups not working as expected and Route priority in the Amazon VPC User Guide for more details.
I have configured authorization rules for my Active Directory groups, but they are not working as I expected. I have added an authorization rule for 0.0.0.0/0 to authorize traffic for all networks, but traffic still fails for specific destination CIDRs.
Authorization rules are indexed on network CIDRs. Authorization rules must grant Active Directory groups access to specific network CIDRs. Authorization rules for 0.0.0.0/0 are handled as a special case, and are therefore evaluated last, regardless of the order in which the authorization rules are created.
For example, say that you create five authorization rules in the following order:
Rule 1: Group 1 access to 10.1.0.0/16
Rule 2: Group 1 access to 0.0.0.0/0
Rule 3: Group 2 access to 0.0.0.0/0
Rule 4: Group 3 access to 0.0.0.0/0
Rule 5: Group 2 access to 220.127.116.11/16
In this example, Rule 2, Rule 3, and Rule 4 are evaluated last. Group 1 has access to 10.1.0.0/16 only, and Group 2 has access to 18.104.22.168/16 only. Group 3 does not have access to 10.1.0.0/16 or 22.214.171.124/16, but it has access to all other networks. If you remove Rules 1 and 5, all three groups have access to all networks.
Verify that you create authorization rules that explicitly grant Active Directory groups access to specific network CIDRs. For example, if you add an authorization rule for 0.0.0.0/0, keep in mind that it will be evaluated last, and that previous authorization rules may limit the networks to which it grants access.
Hope this helps!
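To make the longest-prefix-match evaluation described in the answer concrete, here is an added simulation in Python. It is not part of the answer, not AWS code, and not the real Client VPN evaluator; it models the documented behaviour (most specific matching CIDR wins, and 0.0.0.0/0 with prefix length 0 therefore only applies when no narrower rule covers the destination) over the five-rule example above. The group names and the 10.1.0.0/16 rule come from the answer; 10.2.0.0/16 is a constructed stand-in for Rule 5's CIDR, and the probe addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class AuthRule:
    """One Client VPN authorization rule: an AD group granted a destination CIDR."""
    group: str
    cidr: ipaddress.IPv4Network

def build_rules(entries: Iterable[tuple]) -> List[AuthRule]:
    """entries are (group, cidr) in creation order; creation order is deliberately
    irrelevant to the evaluation below, which is the point the answer makes."""
    return [AuthRule(group, ipaddress.ip_network(cidr)) for group, cidr in entries]

def most_specific_cidr(rules: List[AuthRule], destination: str) -> Optional[ipaddress.IPv4Network]:
    """Return the longest-prefix CIDR among rules that cover the destination.
    0.0.0.0/0 has prefixlen 0, so it is only chosen when nothing narrower matches."""
    dst = ipaddress.ip_address(destination)
    covering = [r.cidr for r in rules if dst in r.cidr]
    if not covering:
        return None
    return max(covering, key=lambda c: c.prefixlen)

def is_authorized(rules: List[AuthRule], group: str, destination: str) -> bool:
    """A group may reach the destination only if it is granted on the winning
    (most specific) CIDR; a broader grant such as 0.0.0.0/0 does not fall through."""
    winner = most_specific_cidr(rules, destination)
    if winner is None:
        return False
    return any(r.group == group and r.cidr == winner for r in rules)

# The answer's five rules (constructed stand-in CIDR for Rule 5).
EXAMPLE_RULES = build_rules([
    ("Group 1", "10.1.0.0/16"),   # Rule 1
    ("Group 1", "0.0.0.0/0"),     # Rule 2
    ("Group 2", "0.0.0.0/0"),     # Rule 3
    ("Group 3", "0.0.0.0/0"),     # Rule 4
    ("Group 2", "10.2.0.0/16"),   # Rule 5 (constructed CIDR)
])

def without_specific_rules(rules: List[AuthRule]) -> List[AuthRule]:
    """The answer's closing case: drop Rules 1 and 5 so only 0.0.0.0/0 grants remain."""
    return [r for r in rules if r.cidr.prefixlen == 0]

def access_matrix(rules: List[AuthRule], groups: Iterable[str], probes: Iterable[str]) -> dict:
    """Map (group, probe address) -> authorized, handy for eyeballing a rule set."""
    return {(g, p): is_authorized(rules, g, p) for g in groups for p in probes}

if __name__ == "__main__":
    groups = ["Group 1", "Group 2", "Group 3"]
    probes = ["10.1.5.5", "10.2.5.5", "192.0.2.10"]  # constructed probe addresses
    for (g, p), ok in access_matrix(EXAMPLE_RULES, groups, probes).items():
        print(f"{g} -> {p}: {'allow' if ok else 'deny'} (winning CIDR {most_specific_cidr(EXAMPLE_RULES, p)})")
```

Run it and note that a 0.0.0.0/0 grant for Group 3 never reaches 10.1.0.0/16, because the /16 rule wins the prefix match and Group 3 is not on it; delete the two specific rules and every group is allowed everywhere.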