Cannot Route to EC2 Instance Via ClientVPN


Hello there,

I have created a client VPN with the intention of connecting from the CVPN to a VPC which will house an archive parser application hosted on an EC2 instance.

I can't seem to reach the instance from the VPN or vice versa. The VPN is set up, I can connect and obtain an IP address, and authentication seems fine (federated SAML to AzureAD).

I've checked the following:

  • Security Groups (set to allow incoming traffic from the specific subnet on the ports required)
  • Network ACLs (also configured)
  • Route Table via the Client VPN settings (there is a default route to the VPC subnet)
  • Target Network Association (configured to the correct subnet)
  • Authorization Rules (configured to the subnet required)

The EC2 Instance has an elastic IP but we want to house an internal application and not have it publicly accessible

It's most likely some sort of routing issue, but I'm struggling to identify where; when I run a traceroute from both machines there are maybe one or two hops and then it fails.

Any help is appreciated.

asked 7 months ago, 388 views
2 Answers
Accepted Answer

Seems like this was the fix:

  1. Creating a Security Group Explicitly for the Client-VPN
  2. Attach Security Group (CVPN SG) to the Client-VPN-Endpoint under Security Groups
  3. Create some Outbound rules for the CVPN SG depending on your use case
  4. Create some inbound rules on the Application/EC2 Security Group to allow inbound from that specific security group only.
  5. Test: accessible via VPN and not on the public internet (works as expected, but only to the internal IP, which is fine for this use case!)



answered 7 months ago
  • Exactly what my last comment said.
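The five steps in the accepted answer, written out as an added Terraform example (this is not the poster's configuration or AWS's own code). Every ID, CIDR, ARN and the hypothetical resource names below are assumptions to replace; port 8080 and the SAML federation come from the thread. The one point the comments circle around is step 4: the Client VPN endpoint source-NATs client traffic to the address of its network interface in the associated subnet, so the application security group must reference the endpoint's security group (or that subnet), not the client CIDR block.

```hcl
# Added example: security-group-referencing fix for AWS Client VPN -> EC2.
# All values in `locals` are assumed placeholders, not from the original post.
locals {
  vpc_id            = "vpc-0123456789abcdef0"    # assumed
  app_subnet_id     = "subnet-0123456789abcdef0" # assumed: the target network
  vpc_cidr          = "10.0.0.0/16"              # assumed: what clients may reach
  client_cidr       = "172.16.0.0/22"            # assumed: must not overlap the VPC
  app_port          = 8080                       # from the thread (HTTP on 8080)
  server_cert_arn   = "arn:aws:acm:eu-west-1:123456789012:certificate/REPLACE-ME" # assumed
  saml_provider_arn = "arn:aws:iam::123456789012:saml-provider/REPLACE-ME"        # assumed
}

# Step 1: a security group created explicitly for the Client VPN endpoint.
# It is applied to the endpoint's ENIs in the associated subnet.
resource "aws_security_group" "cvpn" {
  name        = "client-vpn-endpoint"
  description = "Applied to the Client VPN endpoint ENIs"
  vpc_id      = local.vpc_id
}

# Security group of the EC2 instance hosting the application.
resource "aws_security_group" "app" {
  name        = "archive-parser-app"
  description = "Archive parser EC2 instance"
  vpc_id      = local.vpc_id
}

# Step 3: outbound rule on the CVPN SG. Terraform removes the default
# allow-all egress on creation, so only the application port is opened,
# and only towards the application SG.
resource "aws_security_group_rule" "cvpn_egress_to_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.cvpn.id
  from_port                = local.app_port
  to_port                  = local.app_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

# Step 4: inbound on the application SG from the CVPN SG only.
# A rule for local.client_cidr here would never match, because client
# traffic arrives source-NATed to the endpoint ENI's subnet address.
resource "aws_security_group_rule" "app_ingress_from_cvpn" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = local.app_port
  to_port                  = local.app_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.cvpn.id
}

# Step 2: attach the CVPN SG to the endpoint. vpc_id must be set for
# security_group_ids to take effect.
resource "aws_ec2_client_vpn_endpoint" "this" {
  description            = "archive-parser client VPN"
  server_certificate_arn = local.server_cert_arn
  client_cidr_block      = local.client_cidr
  vpc_id                 = local.vpc_id
  security_group_ids     = [aws_security_group.cvpn.id]
  split_tunnel           = true # only VPC routes traverse the tunnel

  authentication_options {
    type              = "federated-authentication"
    saml_provider_arn = local.saml_provider_arn
  }

  connection_log_options {
    enabled = false
  }
}

# Associating the target subnet creates the endpoint ENIs there and adds
# the VPC CIDR route to the endpoint route table automatically.
resource "aws_ec2_client_vpn_network_association" "app_subnet" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
  subnet_id              = local.app_subnet_id
}

# Authorization rule: a route alone is not enough; without this, packets
# to the VPC are dropped even though the route table looks correct.
resource "aws_ec2_client_vpn_authorization_rule" "vpc" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
  target_network_cidr    = local.vpc_cidr
  authorize_all_groups   = true
}
```

For step 5, test from a connected client against the instance's private IP (`curl http://<private-ip>:8080/`), not the Elastic IP: with split tunnelling only VPC-bound traffic enters the tunnel, and the accepted answer confirms the application is reachable only on the internal address. To check the attachment happened, `aws ec2 describe-client-vpn-endpoints` lists the endpoint's `SecurityGroupIds`, which should contain the CVPN group and nothing else.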


You have not mentioned the security group on the VPN Client. Have you created the correct Inbound rules here for traffic from the Client VPN to the VPN/VPC?

answered 7 months ago
  • Hi Gary, yes, I've allowed inbound rules to cover the required ports here, inbound and outbound.

  • And you're connecting to the private IP of the EC2?

  • Can you detail what subnets you configured on the EC2 for inbound access? Note, you don't use the VPN CIDR range here!

  • Yes, so I've configured the Client VPN subnet for inbound access. We are trying to access the IP of the application that's hosted on the Elastic IP from the Client VPN.

    Currently it's just using HTTP on port 8080, so it will look something like this: (not the actual IP, I've changed some numbers around, but just to understand the application and how it works)

    The end goal is to have Route53 forwarding traffic on a DNS name to an NLB listening on 443 and have ACM manage certificates, so it will be handled that way.

    The idea is for a client to access this Archive Parser app on the Client VPN so it's completely private and not open to the world, as it will have some sensitive data.

  • When you say VPN Subnet. Is that the one defined on the VPN Endpoint?
