Seems like this was the fix:
- Creating a Security Group Explicitly for the Client-VPN
- Attach Security Group (CVPN SG) to the Client-VPN-Endpoint under Security Groups
- Create some Outbound rules for the CVPN SG depending on your use case
- Create Some Inbound rules on the Application/EC2 Security Group to allow inbound from that specific security group only.
- Test accessible via VPN and not on public internet (works as expected but only to the internal IP which is fine for this use case!)
Thanks
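The fix above expressed as Terraform, added here as an example and not code from the thread: a dedicated security group on the Client VPN endpoint, and an application security group that admits port 8080 only from that group rather than from a CIDR. It assumes `var.vpc_id`, `var.server_cert_arn` and `var.client_root_cert_arn` exist, that the `app` group is attached to the EC2 instance, and that the endpoint's subnet association and authorization rule are defined elsewhere.

```hcl
# Added example, not from the thread. Assumes var.vpc_id, var.server_cert_arn and
# var.client_root_cert_arn exist and that the "app" SG is attached to the EC2 instance.

resource "aws_security_group" "cvpn" {
  name        = "client-vpn-endpoint-sg"
  description = "Attached to the Client VPN endpoint; source of all VPN user traffic"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "app" {
  name        = "archive-parser-app-sg"
  description = "EC2 hosting the app on TCP 8080"
  vpc_id      = var.vpc_id
}

# Endpoint SG outbound: only what VPN users need, here the app port.
resource "aws_vpc_security_group_egress_rule" "cvpn_to_app" {
  security_group_id            = aws_security_group.cvpn.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
}

# App SG inbound: only from the endpoint SG. Not cidr_ipv4 = "0.0.0.0/0" (the weak
# setting) and not the 10.230.0.0/22 client CIDR: Client VPN source-NATs client traffic
# to its network interface in the associated subnet, so the VPC never sees client addresses.
resource "aws_vpc_security_group_ingress_rule" "app_from_cvpn" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.cvpn.id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
}

# Attach the SG to the endpoint; client_cidr_block is the VPN client pool, not a VPC subnet.
resource "aws_ec2_client_vpn_endpoint" "this" {
  description            = "archive-parser-cvpn"
  server_certificate_arn = var.server_cert_arn
  client_cidr_block      = "10.230.0.0/22"
  vpc_id                 = var.vpc_id
  security_group_ids     = [aws_security_group.cvpn.id]
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = var.client_root_cert_arn
  }
  connection_log_options {
    enabled = false
  }
}
```

Over the VPN, clients must target the instance's private IP: traffic sent to the Elastic IP leaves via the public path and does not match the security-group reference, which is why the poster saw it work only on the internal address.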
You have not mentioned the security group on the VPN Client. Have you created the correct Inbound rules here for traffic from the Client VPN to the VPN/VPC?
Hi Gary, Yes I've allowed inbound rules to cover the required ports here inbound and outbound.
And you're connecting to the private IP of the EC2?
Can you detail what subnets you configured on the EC2 for inbound access? Note, you don't use the VPN CIDR range here!
Yes, so I've configured the Client VPN subnet for inbound access. We are trying to access the IP of the application that's hosted on the Elastic IP from 10.230.0.0/22 (Client-VPN).
Currently it's just using HTTP on port 8080, so it will look something like this:
http://52.11.241.254:8080/ (Not the actual IP, I've changed some numbers around, but just to understand the application and how it works)
The end goal is to have Route53 forwarding traffic on a DNS name to an NLB listening on 443 and have ACM manage certificates, so it will be handled that way.
The idea is for a client to access this Archive Parser app on the Client VPN so it's completely private and not open to the world, as it will have some sensitive data.
When you say VPN Subnet. Is that the one defined on the VPN Endpoint?
Exactly what my last comment said.