By using AWS re:Post, you agree to the Terms of Use

Client VPN Endpoint Authorization rules do not work as I intend to

0

I set Client VPN Endpoint ragarding this article. (https://aws.amazon.com/ko/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/) With just simple example of authorization rules, it does work well. But I added some rules more, it does not. Here is my examples.

AWSSSO Group:

  • Group1 : can access all ip ranges in VPC (10.1.0.0/16)
  • Group2 : can access only Private Subnet 2 (10.1.255.192/27)

VPC settings:

  • VPC: 10.1.0.0/16
  • Private Subnet 1: 10.1.0.0/18
  • Private Subnet 2: 10.1.255.192/27
  • ...

Authorization rules:

  1. Destination network to enable access: 10.1.0.0/16, Grant access to: Allow access to users in a specific group, Access group ID: Group1 ID
  2. Destination network to enable access: 10.1.255.192/27, Grant access to: Allow access to users in a specific group, Access group ID: Group2 ID

With this configurations, Group2 can access to 10.1.255.192/27 well but Group1 can not access to 10.1.255.192/27(included in range of 10.1.0.0/16). I don't know why Group1 can not access to 10.1.255.192/27. Please tell me who knows why it happens.

1 Answers
1
Accepted Answer

Hello,

What you are seeing is expected behavior.

See below 2 sections and example from the link I shared:


Note

Client VPN uses longest prefix matching when evaluating authorization rules. See the troubleshooting topic Authorization rules for Active Directory groups not working as expected and Route priority in the Amazon VPC User Guide for more details.

Problem

I have configured authorization rules for my Active Directory groups, but they are not working as I expected. I have added an authorization rule for 0.0.0.0/0 to authorize traffic for all networks, but traffic still fails for specific destination CIDRs.

Cause

Authorization rules are indexed on network CIDRs. Authorization rules must grant Active Directory groups access to specific network CIDRs. Authorization rules for 0.0.0.0/0 are handled as a special case, and are therefore evaluated last, regardless of the order in which the authorization rules are created.

For example, say that you create five authorization rules in the following order:

  • Rule 1: Group 1 access to 10.1.0.0/16
  • Rule 2: Group 1 access to 0.0.0.0/0
  • Rule 3: Group 2 access to 0.0.0.0/0
  • Rule 4: Group 3 access to 0.0.0.0/0
  • Rule 5: Group 2 access to 172.131.0.0/16

In this example, Rule 2, Rule 3, and Rule 4 are evaluated last. Group 1 has access to 10.1.0.0/16 only, and Group 2 has access to 172.131.0.0/16 only. Group 3 does not have access to 10.1.0.0/16 or 172.131.0.0/16, but it has access to all other networks. If you remove Rules 1 and 5, all three groups have access to all networks.

Solution

Verify that you create authorization rules that explicitly grant Active Directory groups access to specific network CIDRs. For example If you add an authorization rule for 0.0.0.0/0, keep in mind that it will be evaluated last, and that previous authorization rules may limit the networks to which it grants access.

Reference: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-rules.html

profile picture
answered 23 days ago
  • Thank you for your kind explanation. As you say, Should I remove Authorization rule1(Destination network to enable access: 10.1.0.0/16, Grant access to: Allow access to users in a specific group, Access group ID: Group1 ID) and add rule(Destination network to enable access: 10.1.255.192/27, Grant access to: Allow access to users in a specific group, Access group ID: Group1 ID) for Group1 to access 10.1.255.192/27 IP range? right?

  • Yes, if you add more specific rule it should work.

  • You saved me. Thanks a lot.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions