Restrict a CloudFront distribution to Client VPN users only
I need to restrict access to a CloudFront distribution to Client VPN users only.
The idea I had was to connect them to a VPC through a NAT and add the NAT's IP address to the CloudFront approved IP access list, so that only they can access it. The issue is that I need to put a route for this NAT into the Client VPN; otherwise they will route it through the split tunnel via their own internet connection. I could not find the best way to achieve that last bit without having to disable split tunnel. We are using Transit Gateway and a shared networking account.
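The setup the question describes, written out as Terraform as an added illustration (this is not the poster's configuration and not an answer from the thread). It assumes a NAT gateway with an Elastic IP and an existing Client VPN endpoint already exist, and that the allow list on the CloudFront side is implemented with an AWS WAF IP set. The variable names and the destination CIDR are placeholders: the snippet shows where a route and authorization rule go on a split-tunnel endpoint, but it does not settle which destination ranges must be routed, which is the open part of the question.

```hcl
# Added example, not from the original post. All var.* values are placeholders
# the reader supplies; nothing here is taken from the poster's environment.
variable "nat_gateway_eip"        { type = string } # public IP of the NAT gateway
variable "client_vpn_endpoint_id" { type = string } # existing Client VPN endpoint
variable "nat_private_subnet_id"  { type = string } # subnet associated with the endpoint whose route table points at the NAT gateway
variable "destination_cidr"       { type = string } # placeholder: range that should leave via the NAT instead of the split tunnel

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1" # WAF resources with scope CLOUDFRONT must be created in us-east-1
}

# Allow list: only traffic arriving from the NAT gateway's public IP is admitted.
resource "aws_wafv2_ip_set" "vpn_egress" {
  provider           = aws.us_east_1
  name               = "clientvpn-nat-egress"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["${var.nat_gateway_eip}/32"]
}

resource "aws_wafv2_web_acl" "vpn_only" {
  provider = aws.us_east_1
  name     = "cloudfront-vpn-only"
  scope    = "CLOUDFRONT"

  # Default-deny: anything not matched by the allow rule below is blocked.
  default_action {
    block {}
  }

  rule {
    name     = "allow-vpn-nat"
    priority = 0
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.vpn_egress.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-vpn-nat"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cloudfront-vpn-only"
    sampled_requests_enabled   = true
  }
}
# Attach with aws_cloudfront_distribution.web_acl_id = aws_wafv2_web_acl.vpn_only.arn
# on the distribution resource (not shown; the distribution is assumed to exist).

# Client VPN side. With split tunnel enabled only routes present on the endpoint
# are pushed to clients, so the destination has to be routed and authorized
# explicitly; traffic for any range not listed here stays on the client's own
# internet path and will be blocked by the web ACL above.
resource "aws_ec2_client_vpn_route" "via_nat_subnet" {
  client_vpn_endpoint_id = var.client_vpn_endpoint_id
  destination_cidr_block = var.destination_cidr
  target_vpc_subnet_id   = var.nat_private_subnet_id
  description            = "send placeholder destination range out through the NAT gateway"
}

resource "aws_ec2_client_vpn_authorization_rule" "via_nat_subnet" {
  client_vpn_endpoint_id = var.client_vpn_endpoint_id
  target_network_cidr    = var.destination_cidr
  authorize_all_groups   = true
}
```

Two checks worth running after applying something like this: confirm from the WAF sampled requests that allowed hits carry the NAT gateway's EIP as the client IP, and confirm on a connected client that the route for the chosen destination range is actually pushed (the endpoint's route table is the only source of routes under split tunnel).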