Questions tagged with AWS Client VPN
I have now configured:
- Route 53 with a private hosted zone, with an A record for the domain name and the IP of the EC2 instance
- An EC2 instance running a web service
- A Client VPN endpoint with split tunnel

How can I use the VPN with the DNS service to call the private domain of the EC2 instance?
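The question above comes down to two settings on the endpoint: the DNS server pushed to clients must be the VPC's Route 53 Resolver (the "VPC+2" address, the only resolver that answers for a private hosted zone), and in split-tunnel mode that address must sit inside a route the endpoint pushes to clients. The following is an added example, not code from the question or from AWS: it computes the resolver address, checks the layout constraints Client VPN imposes, and builds the argument dict for the real boto3 call `ec2.modify_client_vpn_endpoint`. The VPC CIDR 172.31.0.0/16 and the endpoint ID are assumed placeholders.

```python
"""Added example: plan the DNS settings a Client VPN endpoint needs so that
split-tunnel clients can resolve names in a Route 53 private hosted zone.
Assumptions: VPC 172.31.0.0/16; the endpoint ID is a placeholder that you
look up with `aws ec2 describe-client-vpn-endpoints`.
"""
import ipaddress
from typing import Dict, Iterable, List


def vpc_resolver_address(vpc_cidr: str) -> str:
    """Route 53 Resolver listens at the VPC base address + 2
    (e.g. 172.31.0.2 for 172.31.0.0/16)."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def check_layout(client_cidr: str, vpc_cidr: str,
                 pushed_routes: Iterable[str]) -> List[str]:
    """Return problems with the endpoint layout (empty list means OK).

    - Client VPN requires the client CIDR block to be between /12 and /22.
    - The client CIDR must not overlap the VPC CIDR or any pushed route.
    - With split tunnel only routes in the endpoint route table reach the
      client, so the resolver must be covered by one of them. The VPC CIDR
      route is added automatically when a target network is associated.
    """
    problems: List[str] = []
    client = ipaddress.ip_network(client_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    routes = [ipaddress.ip_network(r, strict=True) for r in pushed_routes]
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must be between /12 and /22")
    for net in dict.fromkeys([vpc, *routes]):  # dedupe, keep order
        if client.overlaps(net):
            problems.append(f"client CIDR {client} overlaps {net}")
    resolver = ipaddress.ip_address(vpc_resolver_address(vpc_cidr))
    if not any(resolver in r for r in routes):
        problems.append(
            f"resolver {resolver} is not covered by any route pushed to clients")
    return problems


def dns_plan(endpoint_id: str, vpc_cidr: str) -> Dict:
    """Keyword arguments for boto3's ec2.modify_client_vpn_endpoint(**plan):
    push the VPC resolver to clients and keep split tunnel on, so only VPC
    traffic and the DNS queries cross the tunnel."""
    return {
        "ClientVpnEndpointId": endpoint_id,
        "DnsServers": {
            "CustomDnsServers": [vpc_resolver_address(vpc_cidr)],
            "Enabled": True,
        },
        "SplitTunnel": True,
    }


if __name__ == "__main__":
    VPC_CIDR = "172.31.0.0/16"
    ENDPOINT_ID = "cvpn-endpoint-0123456789abcdef0"  # placeholder, assumed
    # Constructed input: client CIDR from the endpoint, VPC route auto-added.
    for problem in check_layout("10.0.0.0/22", VPC_CIDR, [VPC_CIDR]):
        print("WARNING:", problem)
    plan = dns_plan(ENDPOINT_ID, VPC_CIDR)
    print(plan)
    # To apply for real (needs credentials and boto3):
    # import boto3; boto3.client("ec2").modify_client_vpn_endpoint(**plan)
```

Two things to verify after applying it: the private hosted zone must be associated with this VPC (not just exist), and from a connected client `dig @172.31.0.2 <name in the zone>` should return the A record; if that works but plain `dig` does not, the client is still using its local resolver and the endpoint's DNS servers were not picked up (reconnect after changing them).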
Hello! I've recently set up a Client VPN. Authentication is done using AWS SSO (IAM Identity Center). I have downloaded the ovpn file and installed the AWS client. All works perfectly! I have tried loading the ovpn into other clients, such as OpenVPN or Tunnelblick, but both fail to work. Is it because of the federated authentication? If yes, can it be fixed?
DISCLAIMER: I am still a noob in this area, so forgive me in advance for any wrong concept I may have.

A little bit of context on what I am trying to do. Right now, we have an in-house big server with VMware Workstation Pro and many VMs. Aside from that we have a hardware VPN. The VMware VMs are all for internal usage (they are not accessed from outside) and the only way we connect to them is via the VPN and local IPs. We are now trying to move to AWS. For example, each VMware VM will be replaced by an EC2 instance, etc.

So far, I have a VPN set up following this [guide](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html#cvpn-getting-started-routes). I can connect to the VPN from my Mac and everything works perfectly (I can access each EC2 instance with its private IP, etc.). Additionally, I can confirm that both my Mac and the EC2 instances have access to the internet while connected to the VPN.

However, for this to work, all my EC2 instances need to have a public IPv4 address. And I don't really want these EC2 instances to have a public IP, for security reasons. I don't want these machines to be "seen" from outside, as they are completely for internal usage and only accessed from the VPN. For example, right now, with the public IP I can still SSH/ping/whatever them. That's what I don't want.

My first experiment was to remove the public IPs from the EC2 instances. This brings the security aspect I want, and I can access the machine with the private IP and the VPN. However... the EC2 instance cannot connect to the internet when I do this. From what I have been reading, I need a NAT Gateway. The problem is that I am not sure how to set this up in combination with the VPN setup I have.

Currently, this is what I have:

* I have a VPC with IPv4 CIDR 172.31.0.0/16 and 3 public subnets, one for each AZ (Availability Zone). That is, us-east-2a (172.31.0.0/20), us-east-2b (172.31.16.0/20) and us-east-2c (172.31.32.0/20).
* All EC2 instances are created within the us-east-2a (172.31.0.0/20) subnet.
* The VPC has an internet gateway attached.
* I have a Client VPN endpoint with client CIDR 10.0.0.0/22, and it has one of the subnets associated as a "Target network association": the one in us-east-2a (172.31.0.0/20).
* The endpoint has a security group which has an outbound rule to allow all traffic.
* The endpoint has "Authorization rules" to allow all of the VPC (destination CIDR 172.31.0.0/16) and another rule for destination 0.0.0.0/0.
* The endpoint has a "Route table" entry to allow all traffic for the selected subnet (172.31.0.0/20).

Any help would be appreciated.
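What the post above is missing is a private subnet: a subnet whose route table sends 0.0.0.0/0 to a NAT gateway (which lives in one of the existing public subnets) rather than to the internet gateway. Instances launched there need no public IP, can still reach the internet, and cannot be reached from it, because a NAT gateway only carries connections initiated from inside. The following is an added example, not code from the post or from AWS: it picks the first /20 in the VPC that does not collide with the three existing subnets, classifies a route table as public/private/isolated from the shape `ec2.describe_route_tables` returns, and, given a boto3 EC2 client, creates the NAT gateway, private subnet and route table, optionally associating the new subnet with the Client VPN endpoint so that VPN clients' internet traffic also exits via the NAT gateway. The VPC layout is taken from the post; all resource IDs are placeholders the caller looks up.

```python
"""Added example: outbound internet for EC2 instances without a public IP
via a NAT gateway, plus optional Client VPN egress through the same path.
Assumptions: VPC 172.31.0.0/16 with the three /20 public subnets from the
post. The planning helpers run offline; apply_private_egress needs boto3
credentials and makes real (hourly and per-GB billed) changes.
"""
import ipaddress
import time
from typing import Dict, List, Optional


def first_free_subnet(vpc_cidr: str, used_cidrs: List[str],
                      prefixlen: int = 20) -> str:
    """First /prefixlen block inside the VPC that overlaps no existing subnet."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    used = [ipaddress.ip_network(c, strict=True) for c in used_cidrs]
    for candidate in vpc.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    raise ValueError(f"no free /{prefixlen} left in {vpc_cidr}")


def classify_route_table(routes: List[Dict]) -> str:
    """Classify a route table's 'Routes' list (shape of describe_route_tables):
    'public' if 0.0.0.0/0 goes to an internet gateway, 'private' if it goes to
    a NAT gateway, 'isolated' if there is no default route at all.
    An instance with a public IP in a 'public' subnet is reachable from the
    internet; in a 'private' subnet it is not, even with a permissive SG."""
    for route in routes:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"


def wait_for_association(ec2, endpoint_id: str, association_id: str,
                         interval: int = 5) -> None:
    """Client VPN routes can only target a subnet once its association
    has finished; poll until the status leaves 'associating'."""
    while True:
        resp = ec2.describe_client_vpn_target_networks(
            ClientVpnEndpointId=endpoint_id, AssociationIds=[association_id])
        code = resp["ClientVpnTargetNetworks"][0]["Status"]["Code"]
        if code == "associated":
            return
        if code != "associating":
            raise RuntimeError(f"association {association_id} ended in {code}")
        time.sleep(interval)


def apply_private_egress(ec2, vpc_id: str, vpc_cidr: str, az: str,
                         public_subnet_id: str, used_cidrs: List[str],
                         endpoint_id: Optional[str] = None) -> Dict[str, str]:
    """Create an EIP + NAT gateway in the existing public subnet, a new private
    subnet in the same AZ, and a route table sending 0.0.0.0/0 to the NAT
    gateway. If endpoint_id is given, associate the private subnet with the
    Client VPN endpoint and add a 0.0.0.0/0 endpoint route through it (the
    0.0.0.0/0 authorization rule from the post must already exist)."""
    alloc_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    nat_id = ec2.create_nat_gateway(
        SubnetId=public_subnet_id, AllocationId=alloc_id
    )["NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat_id])

    cidr = first_free_subnet(vpc_cidr, used_cidrs)
    subnet_id = ec2.create_subnet(
        VpcId=vpc_id, CidrBlock=cidr, AvailabilityZone=az)["Subnet"]["SubnetId"]
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0",
                     NatGatewayId=nat_id)
    ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)

    if endpoint_id:
        assoc = ec2.associate_client_vpn_target_network(
            ClientVpnEndpointId=endpoint_id, SubnetId=subnet_id)
        wait_for_association(ec2, endpoint_id, assoc["AssociationId"])
        ec2.create_client_vpn_route(
            ClientVpnEndpointId=endpoint_id, DestinationCidrBlock="0.0.0.0/0",
            TargetVpcSubnetId=subnet_id)
    return {"nat_gateway": nat_id, "private_subnet": subnet_id,
            "route_table": rtb_id, "cidr": cidr}


if __name__ == "__main__":
    import boto3  # only needed here; the helpers above run without it
    print(apply_private_egress(
        boto3.client("ec2", region_name="us-east-2"),
        vpc_id="vpc-0123456789abcdef0",          # placeholder, assumed
        vpc_cidr="172.31.0.0/16", az="us-east-2a",
        public_subnet_id="subnet-0123456789abcdef0",  # placeholder, assumed
        used_cidrs=["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20"],
        endpoint_id="cvpn-endpoint-0123456789abcdef0"))  # placeholder
```

Two caveats when using this: an existing instance cannot be moved to another subnet, so the internal instances have to be relaunched in the private subnet (from an AMI of the current ones) with no public IP; and adding 0.0.0.0/0 to the endpoint route table pushes a default route to split-tunnel clients, so all client internet traffic then goes through the VPN and NAT gateway, which is billed per GB. Leave `endpoint_id` unset if you only want the instances, not the VPN clients, to egress through NAT.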