WorkDocs, allow listing, and Client VPNs

0

Hello, I am trying to setup a user who is constantly on the go and changing IP addresses with WorkDocs. I thought I had a Client VPN setup to allow for the user to connect to the endpoint and then to the WorkDocs without worrying about changing the IP address in the WorkDocs admin console. But no luck there. I have split tunneling enabled on the VPN profile, which is what AWS Support recommended, and I deleted the route to the internet, which is also what Support recommended. So the only route is to the subnet where my WorkDocs lives. I feel like I must be missing something, anyone have an idea?

I would have thought it was more straightforward to assign a static Public IP to a client VPN than it actually is, so that doesn't seem to be an option.

Asked 2 years ago · Viewed 317 times

2 answers
0

Hello, you can configure WorkDocs IP address access to only allow WorkDocs to be accessed from a specific list or range of IP addresses [1]. This can be completed in the WorkDocs Admin Console. You can select the IP address ranges from which you wish to provide access and specify the ranges for your CVPN tunnel.

There is public documentation on "Managing site settings" [2]; see the section titled "IP Allow List" to configure this.

[1] Amazon WorkDocs Now Lets You Control IP Address Access to Your Site - https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-workdocs-control-ip-address-access/

[2] Managing site settings - https://docs.aws.amazon.com/workdocs/latest/adminguide/manage-sites.html

Regarding your CVPN configuration query: the public IP assigned to CVPN will be used to connect the user end to the CVPN endpoint, and not to NAT the user traffic towards the WorkDocs subnet. You need to allow the VPC CIDR range in the WorkDocs IP address access list.

In order to get proper resolution for your use case we require details that are non-public information. Please open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create

AWS
Support Engineer
Babar
Answered 2 years ago
  • Thank you very much. So #1 I did already do that. In this case my VPC subnet would be the private address range? Is that what you mean? So my Client VPN profile should have split tunneling enabled, correct?

    And beyond that my CVPN endpoint should have a route for the VPC CIDR as a Destination CIDR in the route table? And then a route to the internet? With that in place, from your description it should work because the public IP the CVPN is using won't be used to access the WorkDocs site but the VPC CIDR range will be, so with that whitelisted it should work?

    I tried opening up a ticket on this, but it seemed to confuse Support. I did open it under the Client VPN service, but they kept getting tangled up on the WorkDocs part of my question.
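An added pre-flight check for the setup discussed in this answer and the follow-up comment (example code, not from the thread or from AWS): it takes the WorkDocs IP allow list, the VPC CIDR, the Client VPN endpoint's public IP and route table, and reports whether the list covers the address WorkDocs will actually see. It assumes, as the answer states, that WorkDocs sees a source inside the VPC CIDR rather than the endpoint's public IP; all CIDRs and addresses in the usage call are constructed sample values, and `check_cvpn_for_workdocs` is a hypothetical helper name.

```python
import ipaddress

# Assumption (from the answer above, not verified here): traffic that leaves
# the Client VPN endpoint toward WorkDocs carries a source address inside the
# VPC CIDR. The endpoint's public IP only terminates the tunnel, so putting it
# in the allow list does nothing for the roaming user.


def parse_cidrs(cidrs):
    """Parse a list of CIDR strings into ip_network objects (hosts allowed)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def source_allowed(allow_list, source_ip):
    """True if source_ip falls inside any CIDR of the WorkDocs IP allow list."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in parse_cidrs(allow_list) if net.version == ip.version)


def check_cvpn_for_workdocs(allow_list, vpc_cidr, endpoint_public_ip,
                            client_home_ip, split_tunnel, route_destinations):
    """Return findings for a Client VPN + WorkDocs allow-list configuration.

    allow_list:         CIDRs entered under WorkDocs "IP Allow List"
    vpc_cidr:           CIDR of the VPC the endpoint is associated with
    endpoint_public_ip: public address clients connect to (tunnel endpoint)
    client_home_ip:     the user's current, ever-changing address
    route_destinations: destination CIDRs in the endpoint's route table
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    allow = [n for n in parse_cidrs(allow_list) if n.version == vpc.version]
    routes = [r for r in parse_cidrs(route_destinations) if r.version == vpc.version]
    findings = {
        # The address WorkDocs sees: must be covered by the allow list.
        "vpc_cidr_allowed": any(vpc.subnet_of(n) for n in allow),
        # Present in the list but irrelevant to access (tunnel endpoint only).
        "endpoint_public_ip_in_list": source_allowed(allow_list, endpoint_public_ip),
        # Should not need to be in the list; that is the point of the VPN.
        "client_home_ip_allowed": source_allowed(allow_list, client_home_ip),
        # Split tunnel: only routed destinations go through the tunnel.
        "split_tunnel": split_tunnel,
        # Some route must send traffic into the VPC for NAT to apply.
        "route_to_vpc": any(vpc.overlaps(r) for r in routes),
    }
    findings["ok"] = findings["vpc_cidr_allowed"] and findings["route_to_vpc"]
    return findings


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    print(check_cvpn_for_workdocs(["10.0.0.0/16", "203.0.113.10/32"], "10.0.0.0/16",
                                  "203.0.113.10", "198.51.100.7", True, ["10.0.1.0/24"]))
```

A result with `vpc_cidr_allowed` false and `endpoint_public_ip_in_list` true is the misconfiguration the answer describes: the tunnel's public address is allow-listed but the address WorkDocs actually sees is not.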

0

To answer your question, we require details that are non-public information. Please open a support case with AWS using the following link.

AWS
Support Engineer
Neha_S
Answered 2 years ago
