Client VPN Security Groups rule for Client CIDR


Hi,

I'm trying to restrict access to certain AWS resources. Below is my scenario:

  1. Client connects to Client VPN and gets assigned an IP from the client CIDR 20.1.0.0/22
  2. Created an SG to allow HTTP (port 80) from source CIDR 20.1.0.0/22
  3. Assigned the SG to the EC2 instance and the Client VPN endpoint

*To add, I have an authorization rule in my Client VPN endpoint to allow access to 10.1.0.0/16, which is my VPC CIDR.

Result: the client cannot access the resource even when connected to Client VPN.

But when my SG is set to allow HTTP (port 80) from source CIDR 0.0.0.0/22, then access is properly granted.

I was under the assumption that when I connect to the Client VPN, I will be assigned an IP from the client CIDR (20.1.0.0/22), and when I try to access protected AWS resources, the SG will grant/deny based on this IP.

Did I mis-configure anything?

Thanks!

2 answers

AWS Client VPN (CVPN) by design does a source NAT on the traffic coming from connected clients when it enters the VPC. Hence, the client IP is changed to an IP within the CVPN target subnet's network CIDR. It is recommended to allow the CVPN target subnet's CIDR as an inbound rule on your security group.

For example: Client CIDR 20.1.0.0/22 ---> Client VPN Endpoint ---> Target Subnet CIDR 10.1.1.0/24 ---> ( Client/user IP is Source NAT'ed to an IP within Target Subnet CIDR 10.1.1.0/24 ) ---> Configure Security Group to allow HTTP (port 80) from source CIDR 10.1.1.0/24 --> Destination EC2

One other way to allow access is to use the Client VPN security group:

Configure the destination security group to allow HTTP (port 80) from "Source = Client VPN security group".

AWS
Expert
answered 10 months ago
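To make the source NAT behaviour described in this answer concrete, here is a small added model (example code, not from the original post or from AWS) that evaluates a security group's inbound rules against the post-NAT source. It uses the CIDRs from the question (client CIDR 20.1.0.0/22, target subnet 10.1.1.0/24); the ENI host offset and the security group name `sg-clientvpn` are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IngressRule:
    """One inbound SG rule: a TCP port allowed from either a CIDR or another SG."""
    port: int
    cidr: Optional[str] = None        # CIDR-based source
    source_sg: Optional[str] = None   # security-group-based source

# Values from the question/answer above; CVPN_SG is a constructed placeholder name.
CLIENT_CIDR = ipaddress.ip_network("20.1.0.0/22")
TARGET_SUBNET = ipaddress.ip_network("10.1.1.0/24")
CVPN_SG = "sg-clientvpn"  # hypothetical SG attached to the Client VPN endpoint's ENI

def snat_source(client_ip, target_subnet, eni_host=10):
    """Model the Client VPN source NAT: inside the VPC the packet carries the IP of
    the endpoint's ENI in the target subnet (host offset 10 is an assumption),
    and it is evaluated as coming from the SG attached to that ENI."""
    eni_ip = target_subnet.network_address + eni_host
    assert eni_ip in target_subnet, "ENI IP must fall inside the target subnet"
    return eni_ip, CVPN_SG

def sg_allows(rules: List[IngressRule], src_ip, src_sg, port: int) -> bool:
    """Return True if any rule matches the port and the (post-NAT) source."""
    for rule in rules:
        if rule.port != port:
            continue
        if rule.cidr and src_ip in ipaddress.ip_network(rule.cidr):
            return True
        if rule.source_sg and rule.source_sg == src_sg:
            return True
    return False

def check_access(rules: List[IngressRule], client_ip="20.1.0.5", port=80) -> bool:
    """Simulate one VPN client reaching the EC2 instance through the endpoint."""
    ip = ipaddress.ip_address(client_ip)
    assert ip in CLIENT_CIDR, "client IP must come from the client CIDR"
    nat_ip, nat_sg = snat_source(ip, TARGET_SUBNET)
    return sg_allows(rules, nat_ip, nat_sg, port)

# The three rule sets discussed on this page.
BROKEN = [IngressRule(80, cidr="20.1.0.0/22")]    # matches the pre-NAT client CIDR only
FIXED_CIDR = [IngressRule(80, cidr="10.1.1.0/24")]  # target subnet CIDR (first suggestion)
FIXED_SG = [IngressRule(80, source_sg=CVPN_SG)]     # Client VPN SG as source (second suggestion)
```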

Hello,

Please take a look at this Knowledge Center article.

AWS
Expert
answered 1 year ago
