Restrict AWS Client VPN Access

We already have a AWS Client VPN Setup, which is working as expected.

My On Prem team is able to connect with AWS Client VPN and access Cloud Resources.

Now my management wants to restrict AWS Client VPN access from our corporate office only.

I tried it by making changes to Security Group associated with my AWS Client VPN endpoint by allowing only access from our corporate office CIDR. But when I tested, it is not working as expected, my other team members was able to access the EC2 over VPN from outside our on-premises network.

Even I tried keeping the entire in-bound rule as blank, but still I was able to SSH into my EC2 instance.

Is there a way, to restrict access for AWS Client VPN, so that it is accessible only from my corporate office, or a way to restrict that the traffic going from VPN should only be from my on-premises network.

Topics

Networking & Content Delivery

Tags

Amazon VPC Networking & Content Delivery Security Group AWS Client VPN

Language

English

Shivkumar

asked a month ago305 views

1 Answer

Newest
Most votes
Most comments

Accepted Answer

Hello.

By enabling the client connect handler and creating a Lambda that rejects connections other than a specific public IPv4 address, you can limit connections to only those from the office.
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/connection-authorization.html

EXPERT

Riku_Kobayashi

answered a month ago

EXPERT

Oleksii Bebych

reviewed a month ago

EXPERT

Gary Mclean

reviewed a month ago

Shivkumar
a month ago
Thanks Riku for the prompt response, allow me to check this implementation and get back to you.
Shivkumar
a month ago
Hello Riku, it is working as expected, but one small question, then what is the use of the firewall associated with the AWS Client VPN? Which traffic it is controlling?
Riku_Kobayashi EXPERT
a month ago
It may be used to control which AWS resources a user can access as described in the following documentation: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/security-best-practices.html

Use security groups to control which resources users can access in your VPC. For more information, see Security groups.

Relevant content

AWS VPN client is not connecting
Arun Kumar
asked a year ago
Client VPN access to VPC
morleyz
asked 3 years ago
AWS Client VPN with OKTA
rePost-User-8429258
asked 2 years ago
Enterprise VPN Client needed to connect to AWS Client VPN Endpoint
Rob
asked 2 years ago
How does DNS work with my AWS Client VPN endpoint?
AWS OFFICIALUpdated a year ago
How do I delete or terminate a Client VPN endpoint or connection on AWS Client VPN?
AWS OFFICIALUpdated 2 years ago
How can I provide my Client VPN users with access to AWS resources?
AWS OFFICIALUpdated 2 years ago
How can I revoke access to a Client VPN endpoint for a specific client?
AWS OFFICIALUpdated a year ago
AWS Client VPN connection and traffic flow handling simplified
EXPERT
Karthikiran Ilango
published 9 months ago
Use AWS Client VPN to access workloads running on VMware Cloud on AWS
EXPERT
Sawab Ahmed
published 9 months ago