When you associate the first target network with a Client VPN endpoint, we automatically apply the default security group of the VPC in which the associated subnet is located. You can, however, change the security group(s) for the Client VPN endpoint. The security group rules that you require depend on the kind of VPN access you want to configure.
The following example shows how the Client VPN security group is used:
- To control user traffic at the Client VPN Endpoint level, you will need to configure 'Outbound' rules on the Security Group associated with your Client VPN Endpoint.
In the example scenario below, if you want to grant users connected to the Client VPN endpoint access to a specific EC2 instance and port (e.g., SSH port 22), you can modify the 'Outbound' rules of the Client VPN Security Group (referred to as Security Group A in the diagram) to allow SSH traffic on port 22 and specify the Private IP address of the target EC2 instance as the destination. These 'Outbound' rules within the Client VPN Security Group effectively grant or restrict access for traffic from the Client VPN endpoint to destinations and resources in your VPC and beyond.
Note: ‘Inbound’ Rules of the Client VPN Security Group are not checked as Security Groups are stateful in nature.
- The second use case of the ‘Client VPN associated Security Group’ comes in the form of Security Group referencing (https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-restrict.html#scenario-restrict-security-groups).
In the example scenario above, the Target EC2 has its own Security Group (referred to as Security Group B in the diagram) which should allow SSH traffic ‘Inbound’ for the Client VPN users. For this purpose, you can add an ‘Inbound’ rule to Security group B that allows access from Source = Security group A (Client VPN security group), thus allowing Client VPN users to access the Target EC2. This is a recommended way of providing access within the same VPC, rather than adding CIDR ranges.
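The following added example (not part of the original article) checks both configurations described above against security group data in the shape of the EC2 DescribeSecurityGroups response. The function names, group IDs and addresses are constructed, and flagging a CIDR-based inbound rule on Security Group B reflects the recommendation above to reference Security Group A instead.

```python
# Added example. Input dicts follow the EC2 DescribeSecurityGroups response
# shape; every ID and address here is constructed for illustration.

def covers_port(rule, port):
    """True if a rule's protocol/port range includes TCP `port`."""
    if rule["IpProtocol"] == "-1":          # "-1" means all protocols and ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def audit_client_vpn_sgs(sg_a, sg_b, port=22):
    """Check SG A (Client VPN endpoint) and SG B (target instance)."""
    findings = []
    # SG A: its outbound rules bound what VPN users can reach.
    for rule in sg_a["IpPermissionsEgress"]:
        for rng in rule.get("IpRanges", []):
            if rng["CidrIp"] == "0.0.0.0/0":
                findings.append(f"{sg_a['GroupId']}: outbound rule allows 0.0.0.0/0")
    # SG B: inbound access on `port` should reference SG A, not CIDR ranges.
    references_a = False
    for rule in sg_b["IpPermissions"]:
        if not covers_port(rule, port):
            continue
        if any(p["GroupId"] == sg_a["GroupId"] for p in rule.get("UserIdGroupPairs", [])):
            references_a = True
        for rng in rule.get("IpRanges", []):
            findings.append(f"{sg_b['GroupId']}: port {port} inbound from CIDR {rng['CidrIp']}")
    if not references_a:
        findings.append(f"{sg_b['GroupId']}: no inbound rule on port {port} references {sg_a['GroupId']}")
    return findings

# Constructed samples: default-style SG A vs. SG A scoped to one instance and port.
SG_A_DEFAULT = {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_A_SCOPED = {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}]}]}
# Constructed samples: SG B opened by CIDR vs. SG B referencing SG A.
SG_B_CIDR = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]}
SG_B_REFERENCED = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}]}]}

if __name__ == "__main__":
    for finding in audit_client_vpn_sgs(SG_A_DEFAULT, SG_B_CIDR):
        print(finding)
```
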
Precautions and Best Practices
- Impact on Other Resources: Adding or removing rules that reference the Client VPN Security Group can potentially grant or deny access for other associated resources in your VPC.
- Dedicated Security Groups: For increased control and security, it is advisable to create a dedicated Security Group explicitly for use with your Client VPN endpoint, rather than sharing it with other resources.