Does VPN Client endpoint really need authorization rules?

You can attach a security group to a Client VPN attachment that you can use to grant network accesses. But this security group is shared for all users that connect via this Client VPN endpoint.

If you provide this endpoint for multiple users via Active Directory authentication you can defined more fine grained network access via these authorization rules. They allow you to limit the access for users with certain Active Directory group memberships to certain IP address ranges. You can find examples for such configurations in the user guide: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-rules.html#cvpn-working-rule-authorize

Hello,

You should use authorization rules always, specifically when you want to have grain control to who can access what.

Let me give you an example, if you have 3 different groups of users, let's say: Developer Group, HR group and Admin Group. It is a best practice to attach different access controls or "rules" to each group, to limit which network they can have access to.

As I mentioned above, you should use it, but it is not mandatory. In this case, you can access your private resources because you have a route table associated to your client VPN endpoint that explicitly says that all the traffic targeting this X private CIDR, will be routed through the endpoint.

Hope it helps.

I am seeing the same behaviour which contridicts the documentation https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/auth-rule-example-scenarios.html

grr