Client VPN Security Groups rule for Client CIDR



Im trying to restrict access to certain aws resources. Below is my scenario

  1. Client connects to Client VPN and gets assigned a from client CIDR
  2. Created SG to allow HTTP (port 80) from source CIDR
  3. Assign SG to ec2 instance and VPN Client endpoint

*To add, I have authorization rule in my VPN client to allow access to which is my VPC CIDR.

Result: Client cannot access resource even when connected to Client VPN

But when my SG is set to allow HTTP (port 80) from source CIDR then access is properly granted.

I was under the assumption that when I connect to the client VPN, I will be assigned an ip from the Client CIDR which is and when I try to access protected AWS resources, the SG will grant/deny based on this.

Did I mis-configure anything?


2 Answers

AWS Client VPN (CVPN) by design does a Source NAT on the traffic coming from connected Clients, when entering the VPC. Hence, the Client IP is changed to an IP within the CVPN Target Subnet's Network CIDR. It is recommended to allow the CVPN Target Subnet's CIDR as Inbound Rule on your Security Group.

For example: Client CIDR ---> Client VPN Endpoint ---> Target Subnet CIDR ---> ( Client/user IP is Source NAT'ed to an IP within Target Subnet CIDR ) ---> Configure Security Group to allow HTTP (port 80) from source CIDR --> Destination EC2

One other way to allow access is using the Client VPN Security Group.

Configure destination Security Group to allow HTTP (port 80) from "Source=Client VPN Security Group"

profile pictureAWS
answered a year ago


Please take a look at this Knowledge center article.

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions