
I created a Client VPN endpoint which uses Active Directory as its authentication method.

This client VPN is supposed to allow access to private resources on our AWS VPC.

Now I understand that the "Target network associations" have security groups to control access to the target network which works together with the "Authorization Rules".

One thing I cannot seem to achieve is to authorize specific ports (or maybe assign specific security groups) on a "Group ID" level.

The reason behind this is:

  1. I want business users to be able to connect to the VPN and access apps over port 80.
  2. I want developers to be able to connect to the VPN and access apps over port 80 and access SSH on port 22.

Is there a way to achieve this?

I understand I can easily create 2 VPN endpoints, 1 for users and another for developers, as a fallback, but ideally I want to achieve this with only a single VPN endpoint.
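To make the gap in the question concrete, here is an added model (not AWS code, and not part of the original post) of how a Client VPN access decision is composed: authorization rules match on destination CIDR plus an optional access group ID and carry no port, while the security groups on the target network association filter ports for every connected client regardless of who they are. The group SIDs and addresses below are constructed placeholders. The example goes slightly beyond the question by also modelling the one thing the rules can express per group, a destination-CIDR split, so you can see which of the two requirements is reachable with a single endpoint and which is not.

```python
"""Model of an AWS Client VPN access decision for one client packet.

Two independent layers are evaluated (constructed example, not AWS code):
  1. Authorization rules: destination CIDR + optional access group ID.
     There is no port field, so a rule cannot say "port 22 only".
  2. Security groups on the target network association: port-based, but
     applied to all client traffic, so they cannot distinguish groups.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Set

# Constructed placeholder AD group SIDs; a real endpoint uses the SIDs of the
# directory groups referenced in its authorization rules.
BUSINESS_SID = "S-1-5-21-000000000-000000000-000000000-1101"
DEVELOPER_SID = "S-1-5-21-000000000-000000000-000000000-1102"


@dataclass(frozen=True)
class AuthorizationRule:
    """One Client VPN authorization rule: CIDR plus optional group."""
    destination_cidr: str
    access_group_id: Optional[str] = None  # None: any authenticated user


def authorized_by_rules(rules: Iterable[AuthorizationRule],
                        user_groups: Set[str],
                        destination_ip: str) -> bool:
    """True if some rule covers the destination for one of the user's groups."""
    addr = ip_address(destination_ip)
    for rule in rules:
        if addr not in ip_network(rule.destination_cidr):
            continue
        if rule.access_group_id is None or rule.access_group_id in user_groups:
            return True
    return False


def reachable(rules: Iterable[AuthorizationRule],
              sg_allowed_ports: FrozenSet[int],
              user_groups: Set[str],
              destination_ip: str,
              port: int) -> bool:
    """Both layers must pass; note the port check never sees user_groups."""
    return (authorized_by_rules(rules, user_groups, destination_ip)
            and port in sg_allowed_ports)


# The endpoint security group must allow 22 so developers can SSH at all,
# which means it also allows 22 for business users.
SG_PORTS = frozenset({80, 22})

# Scenario A (as in the question): app servers and SSH targets share one
# subnet, 10.0.1.0/24 (constructed). Both groups are authorized for it.
SINGLE_CIDR_RULES = (
    AuthorizationRule("10.0.1.0/24", BUSINESS_SID),
    AuthorizationRule("10.0.1.0/24", DEVELOPER_SID),
)

# Scenario B: SSH targets live in their own subnet, 10.0.2.0/24 (constructed),
# authorized only for the developer group. This is the only per-group
# distinction the rules can express, and it is by destination, not by port.
SPLIT_CIDR_RULES = (
    AuthorizationRule("10.0.1.0/24", BUSINESS_SID),
    AuthorizationRule("10.0.1.0/24", DEVELOPER_SID),
    AuthorizationRule("10.0.2.0/24", DEVELOPER_SID),
)


def business_can_ssh_same_subnet() -> bool:
    """Scenario A: a business user reaching port 22 on a host in the shared subnet."""
    return reachable(SINGLE_CIDR_RULES, SG_PORTS, {BUSINESS_SID}, "10.0.1.20", 22)


def business_can_ssh_split_subnet() -> bool:
    """Scenario B: the same attempt against a host in the developer-only subnet."""
    return reachable(SPLIT_CIDR_RULES, SG_PORTS, {BUSINESS_SID}, "10.0.2.5", 22)


def developer_can_ssh_split_subnet() -> bool:
    """Scenario B: a developer reaching port 22 in the developer-only subnet."""
    return reachable(SPLIT_CIDR_RULES, SG_PORTS, {DEVELOPER_SID}, "10.0.2.5", 22)


if __name__ == "__main__":
    print("A: business user -> 10.0.1.20:22", business_can_ssh_same_subnet())
    print("B: business user -> 10.0.2.5:22 ", business_can_ssh_split_subnet())
    print("B: developer     -> 10.0.2.5:22 ", developer_can_ssh_split_subnet())
```

The first scenario reproduces the problem in the question: once the endpoint's security group opens port 22 for developers, it is open for business users on every host they are authorized to reach, because neither layer can combine group and port. The second scenario shows what a single endpoint can do: if the SSH-reachable hosts sit in a CIDR that only the developer group is authorized for, business users are stopped at the authorization rule. On a host that must serve both port 80 to everyone and port 22 to developers, that separation is not available, which is why the usual answers are a second endpoint or hardening the target itself (key-based SSH with keys only developers hold).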

  • I haven't used Client VPN in a couple of years, but I don't think you can do that with one Client VPN. You'd have to use two, which doubles the already significant cost. I'd probably try to secure the targets - SSH should use certificate authentication, business users shouldn't have the keys so shouldn't be a problem in practice, but could be a compliance issue. – Tim Jul 16 '23 at 21:07

0 Answers