I created an AWS Client VPN endpoint which is connected to my VPC. I can access all EC2s inside my VPC and set the EC2 security groups to allow traffic only from the VPN security group. I added an ingress rule to the HTTPS port of the Application Load Balancer with the VPN security group as source, just like I did for the EC2 ingress rules. But I can't access the ALB when connected to my VPN endpoint. I've also added the Client VPN CIDR block to the ALB security group. I'm also connected to the internet when connected to the VPN.
- I wonder if it is because the ELB's DNS Name is resolving to a public IP address rather than a private IP address? If you resolve the DNS Name (e.g. do a `ping` or `nslookup`), does the resulting IP address look like a public or a private IP address? Is the ELB also being used from the Internet? If not, it can be configured as an **Internal load balancer** instead of an Internet-facing load balancer. – John Rotenstein Apr 15 '20 at 08:40
- Yes, it is being used from the internet, with access limited to my company network. The IP address of the ELB is public. But I connect to my VPC through my VPN to do most of my work, and when I want to access the ELB I have to disconnect from the VPN. – user2443088 Apr 16 '20 at 06:36
- I suspect that it is because this is an Internet-facing ELB and the public IP address is not reachable via the VPN connection. You could create an "internal load balancer" in parallel to the public one, or figure out why the traffic isn't being routed to the public IP address of the ELB. – John Rotenstein Apr 16 '20 at 11:53
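The check suggested in the comments (resolve the load balancer's DNS name and see whether the addresses are public or private) as a small script. This is an added example, not code from the question or the commenters; the load balancer hostname in it is a made-up placeholder, and the classification is done with the standard library so it can be exercised on a constructed address list without network access. The security-relevant point it encodes: a security-group-as-source rule only matches traffic that arrives from the referenced group's ENIs over their private VPC addresses, so traffic that reaches an internet-facing ALB at its public address carries a public source IP and never matches that rule, whatever the Client VPN route table says.

```python
"""Check whether a load balancer's DNS name resolves to public or private addresses.

Added example, not part of the original question or comments. The hostname
placeholder below is invented; pass the real ALB DNS name on the command line.
Only the standard library is used, so assess() can be run offline on a
constructed list of addresses.
"""
import ipaddress
import socket
import sys

# Placeholder only (assumption for illustration), not a real load balancer name.
EXAMPLE_ALB_NAME = "my-alb-123456789.eu-west-1.elb.amazonaws.com"


def classify(ip: str) -> str:
    """Return 'private' for addresses in private ranges (RFC 1918, RFC 4193,
    loopback, link-local) and 'public' for everything else."""
    return "private" if ipaddress.ip_address(ip).is_private else "public"


def resolve(hostname: str) -> list[str]:
    """Return the de-duplicated A/AAAA records for hostname (needs DNS)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def assess(addresses: list[str]) -> tuple[dict[str, str], str]:
    """Classify each address and give a verdict on the load balancer scheme.

    An internet-facing ALB resolves only to public addresses. Packets sent to
    a public address arrive at the ALB from a public source IP, never from the
    VPN security group, so an SG-as-source ingress rule cannot match them. An
    internal ALB resolves to private addresses inside the VPC CIDR, which the
    Client VPN route table carries through the tunnel.
    """
    kinds = {ip: classify(ip) for ip in addresses}
    values = set(kinds.values())
    if not values:
        verdict = "no addresses: hostname did not resolve"
    elif values == {"public"}:
        verdict = "internet-facing: reached at a public IP, not via the VPN security group"
    elif values == {"private"}:
        verdict = "internal: reachable through the VPN if the VPC CIDR is routed"
    else:
        verdict = "mixed: check each address individually"
    return kinds, verdict


def main(argv: list[str]) -> int:
    hostname = argv[1] if len(argv) > 1 else EXAMPLE_ALB_NAME
    try:
        addresses = resolve(hostname)
    except socket.gaierror as exc:
        print(f"{hostname}: DNS lookup failed ({exc})")
        return 1
    kinds, verdict = assess(addresses)
    for ip, kind in kinds.items():
        print(f"{ip:40} {kind}")
    print(verdict)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_alb.py <alb-dns-name>`. If every address comes back `public`, the load balancer is internet-facing and the "create an internal load balancer in parallel" suggestion above is the clean fix: the internal ALB gets private VPC addresses, its security group can reference the VPN security group, and the Client VPN route table already carries the VPC CIDR. The authoritative confirmation is `aws elbv2 describe-load-balancers`, whose `Scheme` field reads `internet-facing` or `internal`, and `aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>` shows which destinations actually go through the tunnel.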