I have set up a VPC with two public and private subnets. I've got an ALB in the public subnet and a service running in the private subnet that is routed to from the ALB.
For production my service should be accessible by everyone, which it is. However, for development or staging environments I'd like it to be accessible only to users who are connected to a VPN Endpoint.
At first I thought this would be a breeze, seeing as this is covered in their documentation, https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-restrict.html, but there has to be something I'm not getting right. From what I've understood, the VPN Endpoint will be related to one or more security groups upon creation, and here's what I must be confused about: should I then be able to use said security group(s) as the source for my inbound rules?
I tried that and didn't get it to work. I'm not sure if the security group actually resolves to the public IP address a user is assigned when connected through the client, or if it's one out of the provided Client CIDR. If it's the latter, then that would make more sense, but how would one go about achieving what I've tried using AWS VPN Client?
Thanks a ton in advance.
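One way to check whether an ALB security group is actually restricted the way the question above intends, as an added example that is not part of the original post and not AWS's own tooling. It audits the JSON shape returned by `aws ec2 describe-security-groups` (the sample output, the account id and all `sg-…` ids below are constructed placeholders) and reports whether the HTTPS rule on the ALB group (a) is open to 0.0.0.0/0, (b) references the Client VPN endpoint's security group as its source, and (c) admits any other source. The third sample group uses the Client CIDR as the source; that is included because Client VPN source-NATs client traffic to the endpoint's network interface in the associated subnet, so a rule keyed on the Client CIDR never matches, while a rule that references the endpoint's security group does. The assumption in the example is that the endpoint's ENI sits in the same VPC as the ALB and that the ALB is reached through the tunnel rather than over the public internet.

```python
"""Audit an ALB security group so that a staging listener is reachable only
from a Client VPN endpoint's security group, never from the whole internet.

The input mimics `aws ec2 describe-security-groups` output; every group
and id below is constructed sample data, not a real resource.
"""
import json

# Constructed sample output of `aws ec2 describe-security-groups`.
# Hypothetical ids: sg-...vpn0 is the Client VPN endpoint's group.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0aaa000000000vpn0", "GroupName": "staging-client-vpn",
         "IpPermissions": []},
        # Weak variant: HTTPS open to the internet, so the VPN gives no restriction.
        {"GroupId": "sg-0bbb000000000alb0", "GroupName": "staging-alb-open",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
              "UserIdGroupPairs": []}]},
        # Restricted variant: source is the VPN endpoint's security group.
        {"GroupId": "sg-0ccc000000000alb1", "GroupName": "staging-alb-vpn-only",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [], "Ipv6Ranges": [],
              "UserIdGroupPairs": [{"GroupId": "sg-0aaa000000000vpn0",
                                    "UserId": "123456789012"}]}]},
        # Mistaken variant: source is the Client CIDR, which is NATed away.
        {"GroupId": "sg-0ddd000000000alb2", "GroupName": "staging-alb-client-cidr",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "10.100.0.0/22"}], "Ipv6Ranges": [],
              "UserIdGroupPairs": []}]},
    ]
})


def _covers_port(perm, port):
    """True if an IpPermission entry matches TCP `port` (or all traffic, -1)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_alb_group(describe_json, alb_group_id, vpn_group_id, port=443):
    """Return findings for one ALB security group on `port`.

    open_to_internet:  a rule allows 0.0.0.0/0 or ::/0
    references_vpn_sg: a rule names the Client VPN endpoint SG as source
    other_sources:     every other CIDR or group id that can reach the port
    """
    groups = {g["GroupId"]: g for g in json.loads(describe_json)["SecurityGroups"]}
    findings = {"open_to_internet": False, "references_vpn_sg": False,
                "other_sources": []}
    for perm in groups[alb_group_id]["IpPermissions"]:
        if not _covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            if r["CidrIp"] == "0.0.0.0/0":
                findings["open_to_internet"] = True
            else:
                findings["other_sources"].append(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            if r["CidrIpv6"] == "::/0":
                findings["open_to_internet"] = True
            else:
                findings["other_sources"].append(r["CidrIpv6"])
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == vpn_group_id:
                findings["references_vpn_sg"] = True
            else:
                findings["other_sources"].append(pair["GroupId"])
    return findings


def is_vpn_only(findings):
    """Pass only when the VPN endpoint SG is the sole source on the port."""
    return (findings["references_vpn_sg"]
            and not findings["open_to_internet"]
            and not findings["other_sources"])


if __name__ == "__main__":
    vpn_sg = "sg-0aaa000000000vpn0"
    for gid in ("sg-0bbb000000000alb0", "sg-0ccc000000000alb1", "sg-0ddd000000000alb2"):
        f = audit_alb_group(SAMPLE_DESCRIBE_OUTPUT, gid, vpn_sg)
        print(gid, "VPN-only" if is_vpn_only(f) else "NOT restricted", f)
```

Against real output, pipe `aws ec2 describe-security-groups --group-ids <alb-sg> <vpn-sg>` into `audit_alb_group`; a group that reports `open_to_internet` or a populated `other_sources` is not restricted to VPN users regardless of what else is configured.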