1

My VPC is in eu-west-2. I have two subnets for an RDS instance, split across two different availability zones for reasons of high availability: eu-west-2a and eu-west-2b. I also have a Redshift cluster in its own subnet in eu-west-2c.

With this configuration, I have successfully configured an AWS Client VPN endpoint so that I can access RDS and Redshift from my local machine when connected to a VPN client with the appropriate configuration.

While following the same principles of using subnets for specific services, I would like my EC2 instances to live in private subnets that are also only accessible over a VPN connection. However, one of the limitations of the Client VPN service is:

You cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint.

This implies that I would need to create a separate endpoint for connecting to my private EC2 subnet—which feels like complete overkill for my modest networking architecture!

Is there a workaround?

Blair Nangle
  • 1,221
  • 12
  • 18

2 Answers2

0

By default, a subnet can reach the other subnets.

This means that you won't need to do anything. This will work out of the box. If not, check the route tables and see if there is a route from your VPN subnet to your private subnet.

ThomasVdBerge
  • 7,483
  • 4
  • 44
  • 62
0

When you associate the first subnet with the Client VPN endpoint, the following happens:

  • The state of the Client VPN endpoint changes to available. Clients can now establish a VPN connection, but they cannot access any resources in the VPC until you add the authorization rules.

  • The local route of the VPC is automatically added to the Client VPN endpoint route table. (This local route allows you to communicate with every subnet within the VPC that the subnet is in.)

  • The VPC's default security group is automatically applied for the Client VPN endpoint.

See documentation for details.

labeveryday
  • 1
  • 1