
I created a Client VPN endpoint which uses Active Directory as an authentication method.

This client VPN is supposed to allow access to private resources on our AWS VPC.

Now I understand that the "Target network associations" have security groups to control access to the target network, which work together with the "Authorization Rules".

One thing I cannot seem to achieve is to authorize specific ports (or maybe assign specific security groups) on a "Group ID" level.

The reason behind this is:

  1. I want business users to be able to connect to the VPN and access apps over port 80.
  2. I want developers to be able to connect to the VPN and access apps over port 80 and access SSH on port 22.

Is there a way to achieve this?

I understand I can easily create 2 VPN endpoints, 1 for users and another for developers, as a fallback, but ideally I want to achieve this with only a single VPN endpoint.

Vincent

1 Answer


AWS Client VPN Authorization rules are limited to IP ranges and do not include specific ports. You can allow a group to access a subnet but not certain ports within that subnet.

To achieve this scalably on the same endpoint, you must use a third-party solution like SAML User VPN.

Full disclosure: I am an architect at Aviatrix.
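To make the two controls in the answer concrete, here is an added example (not part of the question or the answer above, and not Aviatrix's or AWS's own code) that emits the AWS CLI calls for both layers. The authorization rule (`authorize-client-vpn-ingress`) takes only a target CIDR and an access group ID and has no port argument; the security group on the target network association (`authorize-security-group-ingress`) takes a port, but its source is the endpoint's shared client CIDR pool, so it cannot tell business users from developers. Every identifier (endpoint ID, security group ID, CIDRs, Active Directory group SIDs) is a placeholder assumption, and the layout assumes the SSH hosts live in a subnet separate from the port-80 apps, which the question does not say. The script prints the commands by default (`DRY_RUN=1`) and only calls `aws` when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: per-group Client VPN authorization rules versus the
# association security group. All resource identifiers below are assumed
# placeholders, not real resources.
set -eu

ENDPOINT_ID="${ENDPOINT_ID:-cvpn-endpoint-0123456789abcdef0}"   # assumed
ASSOC_SG_ID="${ASSOC_SG_ID:-sg-0123456789abcdef0}"              # SG on the target network association (assumed)
CLIENT_CIDR="${CLIENT_CIDR:-172.16.0.0/22}"                      # endpoint client IPv4 CIDR pool (assumed)
APP_CIDR="${APP_CIDR:-10.0.1.0/24}"                              # subnet hosting the port-80 apps (assumed)
BASTION_CIDR="${BASTION_CIDR:-10.0.2.0/24}"                      # subnet hosting the SSH targets (assumed)
# Active Directory group SIDs used as Client VPN access group IDs (assumed placeholders)
BUSINESS_SID="${BUSINESS_SID:-S-1-5-21-1111111111-2222222222-3333333333-1101}"
DEVELOPER_SID="${DEVELOPER_SID:-S-1-5-21-1111111111-2222222222-3333333333-1102}"

# DRY_RUN=1 (default) prints each aws command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Authorization rule: scoped to an access group and a target CIDR only.
# There is no port parameter on this API, which is the limitation the answer describes.
authorize_group() { # <access-group-id> <target-cidr> <description>
  run aws ec2 authorize-client-vpn-ingress \
    --client-vpn-endpoint-id "$ENDPOINT_ID" \
    --target-network-cidr "$2" \
    --access-group-id "$1" \
    --description "$3"
}

# Security group ingress on the target network association: scoped to a port and
# a source CIDR. The source is the shared client pool, so every connected user,
# whatever their AD group, is matched by the same rule.
allow_port_from_clients() { # <tcp-port>
  run aws ec2 authorize-security-group-ingress \
    --group-id "$ASSOC_SG_ID" \
    --protocol tcp --port "$1" --cidr "$CLIENT_CIDR"
}

# Business users reach only the app subnet; developers also reach the SSH subnet.
# Port 22 still has to be opened for the whole client pool in the association SG.
apply_rules() {
  authorize_group "$BUSINESS_SID"  "$APP_CIDR"     "business users: app subnet"
  authorize_group "$DEVELOPER_SID" "$APP_CIDR"     "developers: app subnet"
  authorize_group "$DEVELOPER_SID" "$BASTION_CIDR" "developers: SSH hosts"
  allow_port_from_clients 80
  allow_port_from_clients 22
}

apply_rules
```

Separating the SSH targets into their own CIDR gets per-group reachability at the subnet level, but it does not change the answer's point: the port filter lives in the association security group and applies to every client address in the pool, so a business user who can reach a host in `$BASTION_CIDR` for any reason is not stopped from port 22 by the VPN itself.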