I created a client VPN endpoint which uses Active Directory as an authentication method.
This client VPN is supposed to allow access to private resources on our AWS VPC.
Now I understand that the "Target network associations" have security groups to control access to the target network which works together with the "Authorization Rules".
One thing I cannot seem to achieve is to authorize specific ports (or maybe assign specific security groups) on a "Group ID" level.
The reason behind this is:
- I want business users to be able to connect to the vpn and access apps over port 80.
- I want developers to be able to connect to the VPN and access apps over port 80 and access SSH on port 22.
Is there a way to achieve this?
I understand I can easily create 2 VPN endpoints, 1 for users and another for developers, as a fallback, but ideally I want to achieve this with only a single VPN endpoint.
AWS Client VPN Authorization rules are limited to IP ranges and do not include specific ports. You can allow a group to access a subnet but not certain ports within that subnet.
To achieve this scalably on the same endpoint, you must use a third-party solution like SAML User VPN.
Full disclosure: I am an architect at Aviatrix.
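To make the limitation concrete, here is what group-scoped authorization rules look like in Terraform. This is an added example, not code from the question or the answer; the endpoint ID, subnet CIDR and Active Directory group SIDs are placeholders.

```hcl
# Added example (not from the question or the answer): AWS Client VPN
# authorization rules in Terraform. The endpoint ID, subnet CIDR and
# Active Directory group SIDs below are placeholders.

# Business users: reach the application subnet. The rule carries only a
# target CIDR and a group; there is no port or protocol attribute to set.
resource "aws_ec2_client_vpn_authorization_rule" "business_users" {
  client_vpn_endpoint_id = "cvpn-endpoint-PLACEHOLDER"
  target_network_cidr    = "10.0.1.0/24"                   # app subnet (placeholder)
  access_group_id        = "S-1-5-21-PLACEHOLDER-BUSINESS" # AD group SID (placeholder)
  description            = "Business users: app subnet"
}

# Developers: same CIDR, different group. Nothing in this resource can
# express "also allow port 22"; granting the same CIDR means both groups
# reach whatever the subnet's security groups already permit.
resource "aws_ec2_client_vpn_authorization_rule" "developers" {
  client_vpn_endpoint_id = "cvpn-endpoint-PLACEHOLDER"
  target_network_cidr    = "10.0.1.0/24"
  access_group_id        = "S-1-5-21-PLACEHOLDER-DEVELOPERS" # AD group SID (placeholder)
  description            = "Developers: app subnet"
}
```

The security groups applied to the target network association filter ports for every connected client regardless of group, which is why the per-group 80 versus 80+22 split cannot be expressed on a single endpoint with these rules alone.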