Help Connecting AWS Client VPN and EC2 Server

I’m slowly writing a few security group policies to lock down an EC2 server.

The goal is to only ping/ssh into the servers from the private subnet.

I set up a Client AWS VPN - cvpn-endpoint-0ff927543311b78a7 - with a cidr of 20.0.0.0/22.

When I write an inbound security rule ‘only’ allowing ssh/ec2 over that cidr range… nothing. It isn’t allowing me to connect into EC2 over that vpn client CIDR range.

However when I open it up to 0.0.0.0/0 - perfection. I can ssh into the server without issues.

Why is it that this security rule fails? What am I missing?

Is the VPN on the same VPC/subnet?

You can also consider SSM Session Manager to SSH into instances with no need to configure anything network related.

You can try confirming this with traceroute. If the connection has to leave your subnet and is using NAT, your security group will have to be open to that NAT IP.
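Added illustration, not part of the thread: a small Python model of the NAT point above. AWS Client VPN source-NATs client traffic to the address of its network interface in the associated subnet, so the instance's security group sees that subnet address rather than anything in 20.0.0.0/22. The subnet CIDR and interface address below are assumed sample values.

```python
import ipaddress

# Client address pool from the post; the rest are constructed sample values.
CLIENT_VPN_CIDR = "20.0.0.0/22"
ASSOCIATED_SUBNET = "10.0.1.0/24"   # assumed: subnet the endpoint is associated with
CLIENT_VPN_ENI_IP = "10.0.1.37"     # assumed: endpoint's network interface in that subnet

# Security group ingress rules as (protocol, from_port, to_port, source_cidr).
SG_CLIENT_CIDR_ONLY = [("tcp", 22, 22, CLIENT_VPN_CIDR)]   # what the poster tried
SG_SUBNET_CIDR = [("tcp", 22, 22, ASSOCIATED_SUBNET)]      # what the SNAT'd source needs
SG_OPEN = [("tcp", 22, 22, "0.0.0.0/0")]                   # what "worked"


def sg_allows(rules, proto, port, src_ip):
    """True if any ingress rule matches protocol, port and source address.

    Protocol "-1" is the AWS "all traffic" rule and ignores ports.
    """
    src = ipaddress.ip_address(src_ip)
    for rule_proto, lo, hi, cidr in rules:
        if rule_proto != "-1" and rule_proto != proto:
            continue
        if rule_proto != "-1" and not (lo <= port <= hi):
            continue
        if src in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def effective_source(client_ip, snat=True):
    """Address the VPC sees for a Client VPN user.

    With SNAT (the Client VPN behaviour) every client appears as the
    endpoint's interface address; snat=False models a routed VPN that
    keeps the client's own address.
    """
    return CLIENT_VPN_ENI_IP if snat else client_ip


def ssh_allowed(rules, client_ip, snat=True):
    """Would an SSH connection from this VPN client pass the security group?"""
    return sg_allows(rules, "tcp", 22, effective_source(client_ip, snat))


if __name__ == "__main__":
    for name, sg in (("client CIDR only", SG_CLIENT_CIDR_ONLY),
                     ("associated subnet", SG_SUBNET_CIDR),
                     ("0.0.0.0/0", SG_OPEN)):
        print(f"{name:18s} -> ssh allowed: {ssh_allowed(sg, '20.0.0.10')}")
```

The first rule set only matches if the client address survived to the instance (`snat=False`), which is the case the traceroute suggestion is meant to rule in or out.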

Place your VPNs into their own dedicated subnet; it will allow you to tighten your NACLs/security groups.

So traceroute showed just one hop?

Why are you doing this with ACL and not security groups?

Maybe try dumping all network traffic with tcpdump when it’s working and seeing if something else is blocked that prevents you from connecting.

I’m using both security groups and ACLs. Another question is: why not leverage both if they’re available to you?

One other bit of annoyance I wanted to report. In the image I shared, I had both security groups as /24s. Since I’m running 2 ACLs, that’s needed to get this to work.

  • Making the private ACL’s inbound connectivity x.x.128.x/25 actually kills connectivity to that resource.
  • Making the private ACL’s inbound connectivity x.x.0.x/25 actually kills connectivity to that resource.

Apologies. But this has entered the realm of pure fascination at this point.