Score:0

Can I add "firewall rules" to an AWS VPN connection?

cn flag

I need to connect a couple of customers to an AWS VPC via VPN. Requirements:

  • No customer may send data to (or, better, even "see") another customer.
  • They should only be able to "see" exactly one internal host, preferably only a certain port range.

My question is: is this possible with an AWS VPN gateway & VPN connection? And if yes, how?

Because I have read a ton of stuff now and googled quite a lot, and I did not find any way to assign security groups (or something alike) to an AWS VPN connection. In my book that means "any site-to-site connection allows all traffic", which is the opposite of what I need.

Can anybody help me here?

Thanks in advance for any information! :)

┌───────────────────┬─────────────────┐                    ┌──────────┐
│subnet 1           │         subnet 2│                    │          │
│ ┌──────────┐      │                 │   ┌────────────────┤customer 1│
│ │          │      │must be possible │   │                │          │
│ │server 1  │◄─────┼────┐            │   ▼                └──────────┘
│ │          │      │    │   ip: ┌────┴─────┐ip:                ▲
│ └──────────┘      │    │   int1│    .     │public             │
│                   │    ├───────┤vpn gw    │                   │ must also
│ ┌──────────┐      │    │       │    .     │                 XXX not be
│ │          │      │    │       └────┬─────┘                   │ possible
│ │server 2  │◄─XXX─┤XXX─┘            │   ▲                     │
│ │          │      │must not be      │   │                ┌────┴─────┐
│ └──────────┘      │possible         │   │                │          │
│                   │                 │   └────────────────┤customer 2│
│                   │                 │                    │          │
└───────────────────┴─────────────────┘                    └──────────┘
Score:0
gp flag
Tim

AWS Client VPN is more likely to be suitable than a standard VPN; a standard VPN isn't really made to connect multiple customers. Client VPN works well, though I have never tried routing between multiple clients. Be careful with authentication.

If you have to use site-to-site VPNs, and you have one server per customer, I would approach this differently. I'd have a separate subnet / VPN / account per customer and keep things completely separate, so separate VPNs. Shared infrastructure can be done with shared VPCs, transit gateway, etc.

cn flag
Unfortunately the customers all "do" site-to-site VPNs, and so far I think Client VPN is structurally different from that (not "just" a different implementation on top of the very same protocol, so the client does not notice a difference ...). Please correct me if I'm wrong; I'm no VPN expert (to maybe state the obvious) ...
gp flag
Tim
Read the second paragraph of my answer, which I've tweaked slightly to make it easier to understand.
cn flag
Hi @Tim, sure, can do, it's just also a cost issue :) . Also AWS limits. Basically it's the way we're doing it right now; it still feels like overkill.
gp flag
Tim
I don't think you're using AWS VPNs how they're designed to be used. One per customer is what I'd do. You might be better off creating an EC2 instance, installing software and doing VPNs that way. In your place I would be rethinking my architecture.
cn flag
Well, if you could guide me to some sources about how it is actually supposed to be used, we both could stop thinking :D
gp flag
Tim
My answer provides my opinion.
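Tim's layout from the answer above (one subnet and one site-to-site VPN per customer), combined with the "one host, one port range" requirement from the question, written out as Terraform. This is an added example, not code from the thread or from AWS; every CIDR, IP address, the port range 8000-8099 and all resource names are assumptions, and route-table propagation, the customer-side tunnel configuration and the server instances themselves are left out.

```hcl
# Added example (not from the thread). Every CIDR, IP address and name is a
# placeholder; substitute the customer's real values.
locals {
  customers = {
    # onprem_cidr = network behind the customer's VPN, gateway_ip = its public endpoint
    customer1 = { onprem_cidr = "10.101.0.0/16", gateway_ip = "203.0.113.10", subnet_cidr = "172.16.1.0/24" }
    customer2 = { onprem_cidr = "10.102.0.0/16", gateway_ip = "198.51.100.20", subnet_cidr = "172.16.2.0/24" }
  }
  allowed_ports = { from = 8000, to = 8099 } # the "certain port range" from the question
}
resource "aws_vpc" "main" { cidr_block = "172.16.0.0/16" }
resource "aws_vpn_gateway" "vgw" { vpc_id = aws_vpc.main.id }
# One dedicated subnet per customer, as the answer suggests.
resource "aws_subnet" "per_customer" {
  for_each   = local.customers
  vpc_id     = aws_vpc.main.id
  cidr_block = each.value.subnet_cidr
}
# One customer gateway and one site-to-site VPN connection per customer.
resource "aws_customer_gateway" "per_customer" {
  for_each   = local.customers
  bgp_asn    = 65000 # required by the API even with static routing
  ip_address = each.value.gateway_ip
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "per_customer" {
  for_each            = local.customers
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.per_customer[each.key].id
  type                = "ipsec.1"
  static_routes_only  = true
}
resource "aws_vpn_connection_route" "per_customer" {
  for_each               = local.customers
  vpn_connection_id      = aws_vpn_connection.per_customer[each.key].id
  destination_cidr_block = each.value.onprem_cidr
}
# The VPN connection carries no filter of its own; the filter sits on the
# server's security group: only this customer's on-premises CIDR, only the port range.
resource "aws_security_group" "per_customer_server" {
  for_each = local.customers
  name     = "${each.key}-server"
  vpc_id   = aws_vpc.main.id
  ingress {
    from_port   = local.allowed_ports.from
    to_port     = local.allowed_ports.to
    protocol    = "tcp"
    cidr_blocks = [each.value.onprem_cidr]
  }
}
```

The security group is evaluated on the server's network interface, so traffic arriving through the tunnel is matched by the customer's on-premises source CIDR; it says nothing about traffic between two customers' tunnels, which this example does not address.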