I tried to follow these instructions: How to set up client VPN in AWS using Terraform
To test it, I changed the `ingress` rule to allow traffic only on port 470, but I can still connect to the VPN endpoint.
I did not find any relevant official AWS documentation or blog post that clarifies how `aws_security_group` rules should be configured.
How do I write an `ingress` rule for an `aws_security_group` that is assigned to an `aws_ec2_client_vpn_endpoint`, so that only the specified traffic is allowed?
I also asked this on SO: terraform - How to restrict ingress traffic only to 443 UDP via `aws_security_group` to VPN Client endpoint? - Stack Overflow
```hcl
resource "aws_security_group" "client_vpn_access" {
  description = "Allow inbound traffic from port 443, to the VPN"
  name_prefix = "${var.project_name}_vpn"
  vpc_id      = var.vpc_id

  # Explicitly empty ingress set: no inbound rules at all.
  ingress = [] # Even this allows me to connect to Client VPN endpoint

  # Allow all outbound traffic, all protocols, to any destination.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_ec2_client_vpn_endpoint" "client_vpn_endpoint" {
  # name = var.project_name
  description            = "Client VPN endpoint"
  vpc_id                 = var.vpc_id
  server_certificate_arn = aws_acm_certificate.vpn_server_cert.arn
  client_cidr_block      = var.client_cidr_block
  split_tunnel           = var.split_tunnel
  security_group_ids     = [aws_security_group.client_vpn_access.id]
  session_timeout_hours  = var.session_timeout_hours

  # Mutual TLS: clients are authenticated against this root certificate chain.
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.vpn_client_root_cert.arn
  }
}
```
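An added illustration, not from the question or the linked guide: the security group on a Client VPN endpoint is applied to the endpoint's network interface in each associated subnet, so its rules filter traffic between connected clients and the VPC rather than client connections to the endpoint's public listener. Restricting what clients can reach is therefore done with the endpoint group's egress rules plus a matching rule on the target's own group; assumed names are `var.vpc_id`, `var.vpc_cidr`, `var.subnet_id` and an existing `aws_security_group.app`.

```hcl
# Added example (not the original post's code). Assumed: var.vpc_id,
# var.vpc_cidr, var.subnet_id, and an existing aws_security_group.app.

# Applied to the endpoint ENI in each associated subnet. It does not filter
# clients connecting to the endpoint's public listener, which is why an empty
# ingress set still lets clients connect.
resource "aws_security_group" "client_vpn_access" {
  name_prefix = "vpn-endpoint-"
  description = "Client VPN endpoint: only HTTPS from clients into the VPC"
  vpc_id      = var.vpc_id

  # Nothing in the VPC needs to initiate connections toward VPN clients.
  ingress = []

  # Outbound from the endpoint ENI is what connected clients may reach.
  # Security groups are stateful, so replies to these flows are allowed.
  egress {
    description = "HTTPS to workloads in the VPC only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# The target's group must accept the traffic; referencing the endpoint group
# is tighter than opening the port to the whole client CIDR block.
resource "aws_security_group_rule" "app_from_vpn" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.client_vpn_access.id
  description              = "HTTPS from Client VPN endpoint ENI"
}

# The association creates the ENI the group is applied to. An authorization
# rule is still required: without one no traffic is forwarded at all.
resource "aws_ec2_client_vpn_network_association" "subnet" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client_vpn_endpoint.id
  subnet_id              = var.subnet_id
}

resource "aws_ec2_client_vpn_authorization_rule" "vpc" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client_vpn_endpoint.id
  target_network_cidr    = var.vpc_cidr
  authorize_all_groups   = true
}
```

After `terraform apply`, a connected client can reach port 443 on hosts in `aws_security_group.app` and nothing else in the VPC; VPC flow logs on the endpoint ENI show rejected entries for any other port.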