[VPN] Can Client VPN Control Access by IP Address?

Question 

To restrict access to Client VPN, IP addresses were registered in the Security Group. However, access is still possible from IP addresses not registered or allowed.

Is it not possible to control access by IP address within Client VPN itself?

Answer 

AWS Client VPN allows clients to connect to the Client VPN endpoint using the following types of client authentication: 

  • Active Directory authentication (user-based)

  • Mutual authentication (certificate-based)

  • Single sign-on (SAML-based federated authentication) (user-based)

If authentication succeeds, the client connects to the Client VPN endpoint and establishes a VPN session. If authentication fails, the connection is denied and the client cannot establish a VPN session. [1] 

You can use one of the above methods or combine user-based methods with mutual authentication as follows: 

  • Mutual authentication and federated authentication 

  • Mutual authentication and Active Directory authentication 

Security Groups in Client VPN are used when configuring the Client VPN endpoint to restrict access to specific resources in the VPC.

By adding or removing security group rules that reference the security groups applied to target network connections (Client VPN security groups), you can allow or deny access to specific resources in the VPC. [2]

Therefore, registering public IPs in Security Groups cannot be used to allow or restrict clients connecting to the Client VPN endpoint. 

To allow or restrict access by public IP to the Client VPN endpoint, you can configure a "client connection handler" for the Client VPN endpoint. This handler lets you run custom logic to authenticate new connections based on device, user, and connection attributes. [3] 

Currently, the only supported client connection handler type is a "Lambda" function. 
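The following is an added example of such a handler, not code from the original answer or from AWS: a Python Lambda function that allows a new connection only when the client's public IP falls inside an approved set of CIDR ranges and otherwise denies it (failing closed when the address is missing or malformed). The input and output field names (`public-ip`, `username`, `common-name`, `connection-id`, `allow`, `error-msg-on-failed-posture-compliance`, `posture-compliance-statuses`, `schema-version`) are taken from the connection handler schema as documented in [3]; check them against the current documentation before deploying. The CIDR ranges are constructed placeholders from the RFC 5737 test networks.

```python
"""Client connection handler for AWS Client VPN (added example).

Client VPN invokes this Lambda once per connection attempt, after the
authentication step, and honours the returned decision document.
Field names follow the connection handler schema (schema-version v1) in the
documentation linked as [3]; verify them before use.
"""
import ipaddress
import logging
from typing import Optional

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

# Constructed allowlist for this example (RFC 5737 test ranges).
# Replace with the public egress ranges of the networks you want to admit.
ALLOWED_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder "office A"
    ipaddress.ip_network("198.51.100.7/32"),  # placeholder "office B NAT gateway"
]


def is_allowed_source(public_ip: Optional[str]) -> bool:
    """Return True only if the client's public IP is inside an allowed range.

    A missing or unparseable address is treated as not allowed (fail closed),
    so a malformed event can never grant access by accident.
    """
    if not public_ip:
        return False
    try:
        addr = ipaddress.ip_address(public_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_CIDRS)


def decision(allow: bool, message: str = "") -> dict:
    """Build the response document the Client VPN service expects."""
    return {
        "allow": allow,
        # Shown to the user by the VPN client when the connection is refused.
        "error-msg-on-failed-posture-compliance": "" if allow else message,
        "posture-compliance-statuses": [],
        "schema-version": "v1",
    }


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: one call per new Client VPN connection attempt."""
    public_ip = event.get("public-ip")
    # Username is present for user-based auth; mutual auth supplies common-name.
    user = event.get("username") or event.get("common-name")
    allowed = is_allowed_source(public_ip)
    # Log every decision so denied attempts can be alerted on from CloudWatch Logs.
    logger.info(
        "connection-id=%s user=%s public-ip=%s allow=%s",
        event.get("connection-id"), user, public_ip, allowed,
    )
    if not allowed:
        return decision(False, "Connections are only permitted from approved networks.")
    return decision(True)
```

The function name must begin with `AWSClientVPN-` for the endpoint to accept it as a connection handler, and the handler is consulted only when a session is being established, so tightening the allowlist does not drop sessions that are already connected; those have to be terminated separately.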

-------------------------------------------------------------------------------------

[1] Client Authentication
https://docs.aws.amazon.com/ko_kr/vpn/latest/clientvpn-admin/client-authentication.html

[2] Restricting Access Using Security Groups
https://docs.aws.amazon.com/ko_kr/vpn/latest/clientvpn-admin/scenario-restrict.html#scenario-restrict-security-groups

[3] Connection Authorization
https://docs.aws.amazon.com/ko_kr/vpn/latest/clientvpn-admin/connection-authorization.html
