1

I am trying to connect to one of my EC2 instances from my local machine using an AWS Client VPN Endpoint. I have a Landing Zone setup.

The Transit Gateway and AWS Client VPN Endpoint are created in the Shared Account, and the Transit Gateway is shared with the Application Account using AWS RAM.

A VPC is also created in the Shared Account. I am able to ping/connect to the instance launched in the Shared Account, but I am not able to ping/connect to the server launched in the Application Account.

I also tried to ping from an EC2 machine in the Shared Account to an EC2 machine in the Application Account; this also did not work. Ideally I was expecting this to connect.

I have tried to put most of the details and configurations I used in the following images. It would be great if someone could help me understand the root cause.

Note: I have not configured DNS Servers while creating AWS Client VPN Endpoint.


Shivkumar Mallesappa
  • 2,875
  • 7
  • 41
  • 68

1 Answer

3

If you follow the routes in your picture, you want to connect from your machine to an IP address in the range 1.8.2.2/26.

This already fails at the start since the client VPN has no routes configured for that range, only for 1.8.2.6/26. So your packet doesn't get past the client VPN. Add a route at the client VPN for 1.8.2.2/26 to go to subnet SA.
That should get you at least one step further :)

LRutten
  • 1,634
  • 7
  • 17
  • Thank you for your prompt response. So should I share the subnet in Shared Account and attach it with Client VPN? I think this approach is not correct. – Shivkumar Mallesappa Sep 07 '21 at 13:42
  • No, you can add a target inside the client VPN routes. Right now it says 1.8.2.6/26 => SA subnet (see top right on the diagram). Add a target 1.8.2.2/26 => SA subnet. – LRutten Sep 07 '21 at 13:51
  • Traffic will flow from client VPN => shared subnet => transit gateway => PA VPC – LRutten Sep 07 '21 at 13:54
  • The destination CIDR and the endpoint's client CIDR do not match. My Client VPN CIDR is 1.8.0.0/22 and PA VPC 1.8.2.0/24. – Shivkumar Mallesappa Sep 07 '21 at 14:00
  • There should be no overlaps in your client VPN CIDR range and your destinations. Try to assign a client VPN CIDR that does not overlap with any of the network ranges you try to connect to. Then retry the steps above. – LRutten Sep 07 '21 at 14:27
  • 10.86.0.0/22 - CIDR for VPN, 10.85.242.64/26 - CIDR for SA-Subnet, 10.85.238.0/24 - CIDR for PA-Subnet – Shivkumar Mallesappa Sep 07 '21 at 14:30
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/236852/discussion-between-shivkumar-mallesappa-and-lrutten). – Shivkumar Mallesappa Sep 07 '21 at 14:33
  • OK, and if you add a client VPN route for 10.85.238.0/24 to the SA subnet, the client VPN should be able to send traffic there. From the SA subnet traffic will be forwarded to the transit gateway. – LRutten Sep 07 '21 at 14:33
  • I've got a similar topology working OK. So, although I don't know whether the original poster eventually worked out all the bugs, I'd like to point out that this topology is good in general. – Vincent Yin Oct 17 '21 at 19:12
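As an added illustration of the hop-by-hop reasoning in the answer and comments above (example code, not anything posted by the question's author or answerer), the following Python models the Client VPN, SA subnet and transit gateway route tables with the CIDRs given in the comments and traces where a packet to the PA subnet is dropped before and after the extra Client VPN route. The node names (client-vpn, subnet-SA, tgw-shared, attachment-PA) are hypothetical labels, and the SA subnet and transit gateway route tables are assumed to already point the PA CIDR at the transit gateway and its PA attachment.

```python
from ipaddress import ip_address, ip_network

# CIDRs as posted by the question's author in the comments.
CLIENT_CIDR = "10.86.0.0/22"
SA_SUBNET = "10.85.242.64/26"
PA_SUBNET = "10.85.238.0/24"

# Route tables, hop by hop, as {destination CIDR: next hop}. Node names are
# hypothetical labels. A next hop that is not itself a table (local,
# attachment-*) means the packet is delivered.
BROKEN_TABLES = {
    "client-vpn": {SA_SUBNET: "subnet-SA"},  # only the SA subnet, as in the question
    "subnet-SA": {SA_SUBNET: "local", PA_SUBNET: "tgw-shared"},  # assumed
    "tgw-shared": {SA_SUBNET: "attachment-SA", PA_SUBNET: "attachment-PA"},  # assumed
}
# The fix proposed in the answer: one more Client VPN route, PA CIDR => SA subnet.
FIXED_TABLES = {**BROKEN_TABLES,
                "client-vpn": {SA_SUBNET: "subnet-SA", PA_SUBNET: "subnet-SA"}}


def longest_prefix_match(table, target):
    """Return the next hop of the most specific matching route, or None."""
    matches = [(ip_network(cidr), hop) for cidr, hop in table.items()
               if target in ip_network(cidr)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def overlaps(client_cidr, destination_cidrs):
    """Destinations that overlap the client CIDR; Client VPN cannot route to those."""
    client = ip_network(client_cidr)
    return [c for c in destination_cidrs if client.overlaps(ip_network(c))]


def trace(dst, tables, client_cidr=CLIENT_CIDR):
    """Walk a destination address through the tables; list the hops or the drop point."""
    target = ip_address(dst)
    if target in ip_network(client_cidr):
        return [f"drop: {dst} lies inside client CIDR {client_cidr}"]
    node, path = "client-vpn", []
    while node in tables and len(path) < 16:  # bound guards against routing loops
        hop = longest_prefix_match(tables[node], target)
        if hop is None:
            return path + [f"drop: {node} has no route to {dst}"]
        path.append(f"{node} -> {hop}")
        node = hop
    if node in tables:
        return path + ["drop: routing loop"]
    return path + [f"delivered via {node}"]


if __name__ == "__main__":
    for tables in (BROKEN_TABLES, FIXED_TABLES):
        print(trace("10.85.238.10", tables))
    print(overlaps("1.8.0.0/22", ["1.8.2.0/24"]))  # the overlap raised in the comments
```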