
Restricting CloudFront access to Client VPN

Kieran Yio
4 min read · Dec 26, 2022

You use CloudFront to deliver static website content to the public, and you run an identical setup in your non-production environments (e.g. dev, stg) to mirror production. You also use a split-tunnel Client VPN to give internal users secure access to internal services. Now you want to restrict the non-production CloudFront distributions to internal users only (developers and engineers connected to the Client VPN), without redesigning the static website architecture, and you are not sure how to do it.

In this blog post, we will discuss a solution to this problem: a forward proxy.

Architecture Diagram

Client VPN

This is a split-tunnel Client VPN associated with multiple private subnets. The ENIs (elastic network interfaces) used by the VPN are created and managed by AWS in the associated subnets. These ENIs must be able to reach the proxy application load balancer, which forwards requests to the proxy instance, which in turn forwards them to CloudFront. Because the VPN is split-tunnel, clients only send traffic through the tunnel for destinations that appear in the Client VPN endpoint route table, so the CIDR ranges of the subnets hosting the proxy application load balancer must be added to that route table, with a matching authorization rule so that clients are allowed to reach them.
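As an added example (not code from the original post), here is a small Python check for the route-table requirement just described. It reads the JSON shapes returned by `aws ec2 describe-client-vpn-routes` and `aws ec2 describe-client-vpn-authorization-rules` and reports whether the CIDR of the subnets hosting the proxy ALB is covered by both an active route and an active authorization rule. The endpoint ID, subnet IDs and CIDRs are constructed sample values; in practice the two dictionaries would be the parsed output of those CLI calls. Security groups on the VPN ENIs and the ALB are a separate check that this script does not cover.

```python
"""Check whether a Client VPN endpoint can route clients to the proxy ALB subnets.

Added example, not from the original post. Input shapes follow
`aws ec2 describe-client-vpn-routes` and
`aws ec2 describe-client-vpn-authorization-rules`; all IDs and CIDRs
below are constructed sample data.
"""
import ipaddress
from typing import Dict, List

ENDPOINT = "cvpn-endpoint-0example"  # constructed

# Constructed sample of describe-client-vpn-routes output.
SAMPLE_ROUTES = {
    "Routes": [
        # Routes AWS adds automatically when a subnet is associated.
        {"ClientVpnEndpointId": ENDPOINT, "DestinationCidr": "10.20.1.0/24",
         "TargetSubnet": "subnet-0aaa", "Type": "Nat", "Origin": "associate",
         "Status": {"Code": "active"}},
        {"ClientVpnEndpointId": ENDPOINT, "DestinationCidr": "10.20.2.0/24",
         "TargetSubnet": "subnet-0bbb", "Type": "Nat", "Origin": "associate",
         "Status": {"Code": "active"}},
        # Route towards the ALB subnets was added manually but is not active yet.
        {"ClientVpnEndpointId": ENDPOINT, "DestinationCidr": "10.20.10.0/23",
         "TargetSubnet": "subnet-0aaa", "Type": "Nat", "Origin": "add-route",
         "Status": {"Code": "creating"}},
    ]
}

# Constructed sample of describe-client-vpn-authorization-rules output.
SAMPLE_AUTH_RULES = {
    "AuthorizationRules": [
        {"ClientVpnEndpointId": ENDPOINT, "DestinationCidr": "10.20.0.0/22",
         "AccessAll": True, "GroupId": "", "Status": {"Code": "active"}},
    ]
}


def _active_cidrs(items: List[Dict]) -> List[ipaddress.IPv4Network]:
    """Destination CIDRs whose status is 'active'; anything else is not usable yet."""
    return [ipaddress.ip_network(item["DestinationCidr"])
            for item in items
            if item.get("Status", {}).get("Code") == "active"]


def check_vpn_reach(target_cidr: str, routes: Dict, auth_rules: Dict) -> List[str]:
    """Return the reasons `target_cidr` is unreachable from VPN clients; [] means OK.

    With split tunnel, a destination is only sent through the tunnel if an
    active route in the endpoint route table covers it, and the endpoint only
    forwards it if an active authorization rule covers it. Both are required.
    """
    target = ipaddress.ip_network(target_cidr)
    problems = []
    if not any(target.subnet_of(net) for net in _active_cidrs(routes["Routes"])):
        problems.append(f"no active route covers {target}")
    if not any(target.subnet_of(net)
               for net in _active_cidrs(auth_rules["AuthorizationRules"])):
        problems.append(f"no active authorization rule covers {target}")
    return problems


if __name__ == "__main__":
    # Constructed CIDR for the subnets that host the proxy ALB.
    for cidr in ("10.20.1.0/24", "10.20.10.0/23"):
        issues = check_vpn_reach(cidr, SAMPLE_ROUTES, SAMPLE_AUTH_RULES)
        print(cidr, "OK" if not issues else "; ".join(issues))
```

A route whose status is still `creating` (or an authorization rule that was never added) is a common reason a client connected to the VPN cannot reach the proxy even though the rest of the path is correct, so the check treats only `active` entries as usable.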

If you are connected to the Client VPN and have connectivity issues reaching the proxy, check the following configuration:

Written by Kieran Yio

Technologist | AWS Community Builder | Sharing my knowledge with the community
