Hello everyone,
I am working on a small internal application which is deployed to S3 (static site) and an API (Lambda + API Gateway). CloudFront sits in front in order to manage routing to the proper origin and to add TLS and custom DNS.
This application should only be accessible via AWS Client VPN (which is configured with split tunneling). Since the CloudFront IPs are not static, I was wondering how I can properly add the routes to the route table so that the traffic is properly routed over the VPN.
Any ideas? One idea was to get rid of CloudFront and replace it with an ALB. However, I would like to keep CloudFront if it's possible.
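The route-table problem in the post above is usually approached by reading the published AWS IP ranges rather than chasing individual CloudFront addresses. The script below is an added example, not code from the original thread or from AWS: it pulls the `CLOUDFRONT` entries out of a document in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json (the JSON embedded here is a constructed excerpt, not real AWS ranges), collapses adjacent prefixes so fewer routes are needed, emits the `aws ec2 create-client-vpn-route` / `authorize-client-vpn-ingress` commands for a Client VPN endpoint, and diffs two snapshots so a scheduled job can add and remove routes as the list changes. The endpoint and subnet IDs are hypothetical placeholders. Two caveats a practitioner would want before running this for real: the `CLOUDFRONT` list is far larger than a Client VPN endpoint's default route quota, and routing it over the tunnel sends every CloudFront-fronted site the client visits through the VPN, not only the internal one. `CLOUDFRONT_ORIGIN_FACING` is deliberately excluded; those are the addresses CloudFront uses to reach origins, not the edges clients connect to.

```python
"""Turn the CLOUDFRONT entries of an ip-ranges.json document into Client VPN routes.

Added example, not from the original thread. Endpoint and subnet IDs below are
hypothetical placeholders; SAMPLE_IP_RANGES is a constructed excerpt that only
mimics the real file's layout (prefixes / ipv6_prefixes with service tags).
"""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (documentation ranges only).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        # Every CLOUDFRONT range is also listed under AMAZON; we must not double count.
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
        # Origin-facing ranges are what CloudFront uses to reach origins, not client edges.
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "CLOUDFRONT_ORIGIN_FACING", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/33", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ipv6_prefix": "2001:db8:8000::/33", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ipv6_prefix": "2001:db8:ffff::/48", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
})


def cloudfront_prefixes(raw_json: str, ipv6: bool = False) -> list[str]:
    """Return the CLOUDFRONT prefixes, deduplicated and collapsed into the
    smallest set of covering networks (fewer routes to push to the endpoint)."""
    doc = json.loads(raw_json)
    section, key = ("ipv6_prefixes", "ipv6_prefix") if ipv6 else ("prefixes", "ip_prefix")
    nets = {
        ipaddress.ip_network(entry[key])
        for entry in doc[section]
        if entry["service"] == "CLOUDFRONT"  # not AMAZON, not CLOUDFRONT_ORIGIN_FACING
    }
    # collapse_addresses merges adjacent/overlapping networks of one address family.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def route_commands(prefixes: list[str], endpoint_id: str, subnet_id: str) -> list[str]:
    """Build the AWS CLI calls that add each prefix to the Client VPN route table
    and authorize clients to reach it. A route without an authorization rule is
    silently unusable, so both are emitted for every prefix."""
    cmds = []
    for cidr in prefixes:
        cmds.append(
            f"aws ec2 create-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
            f"--destination-cidr-block {cidr} --target-vpc-subnet-id {subnet_id}"
        )
        cmds.append(
            f"aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id {endpoint_id} "
            f"--target-network-cidr {cidr} --authorize-all-groups"
        )
    return cmds


def diff_routes(current: list[str], desired: list[str]) -> tuple[list[str], list[str]]:
    """Compare the routes already on the endpoint with the freshly computed list.
    Returns (to_add, to_remove) so a scheduled job only touches what changed."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)


if __name__ == "__main__":
    # Hypothetical IDs; replace with your own endpoint and target subnet.
    endpoint, subnet = "cvpn-endpoint-0123456789abcdef0", "subnet-0123456789abcdef0"
    v4 = cloudfront_prefixes(SAMPLE_IP_RANGES)
    for cmd in route_commands(v4, endpoint, subnet):
        print(cmd)
    print("to add / to remove:", diff_routes(["10.0.0.0/8"], v4))
```

In practice the job fetches the live document (and checks `syncToken` against the last run) instead of using the embedded sample, stores the prefixes it last applied, and feeds that list as `current` to `diff_routes`; removals go through `delete-client-vpn-route` and `revoke-client-vpn-ingress`. The collapsing step matters because the endpoint's route quota is the first thing that breaks when the full list is pushed.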
You’re already in the AWS ecosystem with Client VPN, so why not use Verified Access instead?
Hi, were you able to solve this? I am currently stuck in the same situation.
Interesting: Introducing AWS Verified Access – General Availability | Networking & Content Delivery
How does it compare to zero trust solutions like goteleport and cloudflare’s options?
No idea. I haven't deployed any zero-trust yet because s2s VPN by comparison is cheaper. And the places that can use CloudFlare don't need the zero-trust part, so I don't have an apples-to-apples comparison.
OP is using Client VPN, so I'm assuming he's either paying full price, which is similar to Verified Access, or he has setup/teardown in his workflow for JIT provisioning, which can easily pivot to Verified Access.