So we basically have a bunch of different EC2 instances set up and are using terraform to create/destroy instances. Since we have a bunch of remote workers (some with non-static public IPs), I have been tasked with creating a VPN that users can connect to so we can whitelist one single IP address (VPN IP). What would the easiest/best way to do this be?
We’ve just implemented a design for criteria exactly like this. We went with OpenVPN Access Server for ease of use internally (comes with an admin web UI), and this allows users who need SSH access to a private subnet in a separate VPC for our application to do as you say: connect from a single source public IP. There’s an AMI on the marketplace, prebuilt and ready to go, licensed per user (every 10 users I think is a new license tier; a 2-user license is free).
Set up AWS Client VPN or OpenVPN with NAT enabled; this will put all your clients behind 1 IP.
Are you whitelisting this single IP in your security groups? If so, this isn’
Is the goal to connect to the EC2 instances?
If so, set up AWS Client VPN, EC2 in a private subnet, VPN in the same subnet, and lock it down to local subnet traffic over the needed ports.
Use EC2 Instance Connect to connect to the instances over the VPN.
If you only need to access EC2, enable split tunneling on the VPN.
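Added example (not posted by anyone in this thread, and not the asker's own Terraform): one way to express the steps in the answer above as Terraform for the AWS provider. It creates a Client VPN endpoint with split tunneling, associates it with the private subnet that holds the EC2 instances, and restricts SSH on those instances to traffic arriving through the VPN's security group rather than to a public IP, so the "whitelist a single IP" requirement becomes "whitelist the VPN". The certificate ARNs, VPC and subnet IDs, and CIDRs are placeholders you would replace with your own values; the client CIDR must not overlap the VPC CIDR.

```hcl
# Placeholders: swap these for the real IDs/ARNs from your account.
variable "vpc_id"            { default = "vpc-PLACEHOLDER" }
variable "private_subnet_id" { default = "subnet-PLACEHOLDER" }
variable "vpc_cidr"          { default = "10.0.0.0/16" }        # constructed sample
variable "client_cidr"       { default = "10.100.0.0/22" }      # must not overlap vpc_cidr
variable "server_cert_arn"   { default = "arn:aws:acm:REGION:ACCOUNT:certificate/SERVER-PLACEHOLDER" }
variable "client_ca_arn"     { default = "arn:aws:acm:REGION:ACCOUNT:certificate/CLIENT-CA-PLACEHOLDER" }

# Security group attached to the VPN endpoint's ENIs. No ingress is needed here:
# client traffic enters via the tunnel, and this group is only used as a reference
# by the instance security group below.
resource "aws_security_group" "vpn" {
  name   = "client-vpn"
  vpc_id = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_cidr]   # VPN clients may only reach the VPC, nothing else
  }
}

# Keep connection logs so you can see who connected and when.
resource "aws_cloudwatch_log_group" "vpn" {
  name              = "/aws/client-vpn"
  retention_in_days = 90
}
resource "aws_cloudwatch_log_stream" "vpn" {
  name           = "connections"
  log_group_name = aws_cloudwatch_log_group.vpn.name
}

resource "aws_ec2_client_vpn_endpoint" "this" {
  description            = "remote worker access to private subnet"
  server_certificate_arn = var.server_cert_arn
  client_cidr_block      = var.client_cidr
  split_tunnel           = true          # only VPC routes go through the tunnel
  vpc_id                 = var.vpc_id
  security_group_ids     = [aws_security_group.vpn.id]

  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = var.client_ca_arn
  }
  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
  }
}

# Attaching the endpoint to the private subnet adds that subnet's route to the VPN
# route table, which is what split tunneling pushes to clients.
resource "aws_ec2_client_vpn_network_association" "private" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
  subnet_id              = var.private_subnet_id
}

# Authorize clients to reach the VPC only; widen to specific groups if you use AD/SAML.
resource "aws_ec2_client_vpn_authorization_rule" "vpc" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
  target_network_cidr    = var.vpc_cidr
  authorize_all_groups   = true
}

# Instance security group: SSH is allowed only from the VPN endpoint's security
# group, i.e. from connected VPN clients, never from 0.0.0.0/0 or a home IP.
resource "aws_security_group" "instances" {
  name   = "private-instances"
  vpc_id = var.vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "ssh_from_vpn" {
  security_group_id            = aws_security_group.instances.id
  referenced_security_group_id = aws_security_group.vpn.id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
}
```

Because the instance rule references the VPN security group instead of an IP, it keeps working when the VPN endpoint's addresses change, and a worker whose home IP changes needs no security-group edit at all. If you later need the NAT-style "single public IP" for third-party allowlists, that is a separate NAT gateway in front of the instances' outbound path; the inbound SSH path above does not need it.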