
How do I use AWS CloudFront with EC2 Client VPN?

In this guide, we will set up AWS CloudFront to deliver content and configure an EC2 Client VPN to provide secure access to resources within a VPC. We will create a CloudFront distribution, an EC2 Client VPN endpoint, and associate the VPN with a subnet in the VPC.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a private S3 bucket to serve as the origin for CloudFront
const bucket = new aws.s3.Bucket("contentBucket");

// Create an origin access identity so that CloudFront, and only CloudFront, can read the bucket.
// An empty originAccessIdentity on a private bucket makes every request return 403.
const originAccessIdentity = new aws.cloudfront.OriginAccessIdentity("myOriginAccessIdentity", {
    comment: "CloudFront read access to contentBucket",
});

// Bucket policy granting the origin access identity read access to the objects
const bucketPolicy = new aws.s3.BucketPolicy("contentBucketPolicy", {
    bucket: bucket.id,
    policy: pulumi.all([bucket.arn, originAccessIdentity.iamArn]).apply(([bucketArn, oaiArn]) =>
        JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { AWS: oaiArn },
                Action: "s3:GetObject",
                Resource: `${bucketArn}/*`,
            }],
        })),
});

// Create a CloudFront distribution
const distribution = new aws.cloudfront.Distribution("myDistribution", {
    enabled: true,
    origins: [{
        originId: bucket.arn,
        domainName: bucket.bucketRegionalDomainName,
        s3OriginConfig: {
            originAccessIdentity: originAccessIdentity.cloudfrontAccessIdentityPath,
        },
    }],
    defaultCacheBehavior: {
        targetOriginId: bucket.arn,
        viewerProtocolPolicy: "redirect-to-https",
        allowedMethods: ["GET", "HEAD"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            queryString: false,
            cookies: {
                forward: "none",
            },
        },
        minTtl: 0,
        defaultTtl: 3600,
        maxTtl: 86400,
    },
    priceClass: "PriceClass_100",
    restrictions: {
        geoRestriction: {
            restrictionType: "none",
        },
    },
    viewerCertificate: {
        cloudfrontDefaultCertificate: true,
    },
}, { dependsOn: [bucketPolicy] });

// Create a VPC
const vpc = new aws.ec2.Vpc("myVpc", {
    cidrBlock: "10.0.0.0/16",
});

// Create a subnet; the Client VPN endpoint is associated with this subnet below
const subnet = new aws.ec2.Subnet("mySubnet", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
});

// Security group attached to the Client VPN's network interfaces in the VPC.
// It controls traffic between connected VPN clients and VPC resources; the
// internet-facing VPN listener itself is managed by AWS and is not governed by it.
const securityGroup = new aws.ec2.SecurityGroup("mySecurityGroup", {
    vpcId: vpc.id,
    ingress: [{
        protocol: "tcp",
        fromPort: 443,
        toPort: 443,
        cidrBlocks: ["0.0.0.0/0"],
    }],
    egress: [{
        protocol: "-1",
        fromPort: 0,
        toPort: 0,
        cidrBlocks: ["0.0.0.0/0"],
    }],
});

// CloudWatch log group and stream for connection logs; the endpoint does not create them itself
const vpnLogGroup = new aws.cloudwatch.LogGroup("clientVpnLogGroup", {
    retentionInDays: 90,
});
const vpnLogStream = new aws.cloudwatch.LogStream("clientVpnLogStream", {
    logGroupName: vpnLogGroup.name,
});

// Certificates must already exist in ACM in the same region; these ARNs are placeholders.
// With mutual authentication, the client root chain may reuse the server certificate ARN
// when both certificates were issued by the same CA.
const serverCertificateArn = "arn:aws:acm:us-west-2:123456789012:certificate/abcd1234-5678-90ab-cdef-1234567890ab";
const clientRootCertificateChainArn = "arn:aws:acm:us-west-2:123456789012:certificate/abcd1234-5678-90ab-cdef-1234567890ab";

// Create a Client VPN endpoint
const clientVpnEndpoint = new aws.ec2clientvpn.Endpoint("myClientVpnEndpoint", {
    vpcId: vpc.id,
    // Address pool handed to connected clients. AWS requires a block size between /22 and /12
    // that does not overlap the VPC CIDR (10.0.0.0/16), so it cannot be carved out of the VPC range.
    clientCidrBlock: "10.100.0.0/22",
    serverCertificateArn: serverCertificateArn,
    authenticationOptions: [{
        type: "certificate-authentication",
        rootCertificateChainArn: clientRootCertificateChainArn,
    }],
    connectionLogOptions: {
        enabled: true,
        cloudwatchLogGroup: vpnLogGroup.name,
        cloudwatchLogStream: vpnLogStream.name,
    },
    dnsServers: ["8.8.8.8"],
    transportProtocol: "udp",
    securityGroupIds: [securityGroup.id],
});

// Associate the Client VPN with the subnet
const vpnNetworkAssociation = new aws.ec2clientvpn.NetworkAssociation("myVpnNetworkAssociation", {
    clientVpnEndpointId: clientVpnEndpoint.id,
    subnetId: subnet.id,
});

// Authorize connected clients to reach the VPC; without an authorization rule the
// endpoint accepts connections but forwards no traffic into the network
const vpnAuthorizationRule = new aws.ec2clientvpn.AuthorizationRule("myVpnAuthorizationRule", {
    clientVpnEndpointId: clientVpnEndpoint.id,
    targetNetworkCidr: vpc.cidrBlock,
    authorizeAllGroups: true,
});

// Export the CloudFront distribution domain name and the Client VPN endpoint ID
export const cloudFrontUrl = distribution.domainName;
export const clientVpnEndpointId = clientVpnEndpoint.id;

Key Points

  • S3 Bucket: Serves as the origin for the CloudFront distribution.
  • CloudFront Distribution: Distributes content from the S3 bucket with caching and HTTPS support.
  • VPC and Subnet: Provides a network environment for the Client VPN.
  • Security Group: Controls the traffic allowed between connected VPN clients and resources in the VPC.
  • Client VPN Endpoint: Establishes a secure VPN connection to the VPC.
  • VPN Network Association: Associates the VPN endpoint with the subnet.
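The client address pool is the part of this configuration that most often fails at deployment: AWS requires the Client VPN clientCidrBlock to have a block size between /22 and /12 and not to overlap the CIDR of the VPC that holds the associated subnet. The check below is an added example, not Pulumi code or part of this guide's program; checkClientCidr, parseCidr and the sample CIDR values are hypothetical and constructed for illustration.

```typescript
// Added pre-deployment check (hypothetical helper, not Pulumi code): validates a Client VPN
// clientCidrBlock against the /22 to /12 size limit and the no-overlap-with-VPC rule.
interface Cidr {
    network: number;       // network address as an unsigned 32-bit integer
    prefixLength: number;
}

// Netmask for a prefix length; JavaScript shifts are modulo 32, so /0 needs a special case.
function maskFor(prefixLength: number): number {
    return prefixLength === 0 ? 0 : (0xffffffff << (32 - prefixLength)) >>> 0;
}

// Parse dotted-quad CIDR notation such as "10.0.0.0/16" into its network address.
function parseCidr(text: string): Cidr {
    const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(text.trim());
    if (m === null) throw new Error(`malformed CIDR: ${text}`);
    const octets = m.slice(1, 5).map(Number);
    const prefixLength = Number(m[5]);
    if (octets.some(o => o > 255) || prefixLength > 32) throw new Error(`out-of-range CIDR: ${text}`);
    const address = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
    return { network: (address & maskFor(prefixLength)) >>> 0, prefixLength };
}

// Two ranges overlap when the larger one (shorter prefix) contains the other's network address.
function overlaps(a: Cidr, b: Cidr): boolean {
    const mask = maskFor(Math.min(a.prefixLength, b.prefixLength));
    return ((a.network & mask) >>> 0) === ((b.network & mask) >>> 0);
}

// Returns the violated constraints; an empty list means the pair is deployable.
function checkClientCidr(clientCidrBlock: string, vpcCidrBlock: string): string[] {
    const client = parseCidr(clientCidrBlock);
    const vpc = parseCidr(vpcCidrBlock);
    const problems: string[] = [];
    if (client.prefixLength > 22) {
        problems.push(`client CIDR /${client.prefixLength} is smaller than the /22 minimum`);
    }
    if (client.prefixLength < 12) {
        problems.push(`client CIDR /${client.prefixLength} is larger than the /12 maximum`);
    }
    if (overlaps(client, vpc)) {
        problems.push(`client CIDR ${clientCidrBlock} overlaps VPC CIDR ${vpcCidrBlock}`);
    }
    return problems;
}

// Constructed sample values: a /24 inside the VPC fails both checks; a /22 outside it passes.
console.log(checkClientCidr("10.0.2.0/24", "10.0.0.0/16"));
console.log(checkClientCidr("10.100.0.0/22", "10.0.0.0/16"));
```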

Summary

We have set up an AWS CloudFront distribution to deliver content from an S3 bucket, and configured an EC2 Client VPN for secure access to resources within a VPC. This setup ensures secure and efficient content delivery and access.
