Hi @MarcoS It is not blocked by the Security Group because of the very nature of VPN. The vMX is software that acts as the encryption termination point for your VPN tunnel, inside the EC2 instance; this means the ENI of the EC2 instance only sees encrypted traffic (in this case, Auto VPN traffic, which uses UDP encapsulation, choosing UDP ports in high ranges, 32768-61000 last I checked).

So, even when the security group has no inbound rules, effectively blocking all incoming traffic, it will not block the traffic, even if it is encrypted, because it is within a VPN tunnel that operates at a lower OSI level than the security group?

Can you share what test led you to this conclusion?

Sure, my setup consists of 2 AWS accounts, A and B, where account A has a vMX EC2 instance with access to the on-premise resources. Accounts A and B can reach each other via a configured Transit Gateway; the goal of this infrastructure is to have access from AWS resources located in account B to the on-premise resources behind the vMX instance. So when I added an inbound rule to the security group for the vMX instance that allows only ICMP traffic from my AWS account B subnet, I had only ICMP packets allowed to my on-premise subnet from the AWS

I say eventually because the tunnel may stay up for some time, but soon will drop.

Yes, you are correct, after some time all traffic wasn't able to reach on-premise resources.
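An added check, not written by any participant in this thread, that evaluates a vMX instance's security-group inbound rules (in the boto3 `describe_security_groups` IpPermissions shape) against the two flows discussed above: ICMP from the account B subnet, and the Auto VPN UDP encapsulation range the first reply cites. The CIDRs, peer address and rule sets are constructed placeholders, and the port range is taken from the reply as an assumption to confirm against current Meraki documentation.

```python
import ipaddress

# Auto VPN UDP encapsulation range as the first reply cites it ("32768-61000
# last I checked"); assumed here, confirm against current Meraki documentation.
AUTOVPN_UDP_PORTS = (32768, 61000)

def admits(rules, proto, port, src_ip):
    """True if some inbound rule (boto3 IpPermissions shape) admits a NEW flow
    with this protocol, destination port and source IP. Security groups are
    stateful: return traffic for flows the vMX itself initiated is admitted
    regardless of inbound rules, and that case is not modelled here."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        rp = str(rule.get("IpProtocol", "-1"))        # "-1" means all protocols
        if rp != "-1" and rp != proto:
            continue
        if rp in ("tcp", "udp") and not (rule["FromPort"] <= port <= rule["ToPort"]):
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", [])):
            return True
    return False

def uncovered_udp(rules, src_ip, port_range=AUTOVPN_UDP_PORTS):
    """Contiguous sub-ranges of port_range that no rule admits as UDP from src_ip;
    an empty list means the whole encapsulation range is reachable from src_ip."""
    lo, hi = port_range
    gaps, start = [], None
    for p in range(lo, hi + 1):
        ok = admits(rules, "udp", p, src_ip)
        if not ok and start is None:
            start = p
        if ok and start is not None:
            gaps.append((start, p - 1))
            start = None
    if start is not None:
        gaps.append((start, hi))
    return gaps

# Constructed sample data: CIDRs and the peer address are placeholders, not
# values from the thread (203.0.113.0/24 is an RFC 5737 documentation range).
ACCOUNT_B_SUBNET = "10.20.0.0/16"
PEER_PUBLIC_IP = "203.0.113.10"
ICMP_ONLY = [{"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
              "IpRanges": [{"CidrIp": ACCOUNT_B_SUBNET}]}]
WITH_AUTOVPN = ICMP_ONLY + [{"IpProtocol": "udp", "FromPort": 32768, "ToPort": 61000,
                             "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]

if __name__ == "__main__":
    print(admits(ICMP_ONLY, "icmp", -1, "10.20.5.7"))   # True
    print(admits(ICMP_ONLY, "tcp", 443, "10.20.5.7"))   # False
    print(uncovered_udp(ICMP_ONLY, PEER_PUBLIC_IP))     # [(32768, 61000)]
    print(uncovered_udp(WITH_AUTOVPN, PEER_PUBLIC_IP))  # []
```

The rule list can be fed straight from `boto3` (`describe_security_groups()[...]["IpPermissions"]`) on a live account; the sample above stays offline.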