Thank You @MarcoS for your support ... View more

Hi @MarcoS    It is not blocked by the Security Group because of the very nature of VPN. The vMX is a software that acts as the encryption termination point for your VPN tunnel, inside the EC2 instance; this means the ENI of the EC2 instance only sees encrypted traffic (in this case, Auto VPN traffic, which uses UDP encapsulation, choosing UDP ports in high ranges, 32768-61000 last I checked).   So, even when the security group has no inbound rules, effectively blocking all incoming traffic, it will not block the traffic, even if it is encrypted, because it is within a VPN tunnel that operates on the lower OSI level than the security group?   Can you share what test led you to this conclusion?   Sure, my setup consists of 2 AWS accounts, A and B, where account  A has a vMX ec2 instance with access to the on-premise resources.   A and B accounts can reach themselves via configured Transit Gateway, the goal of this infrastructure is to have access from AWS resources located in account B  to the on-premise resources behind the vMX instance.   So when I've added an inbound rule for the security group for the vMX instance that allows only ICMP traffic from my AWS account B subnet, I have only ICMP packets allowed to my on-premise subnet from the AWS    I say eventually because the tunnel may stay up for some time, but soon will drop   Yes, you are correct, after some time all traffic wasn't able to reach on-premise resources.       ... View more

Hello @MarcoS    Thank You for the support   I tried to do what you said, and yes traffic from the another EC2 instance was blocked   Could you please explain why traffic that goes through the VPN tunnel from on-premises resources is not blocked by the vMX instance's security group, while traffic going from AWS to the on-premises resources is blocked? ... View more

Yes, I had the same thought, but unfortunately, inbound traffic is being ignored for some reason.   Below is a screenshot of my Security Group's inbound rules; as you can see, it's empty. However, for outbound traffic, I have a rule that allows all traffic.   For example, if I try to execute a ping from my 10.56.33.0/24 subnet to an AWS resource located in the same subnet as the vMX instance, I can reach it, and it responds.   However, the responses can only reach my host if the outbound rule from the screenshot is applied.     ... View more

Hello @bonzovt    Can you please help me with a similar issue?   I also have a tunnel between AWS and my on-premise resources via Meraki vMX, but additionally, I would like to apply some firewall rules in my AWS account, so I added them to a security group that is attached to the ec2 instance, unfortunately, it didn't work for me, traffic still unrestricted, so it looks like that security group not work for inbound traffic, only for outbound   So i would like to understand in what way traffic achieves AWS resources from on-premises ? ... View more

Hello @Chad3_23    Can you please help me with a similar issue ?   I also have a tunnel between AWS and my on-premise resources via Meraki vMX, but additionally, I would like to apply some firewall rules in my AWS account, so I added them to a security group that is attached to the ec2 instance, unfortunately, it didn't work for me, traffic still unrestricted, so it looks like that security group not work for inbound traffic ... View more

Unfortunately No ... View more