AWS Client VPN

AWS Client VPN, a managed client-based VPN service, allows secure access to AWS resources as well as resources in the on-premises network.
Client VPN allows you to access the resources from any location by using an OpenVPN-based VPN client.
Client VPN establishes a secure TLS link from any location by using the OpenVPN client.
Client VPN automatically scales to connect to the AWS resources or on-premises resources.
Client VPN supports client authentication via Active Directory, federated authentication, and certificate-based authentication.
Client VPN offers manageability, including the ability to manage client connections and the ability to terminate them. You can also view connection logs which include details about client connection attempts.
Client VPN Components
Client VPN endpoint refers to the resource that is configured and created to enable and manage client VPN sessions.
This is where all client VPN sessions are terminated.
Target network is the network that is associated with a Client VPN Endpoint.
It is a subnet in a VPC that allows the establishment of VPN sessions.
Multiple subnets may be associated with the Client VPN endpoint. However, each subnet must be in a different Availability Zone.
Route describes the available destination network route options.
Each route in this table specifies the traffic route to specific resources or networks.
Authorization rules limit who can access a network.
An authorization rule configures the AD or IdP group that will be granted access. Only members of this group have access to the network.
Client is the end user who connects to the Client VPN endpoint to establish a VPN connection.
Download an OpenVPN client to create a VPN session.
Client VPN allows for authentication and authorization.
Clients are only allowed to connect to the Client VPN endpoint if they have been authenticated.
Client VPN offers the following types of client authentication:
Active Directory authentication (user-based)
Mutual authentication (certificate-based)
Single sign-on (SAML-based federated authentication) (user-based)
Client VPN supports two types of authorization:
Security groups
Network-based authorization (using authorization rules), which allows mapping of the Active Directory group and the SAML-based IdP groups to the network they have access to.
Client VPN Split Tunnel
Client VPN endpoint routes all traffic over the VPN tunnel by default.
Split-tunnel Client VPN Endpoint is useful when you don’t want all user traffic to go through the Client VPN Endpoint.
Split tunnel ensures that traffic to the network with a destination matching a route from Client VPN endpoint route tables is routed via the Client VPN tunnel.
Split tunnel provides the following benefits:
Optimized routing of traffic from clients, with only AWS-destined traffic traversing the VPN tunnel.
Client VPN Limitations
Client CIDR ranges cannot overlap with the VPC's local CIDR or any routes manually added to the Client VPN endpoint's route table.
Client CIDR ranges must have a block size between /22 and /12.
After the Client VPN endpoint is created, the client CIDR range can't be changed.
Subnets that are associated with Client VPN endpoints must be in the same VPC.
Multiple subnets from the same Availability Zone cannot be associated with a Client VPN endpoint.
A Client VPN endpoint cannot support subnet associations in a dedicated tenancy VPC.
Only IPv4 traffic is supported by Client VPN.
Client VPN is not compliant with Federal Information Processing Standards (FIPS).
Client VPN is a managed service, so the IP addresses that the DNS name resolves to might change. It is not recommended that you connect to Client VPN endpoints using IP addresses. Use the DNS name instead.
IP forwarding can be done c
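
The addressing and subnet limits listed above can be checked before an endpoint is created. The following Python check is an added example, not part of the original page or of any AWS tooling; the function name, the subnet dictionary layout and all sample IDs and ranges are assumptions made for illustration.

```python
import ipaddress

# Limits as stated in the "Client VPN Limitations" list on this page.
MIN_PREFIX, MAX_PREFIX = 12, 22  # client CIDR block size between /22 and /12


def check_client_vpn_plan(client_cidr, vpc_id, vpc_cidr, routes, subnets):
    """Return a list of violations for a planned Client VPN endpoint.

    routes  -- destination CIDRs to be added manually to the endpoint route table
    subnets -- dicts with 'id', 'vpc_id' and 'az' for each subnet to associate
    """
    problems = []
    try:
        client = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"client CIDR {client_cidr!r} is not a valid network: {exc}"]
    if client.version != 4:
        return ["client CIDR must be IPv4; only IPv4 traffic is supported"]
    if not MIN_PREFIX <= client.prefixlen <= MAX_PREFIX:
        problems.append(f"client CIDR /{client.prefixlen} is outside /22 to /12")
    # The client range must not overlap the VPC CIDR or any manual route.
    for label, cidr in [("VPC CIDR", vpc_cidr)] + [("route", r) for r in routes]:
        other = ipaddress.ip_network(cidr, strict=False)
        if other.version == 4 and client.overlaps(other):
            problems.append(f"client CIDR {client} overlaps {label} {other}")
    # Associated subnets must share the endpoint's VPC, one subnet per AZ.
    seen_az = {}
    for s in subnets:
        if s["vpc_id"] != vpc_id:
            problems.append(f"subnet {s['id']} is in {s['vpc_id']}, not {vpc_id}")
        if s["az"] in seen_az:
            problems.append(f"subnets {seen_az[s['az']]} and {s['id']} share AZ {s['az']}")
        seen_az.setdefault(s["az"], s["id"])
    return problems


# Constructed sample plan; IDs and ranges are made up for illustration.
SAMPLE_SUBNETS = [
    {"id": "subnet-aaa", "vpc_id": "vpc-111", "az": "us-east-1a"},
    {"id": "subnet-bbb", "vpc_id": "vpc-111", "az": "us-east-1a"},
    {"id": "subnet-ccc", "vpc_id": "vpc-222", "az": "us-east-1b"},
]

if __name__ == "__main__":
    plan = ("10.0.0.0/24", "vpc-111", "10.0.0.0/16", ["192.168.0.0/16"])
    for p in check_client_vpn_plan(*plan, SAMPLE_SUBNETS):
        print("VIOLATION:", p)
```

Because the client CIDR range cannot be changed after the endpoint is created, running a check like this at planning time avoids having to recreate the endpoint.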
