How do I associate a target network with a Client VPN endpoint?

Last updated: 2020-03-20

I need to enable my clients to establish a VPN session with an AWS Client VPN endpoint so that they can access network resources. How do I associate a target network with a Client VPN endpoint?

Short Description

A target network is a subnet in a VPC. When you associate a subnet with a Client VPN endpoint, clients can establish a VPN session. You can associate multiple subnets with a Client VPN endpoint. Note that all subnets must be from the same VPC.

Before associating a target network to a Client VPN endpoint, consider the following:

  • The clients will be able to establish a VPN connection to the Client VPN endpoint only after a target network is associated with the Client VPN endpoint.
  • Associating a single target network allows you to establish a VPN session with the Client VPN endpoint. However, it's a best practice to associate at least two target networks from two different Availability Zones for redundancy.
  • The subnet that you associate as the target must have a CIDR block with at least a /27 bitmask (for example, 192.168.0.0/27). Also, there must be at least eight available IP addresses in the subnet.
  • When you associate a subnet with a Client VPN endpoint, the local route of the VPC in which the associated subnet is provisioned is automatically added to the Client VPN endpoint's route table.

Resolution

Associate a target network with a Client VPN endpoint 

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint to associate with the target network.
  4. Choose Associations, and then choose Associate.
  5. For VPC, choose the VPC in which the subnet is provisioned.
  6. For Subnet to associate, choose the subnet to associate with the Client VPN endpoint.
  7. Choose Associate.

Apply a security group to a target network 

When you associate the first target network with a Client VPN endpoint, the default security group of the VPC is applied in the associated subnet. After you associate the first target network, you can change the security groups that are applied to the Client VPN endpoint. The security group rules that are required depend on the type of VPN access you want to configure.

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint to which you plan to apply the security groups.
  4. Choose Security Groups, select the current security group, and then choose Apply Security Groups.
  5. Select the new security groups in the list, and then choose Apply Security Groups.

(Optional) Disassociate a target network from a Client VPN endpoint

After ensuring that there are no clients connected to the Client VPN endpoint, you can disassociate unwanted target networks. You need at least one target network for the clients to establish a connection to the Client VPN endpoint. When you disassociate all target networks, the Client VPN endpoint removes the route that was automatically created when the target networks were associated.

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint with which the target network is associated.
  4. Choose Associations.
  5. Select the target network to disassociate.
  6. Choose Disassociate, and then choose Yes, Disassociate.

Did this article help you?

Anything we could improve?


Need more help?