How can I provide my Client VPN users with access to AWS resources?
Last updated: 2020-04-21
My AWS Client VPN users want to establish a secure connection from their end devices to AWS resources. How can I do this?
Before configuring VPN access to specific resources, consider the following:
- When a Client VPN endpoint is associated to a subnet, elastic network interfaces are created in the associated subnet. These network interfaces receive IP addresses from the subnet's CIDR.
- When a Client VPN connection is established, a virtual tunnel adapter (VTAP) is created on the end device. The virtual adapter receives an IP address from the Client VPN endpoint's client IPv4 CIDR.
- When traffic from the end user device reaches the Client VPN endpoint, the source IP address of the packets is source NATed (SNAT) to the IP address of the Client VPN endpoint's network interface. As a result, the target resources see all Client VPN traffic as coming from the endpoint network interface's IP address, not from the client IPv4 CIDR.
To give your Client VPN end users access to specific AWS resources:
- Configure routing between the Client VPN endpoint's associated subnet and the target resource's network. If the target resource is in the same virtual private cloud (VPC) that's associated to the endpoint, you don't need to add a route. In this case, the VPC's Local Route is used to forward traffic. If the target resource isn't in the same VPC that's associated to the endpoint, then add the respective route in the Client VPN endpoint's associated subnet route table.
- Configure the target resource's security group to allow inbound and outbound traffic to and from the Client VPN endpoint's associated subnet. Or, reference the security group attached to the endpoint in the target resource's security group rule.
- Configure the target resource's network access control list (network ACL) to allow inbound and outbound traffic through the Client VPN endpoint's associated subnets.
- Allow end-user access to the target resources in the Client VPN endpoint's authorization rule. For more information, see Authorization rules.
- Verify that the Client VPN route table has a route for the target resource's network range. For more information, see Routes and Target networks.
- Allow outbound access to the target resources in the Client VPN endpoint's associated security group.
Note: If you have more than one subnet associated with your Client VPN endpoint, be sure to allow traffic between all the security groups and network ACLs using the complete IP range of the subnets.
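As an added example that is not part of the AWS article, the prerequisites above expressed as an offline pre-flight check over constructed sample data. The subnet and security group IDs, CIDRs and the dictionary layout are assumptions for illustration, not the shape of the EC2 API; the check goes one step beyond the list by testing for a Client VPN route per associated subnet, since routes are created against a specific target subnet.

```python
import ipaddress

# Constructed sample data (hypothetical IDs and CIDRs, not a real account):
# an endpoint associated with two subnets, reaching a target in a peered VPC.
SAMPLE = {
    "client_cidr": "10.100.0.0/22",
    "associated_subnets": [{"id": "subnet-a", "cidr": "172.31.0.0/24"},
                           {"id": "subnet-b", "cidr": "172.31.1.0/24"}],
    "authorization_rules": ["172.31.0.0/16", "10.0.0.0/16"],
    "client_vpn_routes": [{"destination": "10.0.0.0/16", "target_subnet": "subnet-a"}],
    "endpoint_sg": "sg-endpoint",
    "endpoint_sg_egress": ["0.0.0.0/0"],
    # Target SG trusts only the first subnet plus the client CIDR (useless after SNAT).
    "target_sg_ingress": {"cidrs": ["172.31.0.0/24", "10.100.0.0/22"], "security_groups": []},
}

def covers(cidrs, target):
    """True if one of the rule CIDRs contains the whole target network."""
    net = ipaddress.ip_network(target)
    return any(net.subnet_of(ipaddress.ip_network(c)) for c in cidrs)

def check_client_vpn_access(cfg, target_cidr):
    """Return a list of findings; an empty list means every prerequisite holds."""
    findings = []
    # 1. An authorization rule must cover the target network range.
    if not covers(cfg["authorization_rules"], target_cidr):
        findings.append(f"no authorization rule covers {target_cidr}")
    # 2. Client VPN routes are per target subnet, so every associated subnet needs one.
    routed = {r["target_subnet"] for r in cfg["client_vpn_routes"]
              if covers([r["destination"]], target_cidr)}
    for sub in cfg["associated_subnets"]:
        if sub["id"] not in routed:
            findings.append(f"no Client VPN route to {target_cidr} via {sub['id']}")
    # 3. The endpoint's security group must allow outbound traffic to the target.
    if not covers(cfg["endpoint_sg_egress"], target_cidr):
        findings.append(f"{cfg['endpoint_sg']} has no egress rule to {target_cidr}")
    # 4. Traffic is SNATed to the endpoint ENIs, so the target SG must admit every
    #    associated subnet CIDR (or reference the endpoint SG); the client CIDR is never seen.
    ingress = cfg["target_sg_ingress"]
    if cfg["endpoint_sg"] not in ingress["security_groups"]:
        for sub in cfg["associated_subnets"]:
            if not covers(ingress["cidrs"], sub["cidr"]):
                findings.append(f"target SG does not allow inbound from {sub['cidr']}")
    if covers(ingress["cidrs"], cfg["client_cidr"]):
        findings.append(f"target SG trusts client CIDR {cfg['client_cidr']}, never seen post-SNAT")
    return findings

if __name__ == "__main__":
    for f in check_client_vpn_access(SAMPLE, "10.0.1.0/24"):
        print("FINDING:", f)
```

With the sample data the check reports the missing route for the second subnet, the second subnet's CIDR missing from the target security group, and the ineffective client-CIDR rule; referencing the endpoint security group instead of listing subnet CIDRs clears the last two at once.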
Create the routes, security group rules, and authorization rules required to establish connectivity, based on the resource type that your users are accessing. Based on your use case, follow these steps to:
- Configure access to a VPC
- Configure access to the internet
Note: Depending on your use case, you can opt to establish a Client VPN connection to VPCs while continuing to route internet traffic through the local gateway. To do this, set up a split-tunnel Client VPN endpoint.
- Configure access to a peered VPC
- Configure access to an on-premises network