Client VPN endpoints

Hi James, I suspect that you are running into one of the qualifying rules when associating your subnets. See below. If this all looks correct, can you provide some information on the subnets in your VPC and what CIDR is associated with your Client VPN implementation?

• The subnet must have a CIDR block with at least a /27 bitmask, for example 10.0.0.0/27. The subnet must also have at least 20 available IP addresses at all times.
• The subnet's CIDR block cannot overlap with the client CIDR range of the Client VPN endpoint.
• If you associate more than one subnet with a Client VPN endpoint, each subnet must be in a different Availability Zone. We recommend that you associate at least two subnets to provide Availability Zone redundancy.
• If you specified a VPC when you created the Client VPN endpoint, the subnet must be in the same VPC. If you haven't yet associated a VPC with the Client VPN endpoint, you can choose any subnet in any VPC.

All further subnet associations must be from the same VPC. To associate a subnet from a different VPC, you must first modify the Client VPN endpoint and change the VPC that's associated with it.