I want my AWS Client VPN users to establish a secure connection from their end devices to AWS resources.
Resolution
Before you configure Client VPN access to specific resources, review the following information:
- When a Client VPN endpoint is associated with a subnet, elastic network interfaces are created in the associated subnet. These network interfaces receive IP addresses from the subnet's CIDR.
- When a Client VPN connection is established, a virtual tunnel adapter (VTAP) is created on the end device. The virtual adapter receives an IP address from the Client VPN endpoint's client IPv4 CIDR.
- When you associate a subnet with your Client VPN endpoint, Client VPN network interfaces are created in that subnet. Traffic that is sent to the virtual private cloud (VPC) from the Client VPN endpoint is sent through a Client VPN network interface. Then, source network address translation (SNAT) is applied. This means that the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.
To give your Client VPN end users access to specific AWS resources:
- Configure routing between the Client VPN endpoint's associated subnet and the target resource's network. If the target resource is in the same VPC that's associated with the endpoint, then you don't need to add a route. In this case, the VPC's local route is used to forward traffic. If the target resource isn't in the same VPC that's associated with the endpoint, then add the respective route in the Client VPN endpoint's associated subnet route table.
- Configure the target resource's security group to allow inbound and outbound traffic from the Client VPN endpoint's associated subnet CIDR. Because of SNAT, the target sees the Client VPN network interface address, not the client CIDR address. Or, to use the security groups applied on the endpoint, reference the security group attached to the endpoint in the target resource's security group rule.
- Configure the target resource's network access control list (network ACL) to allow inbound and outbound traffic from the Client VPN endpoint's associated subnet CIDRs.
- Allow end user access to the target resources in the Client VPN endpoint's authorization rule. For more information, see AWS Client VPN authorization rules.
- Verify that the Client VPN route table has a route for the target resource's network range. For more information, see AWS Client VPN routes and AWS Client VPN target networks.
- Allow outbound access to the target resources in the Client VPN endpoint's associated security group.
Note: When you have more than one subnet associated with your Client VPN endpoint, you must allow access from each of the Client VPN subnet CIDRs to:
- The target resource's security groups
- The target resource's network ACLs
Create the routes, security group rules, and authorization rules required to establish connectivity, based on the resource type that your users access. For information about how to configure access, see Scenarios and examples for Client VPN.
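The following pre-flight checker is an added example, not AWS code or part of this article. It models the checklist above offline: an authorization rule and a Client VPN route must cover the target, and because client traffic is SNATed to the Client VPN network interface, the target's security group and network ACL must admit every associated subnet's CIDR (or, for the security group, reference the endpoint's own security group). All endpoint IDs, subnet IDs and CIDRs are constructed sample values, and the data classes are a simplified model, not the AWS API.

```python
"""Offline pre-flight check for AWS Client VPN access to a target resource.

Added example (not AWS code). Identifiers and CIDRs are constructed samples.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class ClientVpnEndpoint:
    endpoint_id: str
    client_cidr: str                 # addresses handed to the VTAP on the client
    security_group_id: str           # security group applied to the endpoint
    associated_subnets: dict         # subnet-id -> subnet CIDR
    authorization_rules: list        # CIDRs the authorization rules allow
    routes: list                     # (destination CIDR, target subnet-id)


@dataclass
class TargetResource:
    name: str
    ip: str
    sg_inbound_sources: list = field(default_factory=list)    # CIDRs or sg- ids
    nacl_inbound_allows: list = field(default_factory=list)   # CIDRs
    nacl_outbound_allows: list = field(default_factory=list)  # CIDRs


def covers(rule_cidr: str, needed_cidr: str) -> bool:
    """True if rule_cidr contains all of needed_cidr."""
    return ip_network(needed_cidr, strict=False).subnet_of(
        ip_network(rule_cidr, strict=False))


def check_access(ep: ClientVpnEndpoint, target: TargetResource) -> list:
    """Return a list of findings; an empty list means the path looks complete."""
    findings = []
    host = f"{target.ip}/32"

    # 1. Authorization rule: end users must be allowed to reach the target network.
    if not any(covers(c, host) for c in ep.authorization_rules):
        findings.append(f"no authorization rule covers {target.ip}")

    # 2. Client VPN route: the endpoint route table needs a route to the target
    #    that points at an associated subnet.
    if not any(covers(dst, host) and subnet in ep.associated_subnets
               for dst, subnet in ep.routes):
        findings.append(f"no Client VPN route to {target.ip} via an associated subnet")

    # 3. Security group: after SNAT the source is a Client VPN network interface,
    #    so the target must admit each associated subnet's CIDR, or reference
    #    the endpoint's security group instead. Allowing the client CIDR does nothing.
    if ep.security_group_id not in target.sg_inbound_sources:
        cidr_sources = [s for s in target.sg_inbound_sources if not s.startswith("sg-")]
        for subnet_id, cidr in ep.associated_subnets.items():
            if not any(covers(src, cidr) for src in cidr_sources):
                findings.append(f"security group does not allow {cidr} ({subnet_id})")

    # 4. Network ACL: stateless, so both directions must allow each subnet CIDR.
    for subnet_id, cidr in ep.associated_subnets.items():
        if not any(covers(a, cidr) for a in target.nacl_inbound_allows):
            findings.append(f"network ACL inbound does not allow {cidr} ({subnet_id})")
        if not any(covers(a, cidr) for a in target.nacl_outbound_allows):
            findings.append(f"network ACL outbound does not allow {cidr} ({subnet_id})")

    return findings


def sample_endpoint() -> ClientVpnEndpoint:
    """Constructed endpoint with two associated subnets (sample values)."""
    return ClientVpnEndpoint(
        endpoint_id="cvpn-endpoint-EXAMPLE",
        client_cidr="10.100.0.0/22",
        security_group_id="sg-cvpn-EXAMPLE",
        associated_subnets={"subnet-a-EXAMPLE": "10.0.1.0/24",
                            "subnet-b-EXAMPLE": "10.0.2.0/24"},
        authorization_rules=["10.0.0.0/16"],
        routes=[("10.0.0.0/16", "subnet-a-EXAMPLE"),
                ("10.0.0.0/16", "subnet-b-EXAMPLE")],
    )


def sample_target(second_subnet_allowed: bool) -> TargetResource:
    """Constructed target; a common mistake is allowing only one subnet CIDR."""
    allowed = ["10.0.1.0/24"] + (["10.0.2.0/24"] if second_subnet_allowed else [])
    return TargetResource(name="db-EXAMPLE", ip="10.0.5.20",
                          sg_inbound_sources=list(allowed),
                          nacl_inbound_allows=list(allowed),
                          nacl_outbound_allows=list(allowed))


if __name__ == "__main__":
    for ok in (False, True):
        print(f"second subnet allowed={ok}:",
              check_access(sample_endpoint(), sample_target(ok)) or ["OK"])
```

Run it as a script to see the two-subnet case from the note above: with only the first subnet's CIDR allowed, the checker reports the missing security group and network ACL entries for the second subnet; once both subnet CIDRs (or the endpoint's security group) are allowed, it reports nothing.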
Note: Based on your use case, you can establish a Client VPN connection to VPCs and continue to route internet traffic through the local gateway. To do this, set up a split-tunnel Client VPN endpoint.
Related information
How AWS Client VPN works