How can I provide my Client VPN users with access to AWS resources?
3 minute read
My AWS Client VPN users want to establish a secure connection from their end devices to AWS resources. How can I do this?
Before configuring VPN access to specific resources, consider the following:
When a Client VPN endpoint is associated to a subnet, elastic network interfaces are created in the associated subnet. These network interfaces receive IP addresses from the subnet's CIDR.
When a Client VPN connection is established, a virtual tunnel adapter (VTAP) is created on the end device. The virtual adapter receives an IP address from the Client VPN endpoint's client IPv4 CIDR.
When you associate a subnet with your Client VPN endpoint, Client VPN network interfaces are created in that subnet. Traffic that is sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.
To give your Client VPN end users access to specific AWS resources:
Configure routing between the Client VPN endpoint's associated subnet and the target resource's network. If the target resource is in the same virtual private cloud (VPC) that's associated to the endpoint, then you don't need to add a route. In this case, the VPC's Local Route is used to forward traffic. If the target resource isn't in the same VPC that's associated to the endpoint, then add the respective route in the Client VPN endpoint's associated subnet route table.
Configure the target resource's security group to allow inbound and outbound traffic through the Client VPN endpoint's associated subnet. Or, use security groups applied on the endpoint by referencing the security group attached to the endpoint in the target resource's security group rule.
Configure the target resource's network access control list (network ACL) to allow inbound and outbound traffic through the Client VPN endpoint's associated subnets.
Allow end user access to the target resources in the Client VPN endpoint's authorization rule. For more information, see Authorization rules.
Verify that the Client VPN route table has a route for the target resource's network range. For more information, see Routes and Target networks.
Allow outbound access to the target resources in the Client VPN endpoint's associated security group.
Note: If you have more than one subnet associated with your Client VPN endpoint, you must allow access from each of the Client VPN subnet CIDRs to:
The target resource's security groups
The target resource's network ACLs
Create the routes, security group rules, and authorization rules required to establish connectivity, based on the resource type that your users are accessing. Based on your use case, follow these steps to: