Think of the Client CIDR Block as the Pool of IPs that are handed out to every client that connects to the CVPN. ClientVPN actually does a Source NAT when you connect to the destination.
For example, if you expect to support 8,000 VPN connections to your Client VPN endpoint, specify a minimum client CIDR range size of /18 (16,384 IP addresses), and associate at least 2 subnets with the Client VPN endpoint.
If you’re unsure what the number of expected VPN connections is for your Client VPN endpoint, we recommend that you specify a size /16 CIDR block or larger.
On the other hand, note that you can associate the client VPN endpoint to multiple subnets. The requirement is that each of the subnets needs to belong to the same VPC but different Availability Zones.
@Tushar_J Thanks for the response. So given these parameters:
Private Subnet: 10.100.1.0/24
Client CIDR Block: 10.0.0.0/22
Client Network Association: 10.100.0.0/27
Test VPN Address: 10.0.0.6
Test Private Network: 10.100.2.0/24
I'm trying to ping an EC2 instance on my Test Private Network from my Test VPN Address. Here's where I still don't understand:
Test Private Network ACL Allow: [Client CIDR Block] - will not allow access
Test Private Network ACL Allow: [Client Network Association CIDR Block] - will allow access
I'm guessing there is some type of Private IP NAT going on at the Client Network Association?
But I'm confused as to why the NACL works for my Client Network Association CIDR Block and not my Client CIDR block.
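To make the Source NAT point from the answer above concrete with the parameters in this question, here is an added illustration (not part of the thread or of any AWS tooling): the tunnel address is never what the target subnet sees, so an NACL allowing the Client CIDR block never matches, while one allowing the associated subnet does. The ENI address 10.100.0.10 and the instance address 10.100.2.25 are assumed values.

```python
import ipaddress

# Values taken from the question in this thread.
CLIENT_CIDR = ipaddress.ip_network("10.0.0.0/22")         # pool handed to VPN clients
ASSOCIATED_SUBNET = ipaddress.ip_network("10.100.0.0/27")  # subnet holding the endpoint ENI
TARGET_SUBNET = ipaddress.ip_network("10.100.2.0/24")      # subnet holding the EC2 instance

# Assumed ENI address inside the associated subnet; AWS assigns the real one
# when the network association is created.
ENDPOINT_ENI_IP = ipaddress.ip_address("10.100.0.10")


def snat_from_endpoint(client_src: str, dst: str):
    """Model Client VPN behaviour: a packet leaving the endpoint into the VPC
    carries the ENI's address as its source, not the client's tunnel address."""
    src = ipaddress.ip_address(client_src)
    dst_ip = ipaddress.ip_address(dst)
    if src not in CLIENT_CIDR:
        raise ValueError(f"{src} is not an address from the Client CIDR block")
    return ENDPOINT_ENI_IP, dst_ip


def nacl_allows(rules, src) -> bool:
    """Evaluate ordered inbound NACL rules: the lowest-numbered matching rule
    wins, and anything unmatched is implicitly denied.
    rules: list of (rule_number, source_cidr, 'allow' | 'deny')."""
    for _number, cidr, action in sorted(rules):
        if ipaddress.ip_address(src) in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


def reaches_instance(nacl_rules, client_src="10.0.0.6", instance="10.100.2.25") -> bool:
    """Does a ping from the VPN client pass the target subnet's inbound NACL?"""
    post_nat_src, dst = snat_from_endpoint(client_src, instance)
    if dst not in TARGET_SUBNET:
        raise ValueError(f"{dst} is outside the test private network")
    return nacl_allows(nacl_rules, post_nat_src)


if __name__ == "__main__":
    allow_client_cidr = [(100, str(CLIENT_CIDR), "allow")]
    allow_assoc_cidr = [(100, str(ASSOCIATED_SUBNET), "allow")]
    print("allow Client CIDR block:", reaches_instance(allow_client_cidr))   # False
    print("allow association CIDR:", reaches_instance(allow_assoc_cidr))     # True
```

Because NACLs are stateless, the reply from the instance also needs an outbound rule covering the associated subnet, which the model above leaves out.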