Static IP for AWS Client VPN


When a user connects to AWS Client VPN, the public IP for the user is random. I would like to be able to set a static public IP for AWS Client VPN. Seems like this has been requested previously on the old AWS Forums:

I want to be able to whitelist this IP in our security groups.

asked 2 years ago1615 views
2 Answers


I'm not sure if I've entirely understood the question, so please clarify if I've misunderstood.

The actual public IP address of the user's device will be outside the control of AWS, as it'll be controlled by the user's ISP, so could be via DHCP, or some ISPs allow options for a static IP (sometimes at extra cost), so if it's back on the user device I think the user's (or company if it's company supplied) would need to talk to their ISPs.

If you're asking whether it's possible once terminated inside AWS to make all the users appear from a static public IP then I think the answer to that is yes. You could either do something with NAT gateway, or if you want URL filtering you could put in place Network Firewall or a 3rd party solution via marketplace or build it yourself.


answered 2 years ago
  • It would be the 2nd one. Make the user appear that they are coming from a static IP. I'll check out those links. Thank you.

  • If you're happy with the answer would you mind marking it as the accepted answer?

  • i tried the links, didn't work as expected.


Hi, I understand you have tried these steps already.

I have reviewed these steps and confirmed it can be a solution to your issue. Following these steps from this article should resolve the issue. Static IP for client VPN

Here is a clarified summary of the steps: The main components needed to establish a static IP for AWS Client VPN are VPC, NAT gateway, and VPN endpoint.

  1. Create a VPC with a public and private subnet.

    • During VPC creation make sure “VPC and more” is enabled and NAT gateways is NOT set to “None”, to ensure the successful creation of subnets and NAT gateway.
    • This step should automatically create NAT gateway(s), which assigns users a public ip when they are access the internet.
  2. In the VPC navigation bar create a Client VPN endpoint, then associate the endpoint to the private subnet. Configuring Endpoint

  3. Check that the route table in the private subnet has route to NAT gateway.

  • The route should look like " : Target Destination (NAT gateway)"
  1. Finally you can add the primary public ip address to the security group to allow traffic from the VPN. The primary public ip address can be found in the NAT gateway created in Step 1. If there is no public ip, you can make a new elastic ip from the VPC navigation bar and attach it to the NAT gateway. Elastic IPs
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions