Why are there so many public IP addresses associated with one VPN client endpoint?


Hi,

We're cleaning up the public IP addresses and noticed that there are multiple private and public IP addresses associated with the same Client VPN Endpoint. For some public IP addresses, the associated ENI doesn't exist anymore. Any idea why this is the case? How do we know which public IP address is still in use? How do we identify and clean up the unused ones? Thanks.

asked a month ago · 325 views
2 Answers

There is a useful tool, Public IP insights, that shows you all public IPv4 addresses.
Could you please try using the tool Amazon VPC IP Address Manager?


hyp (AWS, EXPERT) · answered a month ago
  • I'm using this tool but still unable to confirm which public IP addresses associated with the Client VPN endpoint are not in use, so that we can delete them.


This is a hypothesis, so please verify it. When you create an Elastic Network Interface (ENI) in AWS, the public IP address might be associated with an Elastic IP (EIP). If you delete the ENI, the EIP could still be linked to your VPN client endpoint. You should check if any public IP addresses associated with your VPN client endpoint match your Elastic IP. If they do, consider deleting the Elastic IP to avoid potential charges.

EXPERT · answered a month ago
  • Those public IP addresses are not Elastic IP addresses. I'm trying to understand, when a Client VPN endpoint is created, how does it manage the public IP address? When will it create a new ENI and the associated public IP address? I couldn't find it in the Client VPN Endpoint document (https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html).

    • A1: The Client VPN endpoint itself does not have a public IP address. Instead, it relies on ENIs that are created for each client connection. If the subnet in which the ENI is created is a public subnet, then the ENI can be assigned a public IP address from the VPC's pool of public IP addresses.
    • A2: A new ENI is created for each new client connection to the Client VPN endpoint. This ENI is created in the subnet associated with the Client VPN endpoint's target network. If the subnet is a public subnet, then the ENI will be assigned a public IP address. This public IP address is used to route traffic between the client and the VPN endpoint over the internet. It's important to note that the creation of a new ENI and a public IP address is tied to client connections, not the creation of the VPN endpoint itself.
  • Thank you, Osvaldo. That seems to be the reason. However, our Client VPN endpoint's target network association is to the private subnets. We do have public subnets corresponding to the private subnets. So I guess it still assigns a public IP address when it creates an ENI. If this is the case, is there a way to set the ENI's 'Delete on termination' to true? Basically, a way to automatically delete the public IP address when we disconnect from the Client VPN endpoint?
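As an added example (not code from the thread or from AWS), the following reconciles the public IPs reported for a Client VPN endpoint against the ENIs that still exist, so the orphaned ones the asker describes (ENI gone) can be told apart from live ones. All records are constructed; in practice the ENI list comes from `aws ec2 describe-network-interfaces` and the public-IP list from the IPAM Public IP insights view, and the exact ENI Description wording and the public-IP record shape are assumptions.

```python
"""Classify public IPs attributed to a Client VPN endpoint as in-use, idle or orphaned."""
from typing import Dict, Iterable, List

# Constructed sample: ENIs as describe-network-interfaces reports them.
# Assumption: Client VPN ENIs carry the endpoint id in their Description.
LIVE_ENIS: List[dict] = [
    {"NetworkInterfaceId": "eni-0aaa", "Status": "in-use",
     "Description": "Client VPN endpoint cvpn-endpoint-EXAMPLE",
     "Association": {"PublicIp": "203.0.113.10"}},
    {"NetworkInterfaceId": "eni-0bbb", "Status": "available",
     "Description": "Client VPN endpoint cvpn-endpoint-EXAMPLE",
     "Association": {"PublicIp": "203.0.113.11"}},
    {"NetworkInterfaceId": "eni-0ccc", "Status": "in-use",
     "Description": "unrelated workload",
     "Association": {"PublicIp": "203.0.113.12"}},
]

# Constructed sample: public IPs the insights view attributed to the endpoint,
# each with the ENI it was last seen on (record shape is an assumption).
REPORTED_PUBLIC_IPS: List[dict] = [
    {"Address": "203.0.113.10", "NetworkInterfaceId": "eni-0aaa"},
    {"Address": "203.0.113.11", "NetworkInterfaceId": "eni-0bbb"},
    {"Address": "203.0.113.99", "NetworkInterfaceId": "eni-0dead"},  # ENI already deleted
]


def endpoint_enis(enis: Iterable[dict], endpoint_id: str) -> Dict[str, dict]:
    """Index the ENIs that belong to the given Client VPN endpoint by ENI id."""
    return {e["NetworkInterfaceId"]: e for e in enis
            if endpoint_id in e.get("Description", "")}


def classify_public_ips(reported: Iterable[dict], enis: Iterable[dict],
                        endpoint_id: str) -> Dict[str, str]:
    """Map each reported public IP to 'in-use' (ENI exists and is in use),
    'idle' (ENI exists but its Status is not in-use) or 'orphaned' (ENI gone
    or no longer holding that address)."""
    by_id = endpoint_enis(enis, endpoint_id)
    result: Dict[str, str] = {}
    for rec in reported:
        eni = by_id.get(rec["NetworkInterfaceId"])
        if eni is None or eni.get("Association", {}).get("PublicIp") != rec["Address"]:
            result[rec["Address"]] = "orphaned"
        elif eni["Status"] == "in-use":
            result[rec["Address"]] = "in-use"
        else:
            result[rec["Address"]] = "idle"
    return result


if __name__ == "__main__":
    for ip, state in classify_public_ips(REPORTED_PUBLIC_IPS, LIVE_ENIS, "cvpn-endpoint-EXAMPLE").items():
        print(f"{ip}: {state}")
```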
