What is AWS Client VPN?

AWS Client VPN is a managed client-based VPN service. It enables you to securely access your AWS resources from anywhere in the world. All you need is an internet connection and your VPN credentials to start using it. Before we understand what ilet'sS Client VPN is, let's first define what is VPN.

What is VPN?

A virtual private network or VPN extends a private network across a public network. It enables you to send and receive data across shared or public networks as if your devices are directly connected to your private network. It provides you with an encrypted connection so you can access your private network securely from anywhere in the world.

Now know what is VPN?, let's come back to the AWS Service and try to understand its various components.

Various Components of AWS Client VPN

Following are the various components of the AWS Client VPN:

  • Client VPN endpoint: The Client VPN endpoint is the resource that you will provision i.e. create and configure to enable and manage client VPN sessions. It is the entry and exit point for all client VPN sessions.
  • Target network: A target network is a network you want to connect with once you are connected with a Client VPN endpoint. The target network is associated with a Client VPN endpoint during its configuration. For example: If you want to access the resources in a VPC, then a subnet in that VPC will act as a target network. Once a subnet is connected with the client VPN endpoint, you can create sessions using the endpoint.
  • Route: Like every other network configuration in AWS, the Client VPN endpoint also has a route table which can be used to define various routes. A route specifies the path to a resource or a network.
  • Authorization rules: As you are going to give access to your private network to anyone who can connect and create a session with the endpoint, it is necessary to have some authorization mechanism in place. You can define an authorization rule that restricts the users who can access a network. You can set up either an Active Directory or an identity provider to make sure only the user who has access to these particular groups can access your network.
  • Client: The user connecting to the Client VPN endpoint to establish a session is called the client. The end user needs to download and use software like Open VPN Client to establish a session.
  • Client CIDR range: When a session is established to the endpoint, each client is provided with a unique IP address. These addresses are assigned from the pool of allocated addresses. This pool is defined under the Client CIDR range.
  • Client VPN network interfaces: When a subnet is connected to a Client VPN endpoint by configuring the target network, AWS creates a network interface in that subnet. This acts as a link and sends traffic from the Client VPN endpoint to the VPC in which the subnet is created.

The above mentioned are some of the key components of the AWS Client VPN which will be required to configure and set up an endpoint. We will do that in the upcoming articles.

Various Features & Benefits of AWS Client VPN

Some of the important features and benefits of AWS CLient VPN are:

  • Secure connections: All connections established with Client VPN are secure TLS connections from any location using a VPN client.
  • No maintenance overhead: AWS Client VPN is an AWS-managed service, which means you don't have to worry about any operational overhead of deploying and managing a third-party remote access VPN solution.
  • High availability: It is highly scalable and an available solution. It automatically scales based on the number of users connecting to your AWS resources.
  • Authentication modes: Various authentication modes are supported by the service. It supports client authentication using Active Directory, identity provider-based authentication, and certificate-based authentication i.e. mutual authentication.
  • Access controls: Custom access controls are very important and AWS Client VPN enables you to implement custom security controls by defining network-based access rules. You can either use active directory-based auth or use security groups to define the access controls.
  • Audit controls: Connection login is an option in AWS Client VPN. It enables you to view connection logs, which provide all the details related to a client's connection attempts and active client connections, with the ability to terminate active client connections.

How AWS Client VPN works?

With AWS Client VPN, two types of user personas interact with the Client VPN endpoint: administrators and clients.

  • Administrator: An administrator is responsible for configuring the service. This means creating a Client VPN endpoint and associating a target network with it. Once the target network is configured, the route tables are set up and allow the traffic to flow in the right direction. Setting up the authorization and sharing the details of how to connect with the VPN is also the responsibility of the administrator.
  • Client: The Client is the end user of the service. they connect with the VPN using the credentials or the settings file shared with them by an administrator. Once a connection is established, an Ip is allocated to the client which will help them access the resources inside the VPC which is associated with the subnet provided as a target group in the VPN configuration.


AWS Client VPN will allow you to set up a secure connection to your private network and helps you in providing an access to your private resources hosted in your private network. Please keep in mind that this is a paid service and I strongly advise you to check the prices before using it. In upcoming articles in this series, we will look into various authentication mechanisms and how to set up AWS Client VPN for your AWS VPC.

Articles in this series