AWS Client VPN

• AWS Client VPN is a managed client-based VPN service that enables secure access to AWS resources and resources in the on-premises network
• Client VPN allows accessing the resources from any location using an OpenVPN-based VPN client.
• Client VPN establishes a secure TLS connection from any location using the OpenVPN client.
• Client VPN automatically scales to the number of users connecting to the AWS resources and on-premises resources.
• Client VPN supports client authentication using Active Directory, federated authentication, and certificate-based authentication.
• Client VPN provides manageability with the ability to manage active client connections, with the ability to terminate active client connections and to view connection logs, which provide details on client connection attempts
• Client VPN supports IPv4, IPv6, and dual-stack (both IPv4 and IPv6) connectivity for modern networking requirements.
• Client VPN supports native integration with AWS Transit Gateway, enabling centralized remote access to multiple VPCs and on-premises networks without requiring an intermediate VPC.

Client VPN Components

• Client VPN endpoint
  • is the resource that is created and configured to enable and manage client VPN sessions.
  • is the resource where all client VPN sessions are terminated.
  • supports Quickstart setup (Jan 2026) with pre-defined default configurations requiring only three inputs: IPv4 CIDR, server certificate ARN, and subnet selection.
• Target network
  • is the network associated with a Client VPN endpoint.
  • is a subnet from a VPC that enables establishing VPN sessions.
  • Multiple subnets can be associated with the Client VPN endpoint, however, each subnet must belong to a different Availability Zone.
  • For IPv6 or dual-stack traffic, the associated subnets must have IPv6 or dual-stack CIDR ranges.
• Route
  • describes the available destination network routes.
  • Each route in the route table specifies the path for traffic to specific resources or networks.
• Authorization rules
  • restrict the users who can access a network.
  • helps configure the AD or IdP group that is allowed access. Only users belonging to this group can access the specified network.
• Client
  • end-user connecting to the Client VPN endpoint to establish a VPN session.
  • need to download an OpenVPN client and use the Client VPN configuration file to establish a VPN session.

Client VPN Authentication & Authorization

• Client VPN provides authentication and authorization capabilities.
• Authentication determines whether clients are allowed to connect to the Client VPN endpoint
• Client VPN offers the following types of client authentication:
  • Active Directory authentication (user-based)
  • Mutual authentication (certificate-based)
  • Single sign-on (SAML-based federated authentication) (user-based)
• Client VPN supports two types of authorization:
  • Security groups and
  • Network-based authorization (using authorization rules)
    • allows mapping of the Active Directory group or the SAML-based IdP group to the network they can have access to.

Client VPN Split Tunnel

• Client VPN endpoint, by default, routes all traffic over the VPN tunnel.
• Split-tunnel Client VPN endpoint helps when you do not want all user traffic to route through the Client VPN endpoint.
• Split tunnel ensures only traffic with a destination to the network matching a route from the Client VPN endpoint route table is routed over the Client VPN tunnel.
• Split-tunnel offers the following benefits:
  • Optimized routing of traffic from clients by having only the AWS destined traffic traverse the VPN tunnel.
  • Reduced volume of outgoing traffic from AWS, therefore reducing the data transfer cost.

Client VPN IPv6 Support

• Client VPN now supports native IPv6 connectivity alongside existing IPv4 capabilities (announced Aug 2025).
• Supports three endpoint types: IPv4-only, IPv6-only, or dual-stack (both IPv4 and IPv6).
• Two key configuration parameters:
  • Endpoint IP address type – defines the endpoint management IP type (outer VPN tunnel traffic between OpenVPN client and server over the public internet).
  • Traffic IP address type – defines the type of traffic that flows through the VPN tunnel (inner encrypted traffic), client CIDR ranges, subnet association, routes, and rules per endpoint.
• For IPv6 client CIDR, you do not need to specify a CIDR block — Amazon automatically assigns CIDR ranges for IPv6 clients.
• Auto-assignment enables no-SNATing for IPv6 tunnel traffic, providing enhanced visibility into the connected user’s IPv6 address.
• For IPv6 traffic, Client VPN does not perform Network Address Translation (NAT).
• Endpoint type (IPv4, IPv6, dual-stack) and traffic type cannot be modified after creation.
• Client-to-client communication is not supported for IPv6 clients.

Client VPN Transit Gateway Integration

• Client VPN now supports native integration with AWS Transit Gateway (announced Apr 2026).
• Native Transit Gateway attachment eliminates the need for an intermediate VPC, allowing centralized remote access to multiple VPCs and on-premises networks directly from the Client VPN endpoint.
• Previously, connecting Client VPN to multiple VPCs required provisioning and managing an intermediate VPC, adding operational complexity.
• A Client VPN attachment is automatically created when you associate a Client VPN endpoint with a transit gateway.
• Key benefits:
  • End-to-end source IP visibility – client source IPs are preserved, enabling authorization rules based on actual client IPs and tracing traffic back to specific users.
  • No intermediate VPC required – reduces operational complexity and eliminates additional resource management.
  • Transit Gateway flow logs – capture connection-level details tied to preserved source IPs for improved troubleshooting and compliance audits.
  • Simplified security and compliance – enables easier security monitoring and audit workflows.
• Available in all AWS Regions where AWS Client VPN is available with no additional charges beyond standard Client VPN and Transit Gateway pricing.

Client Route Enforcement

• Client Route Enforcement (CRE) is a security feature that monitors device networking routes, prevents VPN traffic leaks, and strengthens remote access security (announced Apr 2025).
• The feature continuously tracks users’ device routing tables to ensure outbound traffic flows through the VPN tunnel according to configured settings.
• If the feature detects any VPN routing policy modifications on the connected device, it automatically forces an update to the route table, reverting it back to the expected route configurations.
• Helps improve security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
• Prevents end users from overriding or bypassing VPN-pushed routes on their local devices.
• Can be enabled during endpoint creation or modified on existing endpoints.

Client VPN Session Management

• Default maximum VPN session duration is 24 hours.
• Configurable maximum VPN session duration can be set to meet security and compliance requirements.
• Disconnect on Session Timeout (announced Jan 2025):
  • When enabled, users are prompted to reconnect when maximum session duration is reached.
  • When disabled, client VPN attempts to reconnect automatically (default behavior with cached credentials).
• Client Login Banner – enables a text banner on AWS-provided Client VPN desktop applications when a VPN session is established, useful for regulatory and compliance needs.
• Client Connect Handler – enables running custom logic (Lambda function) that authorizes new connections.
• Self-service Portal – enables a portal for clients to download their configuration and the AWS-provided VPN client.

Client VPN Limitations

• Client CIDR ranges cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint’s route table.
• Client CIDR ranges must have a block size between /22 and /12.
• Client CIDR range cannot be changed after Client VPN endpoint creation.
• Subnets associated with a Client VPN endpoint must be in the same VPC.
• Multiple subnets from the same AZ cannot be associated with a Client VPN endpoint.
• A Client VPN endpoint does not support subnet associations in a dedicated tenancy VPC.
• Client VPN is not Federal Information Processing Standards (FIPS) compliant.
• As Client VPN is a managed service and the IP address to which the DNS name resolves might change. Hence, it is not recommended to connect to the Client VPN endpoint by using IP addresses. Use DNS instead.
• IP forwarding is not supported when using the AWS Client VPN desktop application. IP forwarding is supported from other clients.
• Client VPN does not support multi-Region replication in AWS Managed Microsoft AD. The Client VPN endpoint must be in the same Region as the AWS Managed Microsoft AD resource.
• Cannot establish a VPN connection from a computer if there are multiple users logged into the operating system.
• Client-to-client communication is not supported for IPv6 clients.
• IPv6 and dual-stack endpoints require that user devices and ISPs support the corresponding IP configuration.
• Endpoint type (IPv4, IPv6, dual-stack) and traffic type cannot be modified after creation.
• Each user connection has a maximum baseline bandwidth of 50 Mbps.

Client VPN Quotas

• Authorization rules per Client VPN endpoint – 200 (increased from 50 in Dec 2024, then to 200 in Mar 2025). Adjustable.
• Routes per Client VPN target network association – 100 (increased from 10 in Dec 2024). Adjustable.
• Client VPN endpoints per Region – 5. Adjustable.
• Concurrent client connections per Client VPN endpoint – depends on number of subnet associations:
  • 1 subnet – 7,000
  • 2 subnets – 36,500
  • 3 subnets – 66,500
  • 4 subnets – 96,500
  • 5 subnets – 126,000
• Concurrent operations per Client VPN endpoint – 10. Not adjustable.
• Entries in a client certificate revocation list – 20,000. Not adjustable.
• For dual-stack endpoints, authorization rules and connection limits are shared between IPv4 and IPv6.

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. A company is developing an application on AWS. For analysis, the application transmits log files to an Amazon OpenSearch Service cluster. Each piece of data must be contained inside a VPC. A number of the company’s developers work remotely. Other developers are based at three distinct business locations. The developers must connect to OpenSearch Service directly from their local development computers in order to study and display logs. Which solution will satisfy these criteria?
   1. Configure and set up an AWS Client VPN endpoint. Associate the Client VPN endpoint with a subnet in the VPC. Configure a Client VPN self-service portal. Instruct the developers to connect by using the client for Client VPN.
   2. Create a transit gateway, and connect it to the VPC. Create an AWS Site-to-Site VPN. Create an attachment to the transit gateway. Instruct the developers to connect by using an OpenVPN client.
   3. Create a transit gateway, and connect it to the VPC. Order an AWS Direct Connect connection. Set up a public VIF on the Direct Connect connection. Associate the public VIF with the transit gateway. Instruct the developers to connect to the Direct Connect connection.
   4. Create and configure a bastion host in a public subnet of the VPC. Configure the bastion host security group to allow SSH access from the company CIDR ranges. Instruct the developers to connect by using SSH.
2. A company needs to provide secure remote access for 500 employees across 10 VPCs. The solution should minimize operational overhead and allow centralized management. Which approach is most appropriate?
   1. Create a Client VPN endpoint in each VPC and have users connect to the appropriate endpoint.
   2. Create a Client VPN endpoint with a native Transit Gateway attachment, connecting the Transit Gateway to all 10 VPCs.
   3. Create a Site-to-Site VPN to each employee’s home network.
   4. Deploy a bastion host in a shared services VPC and peer it with all other VPCs.
3. A security team requires that all remote user VPN traffic must flow through the VPN tunnel and that users cannot modify their local routing tables to bypass the VPN. Which Client VPN feature should be enabled?
   1. Split tunnel mode
   2. Authorization rules with deny policies
   3. Client Route Enforcement
   4. Client connect handler with Lambda validation
4. A company is migrating to an IPv6 network and needs its remote workers to securely access IPv6 resources in their VPC. Which Client VPN configuration supports this requirement?
   1. Create an IPv4-only Client VPN endpoint and use NAT64 for IPv6 resources.
   2. Client VPN does not support IPv6 traffic.
   3. Create a dual-stack or IPv6-only Client VPN endpoint with associated subnets that have IPv6 CIDR ranges.
   4. Use AWS Site-to-Site VPN instead, as Client VPN only supports IPv4.
5. A company wants to enforce re-authentication of VPN users when their session expires, rather than allowing automatic reconnection. Which feature should be configured?
   1. Set the maximum session timeout to 1 hour
   2. Enable client connect handler
   3. Enable disconnect on session timeout
   4. Configure MFA with Active Directory

References

• AWS Client VPN
• IPv6 considerations for AWS Client VPN
• Transit Gateway integration with Client VPN
• Client Route Enforcement
• Client VPN Session Timeout
• AWS Client VPN Quotas