Improving the current architecture using AWS Client VPN

Engineering Nov 22, 2022

When it comes to design our resource infrastructure and sharing access permission, handling the secure network traffic become the delicate part. In this blog I will show you how we can enhance/secure our infra design via implementing VPN.

Current system access management

Generally we manage all the restrictions and access control via IAM (Identity access management) policy.

Glitch with current access management

  • Anyone could enter in our network premises if the credentials got compromised
  • Public network are allowed to access our private network that makes us vulnerable to be exploit

What is VPN(virtual private network) ?

A virtual private network extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

How VPN could solve our problem statement ?

Using VPN we have advantage of getting a private securing connection as it adds one extra layer of security to our system to restrict the access of connection to be public.

Knowledge Required

  • AWS VPC : Virtual Private Cloud

Good to have

  • ENI : Elastic Network Interface
  • IG : Internet Gateway
  • NAT : Network address translation
  • Security Group
  • Route Table
  • Networking Fundamentals

AWS Client VPN

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources or your on-premises network. With AWS Client VPN, you configure an endpoint to which your users can connect to establish a secure TLS VPN session. This enables clients to access resources in AWS or on-premises from any location using an OpenVPN-based VPN client

Features of client VPN

  • Secure connections
  • Managed service
  • High availability and elasticity
  • Authentication
  • Ease of use
  • Manageability

Components of Client VPN

The following are the key concepts for Client VPN:

Client VPN endpoint

The Client VPN endpoint is the resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated.

Target network

A target network is the network that you associate with a Client VPN endpoint. A subnet from a VPC is a target network. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone.


Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks.

Authorization rules

An authorization rule restricts the users who can access a network. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. By default, there are no authorization rules and you must configure authorization rules to enable users to access resources and networks.


The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session.

Client CIDR range

An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example,

Client VPN ports

AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443.

Client VPN network interfaces

When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.

Connection logging

You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyse how your Client VPN endpoint is being used, or debug connection issues.

How AWS Client VPN works

If we are talking about the working mechanism of aws client vpn, so there are two types of user that interact with the Client VPN endpoint: - administrators - clients


Administrator is responsible for setting up and configuring the service.

  • creating the Client VPN endpoint
  • associating the target network
  • configuring the authorization rules
  • setting up additional routes
After the Client VPN endpoint is set up and configured, the administrator downloads the Client VPN endpoint configuration file and distributes it to the clients who need access.


The client is the end user. This is the person who connects to the Client VPN endpoint to establish a VPN session.


It ensure that wether the client is allow to establish a VPN session or not.

Types of authentication System that we have is:

  • Certificate based
  • AD Authentication
  • Single-sign-on : SAML

For more details you can refer the Link.


Client VPN supports two types of authorization: security groups and network-based authorization.

Security Group

You can enable Client VPN users to access your applications in a VPC by adding a rule to your applications' security groups to allow traffic from the security group that was applied to the association.

Network-based authorization

Network-based authorization is implemented using authorization rules. For each network that you want to enable access, you must configure authorization rules that limit the users who have access. For a specified network, you configure the Active Directory group or the SAML-based IdP group that is allowed access. Only users who belong to the specified group can access the specified network. If you are not using Active Directory or SAML-based federated authentication, or you want to open access to all users, you can specify a rule that grants access to all clients.

Diagrammatic Representation of use case

Access to a VPC

Allowed internet access with VPC

Access to an on-premises network

Access to a peered VPC


Connection logging via Cloud-Watch

AWS Client VPN publishes the following metrics to Amazon CloudWatch for your Client VPN endpoints. Metrics are published to Amazon CloudWatch every five minutes.

    "connection-log-type": "connection-attempt",
    "connection-attempt-status": "successful",
    "connection-reset-status": "NA",
    "connection-attempt-failure-reason": "NA",
    "connection-id": "cvpn-connection-abc123abc123abc12",
    "client-vpn-endpoint-id": "cvpn-endpoint-aaa111bbb222ccc33",
    "transport-protocol": "udp",
    "connection-start-time": "2020-03-26 20:37:15",
    "connection-last-update-time": "2020-03-26 20:37:15",
    "client-ip": "",
    "common-name": "client1",
    "device-type": "mac",
    "device-ip": "",
    "port": "50096",
    "ingress-bytes": "0",
    "egress-bytes": "0",
    "ingress-packets": "0",
    "egress-packets": "0",
    "connection-end-time": "NA"


  • AWS Documentation


Anuj Kumar Singh

Software Engineer | Chronic problem solver | Architect

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.