AWS Client VPN

Rajesh Murali Nair
4 min read · Apr 10, 2023

AWS Client VPN is a fully managed virtual private network (VPN) service provided by Amazon Web Services (AWS) that allows users to securely access AWS resources and applications from anywhere in the world. With AWS Client VPN, businesses can establish secure and reliable connections for remote workers, customers, and partners, enabling them to access resources and applications that are hosted in AWS VPCs (Virtual Private Clouds). In this blog post, we will explore the features and components of AWS Client VPN, how it works, and other important points.

Overview

  • Managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network

Features of Client VPN

  • Secure connections
  • Managed service
  • High availability and elasticity
  • Authentication
  • Ease of use
  • Manageability
  • Deep integration

Components of Client VPN

  • Client VPN endpoint — The resource that you create and configure to enable and manage client sessions.
  • Target network — A subnet or network that you associate with a Client VPN endpoint.
  • Route — Each Client VPN endpoint has a route table that describes the available destination network routes.
  • Authorization rules — An authorization rule restricts which users can access a network. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access; only users belonging to that group can reach the specified network. By default there are no authorization rules, so you must configure them before users can access any resources or networks.
  • Client — The end user connecting to the Client VPN endpoint to establish a VPN session.
  • Client CIDR range — An IP address range from which client IP addresses are assigned.
  • Client VPN ports — AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443.
  • Client VPN network interfaces — When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. Traffic that’s sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.
  • Connection logging — You can enable connection logging for your Client VPN endpoint to log connection events.
  • Self-service portal — Client VPN provides a self-service portal as a web page where end users can download the latest version of the AWS VPN Desktop Client and the latest version of the Client VPN endpoint configuration file, which contains the settings required to connect to their endpoint.
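To make the authorization-rule and SNAT components above concrete, here is a small in-memory model of an endpoint. This is an added example, not AWS code or the author's; the endpoint, subnet id, addresses and group names are constructed, and the "all users" rule is modelled as a rule with no group.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set

# Hypothetical in-memory model of a Client VPN endpoint (constructed values,
# not AWS code): the client CIDR, the Client VPN network interface created in
# each associated subnet, and the endpoint's authorization rules.


@dataclass(frozen=True)
class AuthorizationRule:
    target_cidr: IPv4Network        # destination network the rule grants access to
    group_id: Optional[str] = None  # AD/IdP group allowed; None means "all users"


@dataclass
class ClientVpnEndpoint:
    client_cidr: IPv4Network
    eni_ips: Dict[str, IPv4Address] = field(default_factory=dict)  # subnet id -> ENI IP
    rules: List[AuthorizationRule] = field(default_factory=list)


def is_authorized(endpoint: ClientVpnEndpoint, user_groups: Set[str], dest_ip: str) -> bool:
    """Default deny: with no rules nothing is reachable. Access is granted only
    when some rule's CIDR contains dest_ip and the user is in that rule's group
    (or the rule was created for all users)."""
    dest = IPv4Address(dest_ip)
    for rule in endpoint.rules:
        if dest in rule.target_cidr and (rule.group_id is None or rule.group_id in user_groups):
            return True
    return False


def snat_source(endpoint: ClientVpnEndpoint, client_ip: str, subnet_id: str) -> str:
    """Traffic from the client toward the VPC leaves through the Client VPN
    network interface in the associated subnet, with its source address
    translated from the client CIDR to that interface's IP."""
    src = IPv4Address(client_ip)
    if src not in endpoint.client_cidr:
        raise ValueError(f"{src} is not an address from the client CIDR {endpoint.client_cidr}")
    return str(endpoint.eni_ips[subnet_id])


# Constructed example: VPC 10.0.0.0/16 with one associated subnet. The client
# CIDR is chosen so that it does not overlap the VPC and is at least a /22.
ENDPOINT = ClientVpnEndpoint(
    client_cidr=IPv4Network("10.8.0.0/22"),
    eni_ips={"subnet-app": IPv4Address("10.0.1.37")},
    rules=[
        AuthorizationRule(IPv4Network("10.0.1.0/24")),               # app subnet: all users
        AuthorizationRule(IPv4Network("10.0.2.0/24"), "db-admins"),  # db subnet: one group only
    ],
)


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed (user groups, destination) pairs."""
    checks = {
        "engineer -> app": is_authorized(ENDPOINT, {"engineers"}, "10.0.1.10"),
        "engineer -> db": is_authorized(ENDPOINT, {"engineers"}, "10.0.2.10"),
        "db-admin -> db": is_authorized(ENDPOINT, {"db-admins"}, "10.0.2.10"),
        "db-admin -> other": is_authorized(ENDPOINT, {"db-admins"}, "10.0.3.10"),
    }
    for label, allowed in checks.items():
        print(f"{label:20} {'ALLOW' if allowed else 'DENY'}")
    print("source seen inside the VPC:", snat_source(ENDPOINT, "10.8.0.5", "subnet-app"))
    return checks


if __name__ == "__main__":
    demo()
```

The "db-admin -> other" case is the one to notice: a destination with no matching rule is denied even for a privileged group, which is the default-deny behaviour the component list describes. The SNAT helper also shows why VPC security groups and flow logs see the network interface address, not the client's tunnel address.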

How AWS Client VPN works

  • There are two types of user personas that interact with the Client VPN endpoint:
    1. Administrators
    2. Clients
  • Administrator — Responsible for creating the Client VPN endpoint, associating the target network, configuring the authorization rules, and setting up additional routes (if required). After the Client VPN endpoint is set up and configured, the administrator downloads the Client VPN endpoint configuration file and distributes it to the clients who need access.
  • Client — The end user who connects to the Client VPN endpoint to establish a VPN session. The client establishes the VPN session from their local computer or mobile device using an OpenVPN-based VPN client application. After they have established the VPN session, they can securely access the resources in the VPC in which the associated subnet is located.
  • AWS Client VPN architecture (diagram)
  • Client authentication — Determines whether clients are allowed to connect to the Client VPN endpoint. Client VPN offers the following types of client authentication:
    1. Active Directory authentication (user-based)
    2. Mutual authentication (certificate-based)
    3. Single sign-on (SAML-based federated authentication) (user-based)
  • Client authorization — Client VPN supports two types of client authorization:
    1. Security groups
    2. Network-based
  • Connection authorization — You can configure a client connect handler for your Client VPN endpoint. The handler lets you run custom logic that authorizes a new connection based on device, user, and connection attributes.

How to have internet access when connected to AWS Client VPN

  • Split-tunnel on AWS Client VPN endpoints — By default, when you have a Client VPN endpoint, all traffic from clients is routed over the Client VPN tunnel. When you enable split-tunnel on the Client VPN endpoint, we push the routes in the Client VPN endpoint route table to the device that is connected to the endpoint. This ensures that only traffic destined for a network matching a route in the Client VPN endpoint route table is routed over the Client VPN tunnel.
  • Routing considerations for split-tunnel
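The following added example (not from the original post or from AWS) simulates the client-side effect of the split-tunnel setting described above. The endpoint route table is constructed: one route for the VPC CIDR, which is added when a subnet is associated, and one for an on-premises range reachable through the VPC; the destination addresses are also constructed.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed Client VPN endpoint route table (hypothetical values, not taken
# from any real endpoint): destination CIDR -> target subnet it is reached through.
ENDPOINT_ROUTE_TABLE: Dict[IPv4Network, str] = {
    IPv4Network("10.0.0.0/16"): "subnet-app",    # the VPC itself
    IPv4Network("172.16.0.0/12"): "subnet-app",  # on-premises network reachable via the VPC
}

# Constructed destinations: a host in the VPC, a host on premises, and an
# internet host taken from the TEST-NET-3 documentation range.
DESTINATIONS: List[str] = ["10.0.1.10", "172.16.4.9", "203.0.113.10"]


def routes_pushed_to_client(route_table: Dict[IPv4Network, str], split_tunnel: bool) -> List[IPv4Network]:
    """Split-tunnel: the endpoint route table's destinations are pushed to the
    client. Full-tunnel (the default): the client receives a single default
    route, so everything is sent into the tunnel."""
    if split_tunnel:
        return sorted(route_table, key=lambda n: (n.prefixlen, int(n.network_address)))
    return [IPv4Network("0.0.0.0/0")]


def next_hop(dest_ip: str, pushed_routes: List[IPv4Network]) -> Tuple[str, Optional[str]]:
    """Longest-prefix match against the pushed routes. A match means the packet
    goes over the VPN tunnel; no match means it leaves through the device's own
    network (which is how internet-bound traffic stays local under split-tunnel)."""
    dest = IPv4Address(dest_ip)
    matches = [r for r in pushed_routes if dest in r]
    if not matches:
        return ("local", None)
    best = max(matches, key=lambda r: r.prefixlen)
    return ("tunnel", str(best))


def compare_modes() -> Dict[str, Dict[str, str]]:
    """Show where each destination is sent in full-tunnel vs split-tunnel mode."""
    result: Dict[str, Dict[str, str]] = {}
    for split in (False, True):
        mode = "split" if split else "full"
        pushed = routes_pushed_to_client(ENDPOINT_ROUTE_TABLE, split)
        result[mode] = {dest: next_hop(dest, pushed)[0] for dest in DESTINATIONS}
        print(f"{mode:5} tunnel, routes pushed: {[str(r) for r in pushed]}")
        for dest, hop in result[mode].items():
            print(f"  {dest:14} -> {hop}")
    return result


if __name__ == "__main__":
    compare_modes()
```

With split-tunnel enabled the internet host is sent to "local", so the client keeps ordinary internet access while VPC and on-premises ranges still traverse the tunnel. In full-tunnel mode the same packet enters the tunnel, and it only reaches the internet if the endpoint route table carries a 0.0.0.0/0 route and an authorization rule covers that destination; otherwise the endpoint drops it.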
