ClientVpnEndpointOptions

class aws_cdk.aws_ec2.ClientVpnEndpointOptions(*, authorize_all_users_to_vpc_cidr=None, cidr, client_certificate_arn=None, client_connection_handler=None, description=None, dns_servers=None, logging=None, log_group=None, log_stream=None, port=None, security_groups=None, self_service_portal=None, server_certificate_arn, split_tunnel=None, transport_protocol=None, user_based_authentication=None, vpc_subnets=None)

Bases: object

Options for a client VPN endpoint.

Parameters
  • authorize_all_users_to_vpc_cidr (Optional[bool]) – Whether to authorize all users to the VPC CIDR. This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead. Default: true

  • cidr (str) – The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. Changing the address range will replace the Client VPN endpoint. The CIDR block should be /22 or greater.

  • client_certificate_arn (Optional[str]) – The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication

  • client_connection_handler (Optional[IClientVpnConnectionHandler]) – The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the AWSClientVPN- prefix. Default: - no connection handler

  • description (Optional[str]) – A brief description of the Client VPN endpoint. Default: - no description

  • dns_servers (Optional[Sequence[str]]) – Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device

  • logging (Optional[bool]) – Whether to enable connection logging. Default: true

  • log_group (Optional[ILogGroup]) – A CloudWatch Logs log group for connection logging. Default: - a new group is created

  • log_stream (Optional[ILogStream]) – A CloudWatch Logs log stream for connection logging. Default: - a new stream is created

  • port (Optional[VpnPort]) – The port number to assign to the Client VPN endpoint for TCP and UDP traffic. Default: VpnPort.HTTPS

  • security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to apply to the target network. Default: - a new security group is created

  • self_service_portal (Optional[bool]) – Specify whether to enable the self-service portal for the Client VPN endpoint. Default: true

  • server_certificate_arn (str) – The ARN of the server certificate.

  • split_tunnel (Optional[bool]) – Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint. Default: false

  • transport_protocol (Optional[TransportProtocol]) – The transport protocol to be used by the VPN session. Default: TransportProtocol.UDP

  • user_based_authentication (Optional[ClientVpnUserBasedAuthentication]) – The type of user-based authentication to use. Default: - use mutual authentication

  • vpc_subnets (Optional[SubnetSelection]) – Subnets to associate with the client VPN endpoint. Default: - the VPC default strategy

Example:

# Assumes `vpc` (an ec2.Vpc) and `saml_provider` (an iam.SamlProvider) already exist in the stack.
from aws_cdk import aws_ec2 as ec2

# Disable the automatic authorize-all rule so that access is granted per rule below.
endpoint = vpc.add_client_vpn_endpoint("Endpoint",
    cidr="10.100.0.0/16",
    server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
    user_based_authentication=ec2.ClientVpnUserBasedAuthentication.federated(saml_provider),
    authorize_all_users_to_vpc_cidr=False
)

# Explicit authorization rule: only members of the given group reach this host.
endpoint.add_authorization_rule("Rule",
    cidr="10.0.10.0/32",
    group_id="group-id"
)
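The constraints the parameter list states (client CIDR of /22 or larger that does not overlap the VPC CIDR or manual routes, at most two DNS servers, the AWSClientVPN- Lambda name prefix, a server certificate plus at least one client authentication method) can be checked before synth. The validator below is an added example and not part of aws_cdk; check_client_vpn_options, its dict-shaped input, the posture checks on logging and authorize-all, and the constructed sample values are assumptions.

```python
import ipaddress
from typing import Sequence

# Hypothetical pre-synth validator (added example, not part of aws_cdk).
# `opts` mirrors the ClientVpnEndpointOptions keyword names as a plain dict;
# `client_connection_handler` is given as the Lambda function name.
LAMBDA_PREFIX = "AWSClientVPN-"

def check_client_vpn_options(opts: dict, vpc_cidr: str,
                             manual_routes: Sequence[str] = ()) -> list:
    """Return the constraint violations found; an empty list means none."""
    problems = []
    try:
        client_net = ipaddress.ip_network(opts["cidr"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"cidr: missing or invalid ({exc})"]
    # Client address pool: IPv4, /22 or larger, and disjoint from the VPC
    # CIDR and every manually added route.
    if client_net.version != 4:
        problems.append("cidr: must be an IPv4 range")
    elif client_net.prefixlen > 22:
        problems.append(f"cidr: /{client_net.prefixlen} is smaller than /22")
    for other in (vpc_cidr, *manual_routes):
        if client_net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"cidr: {client_net} overlaps {other}")
    # The server certificate is mandatory; at least one client auth method
    # (mutual TLS certificate or user-based) must be configured.
    if not opts.get("server_certificate_arn"):
        problems.append("server_certificate_arn: required")
    if not (opts.get("client_certificate_arn") or opts.get("user_based_authentication")):
        problems.append("auth: set client_certificate_arn or user_based_authentication")
    # At most two DNS servers, each a syntactically valid address.
    dns = list(opts.get("dns_servers") or [])
    if len(dns) > 2:
        problems.append("dns_servers: at most two servers are allowed")
    for server in dns:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"dns_servers: {server!r} is not an IP address")
    # The connection-authorization Lambda must carry the AWSClientVPN- prefix.
    handler = opts.get("client_connection_handler")
    if handler and not handler.startswith(LAMBDA_PREFIX):
        problems.append(f"client_connection_handler: name must start with {LAMBDA_PREFIX}")
    # Posture checks: disabled logging removes connection visibility, and the
    # default authorize-all rule lets every authenticated user reach the VPC CIDR.
    if opts.get("logging") is False:
        problems.append("logging: connection logging is disabled")
    if opts.get("authorize_all_users_to_vpc_cidr", True):
        problems.append("posture: authorize_all_users_to_vpc_cidr grants every user the VPC CIDR")
    return problems
```

Run it over the option dict before `cdk synth`; a non-empty list is the set of findings to fix or consciously accept.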

Attributes

authorize_all_users_to_vpc_cidr

Whether to authorize all users to the VPC CIDR.

This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead.

Default

true

Return type

Optional[bool]

cidr

The IPv4 address range, in CIDR notation, from which to assign client IP addresses.

The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.

Changing the address range will replace the Client VPN endpoint.

The CIDR block should be /22 or greater.

Return type

str

client_certificate_arn

The ARN of the client certificate for mutual authentication.

The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).

Default
  • use user-based authentication

Return type

Optional[str]

client_connection_handler

The AWS Lambda function used for connection authorization.

The name of the Lambda function must begin with the AWSClientVPN- prefix.

Default
  • no connection handler

Return type

Optional[IClientVpnConnectionHandler]

description

A brief description of the Client VPN endpoint.

Default
  • no description

Return type

Optional[str]

dns_servers

Information about the DNS servers to be used for DNS resolution.

A Client VPN endpoint can have up to two DNS servers.

Default
  • use the DNS address configured on the device

Return type

Optional[List[str]]

log_group

A CloudWatch Logs log group for connection logging.

Default
  • a new group is created

Return type

Optional[ILogGroup]

log_stream

A CloudWatch Logs log stream for connection logging.

Default
  • a new stream is created

Return type

Optional[ILogStream]

logging

Whether to enable connection logging.

Default

true

Return type

Optional[bool]

port

The port number to assign to the Client VPN endpoint for TCP and UDP traffic.

Default

VpnPort.HTTPS

Return type

Optional[VpnPort]

security_groups

The security groups to apply to the target network.

Default
  • a new security group is created

Return type

Optional[List[ISecurityGroup]]

self_service_portal

Specify whether to enable the self-service portal for the Client VPN endpoint.

Default

true

Return type

Optional[bool]

server_certificate_arn

The ARN of the server certificate.

Return type

str

split_tunnel

Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.

Default

false

See

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html

Return type

Optional[bool]

transport_protocol

The transport protocol to be used by the VPN session.

Default

TransportProtocol.UDP

Return type

Optional[TransportProtocol]

user_based_authentication

The type of user-based authentication to use.

Default
  • use mutual authentication

See

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

Return type

Optional[ClientVpnUserBasedAuthentication]

vpc_subnets

Subnets to associate with the client VPN endpoint.

Default
  • the VPC default strategy

Return type

Optional[SubnetSelection]