interface ClientVpnEndpointOptions

| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.EC2.ClientVpnEndpointOptions |
| Java | software.amazon.awscdk.services.ec2.ClientVpnEndpointOptions |
| Python | aws_cdk.aws_ec2.ClientVpnEndpointOptions |
| TypeScript (source) | @aws-cdk/aws-ec2 » ClientVpnEndpointOptions |
Options for a client VPN endpoint.
Example

```ts
const endpoint = vpc.addClientVpnEndpoint('Endpoint', {
  cidr: '10.100.0.0/16',
  serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
  userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
  authorizeAllUsersToVpcCidr: false,
});
endpoint.addAuthorizationRule('Rule', {
  cidr: '10.0.10.0/32',
  groupId: 'group-id',
});
```
Properties

| Name | Type | Description |
|---|---|---|
| cidr | string | The IPv4 address range, in CIDR notation, from which to assign client IP addresses. |
| serverCertificateArn | string | The ARN of the server certificate. |
| authorizeAllUsersToVpcCidr? | boolean | Whether to authorize all users to the VPC CIDR. |
| clientCertificateArn? | string | The ARN of the client certificate for mutual authentication. |
| clientConnectionHandler? | IClientVpnConnectionHandler | The AWS Lambda function used for connection authorization. |
| clientLoginBanner? | string | Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. |
| description? | string | A brief description of the Client VPN endpoint. |
| dnsServers? | string[] | Information about the DNS servers to be used for DNS resolution. |
| logGroup? | ILogGroup | A CloudWatch Logs log group for connection logging. |
| logStream? | ILogStream | A CloudWatch Logs log stream for connection logging. |
| logging? | boolean | Whether to enable connection logging. |
| port? | VpnPort | The port number to assign to the Client VPN endpoint for TCP and UDP traffic. |
| securityGroups? | ISecurityGroup[] | The security groups to apply to the target network. |
| selfServicePortal? | boolean | Specify whether to enable the self-service portal for the Client VPN endpoint. |
| sessionTimeout? | ClientVpnSessionTimeout | The maximum VPN session duration time. |
| splitTunnel? | boolean | Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint. |
| transportProtocol? | TransportProtocol | The transport protocol to be used by the VPN session. |
| userBasedAuthentication? | ClientVpnUserBasedAuthentication | The type of user-based authentication to use. |
| vpcSubnets? | SubnetSelection | Subnets to associate to the client VPN endpoint. |
cidr
Type: string
The IPv4 address range, in CIDR notation, from which to assign client IP addresses.
The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.
Changing the address range will replace the Client VPN endpoint.
The CIDR block should be /22 or greater.
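As an added pre-deployment check, not part of the CDK library or of the example above, the following Python helper validates a proposed `cidr` against the three constraints just stated. It reads "/22 or greater" as a prefix length of 22 or less; the VPC CIDR and manual routes it is run against are constructed sample values.

```python
import ipaddress
from typing import Iterable, List


def check_client_cidr(client_cidr: str, vpc_cidr: str,
                      manual_routes: Iterable[str] = ()) -> List[str]:
    """Return the problems found with a proposed Client VPN client CIDR.

    Constraints checked (as stated in the cidr property description):
      * the value must be a valid IPv4 CIDR block;
      * the block must be /22 or larger (prefix length <= 22);
      * it must not overlap the CIDR of the VPC the subnet lives in;
      * it must not overlap any route added manually to the endpoint.
    An empty list means the CIDR passes every check.
    """
    problems: List[str] = []
    try:
        # strict=True rejects values with host bits set, e.g. 10.100.0.1/16
        client = ipaddress.IPv4Network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"{client_cidr!r} is not a valid IPv4 CIDR block: {exc}"]

    if client.prefixlen > 22:
        problems.append(
            f"{client} is smaller than /22 (prefix length {client.prefixlen})")

    vpc = ipaddress.IPv4Network(vpc_cidr, strict=False)
    if client.overlaps(vpc):
        problems.append(f"{client} overlaps the VPC CIDR {vpc}")

    for route in manual_routes:
        net = ipaddress.IPv4Network(route, strict=False)
        if client.overlaps(net):
            problems.append(f"{client} overlaps manual route {net}")

    return problems


if __name__ == "__main__":
    # Constructed sample: the page's client CIDR against a hypothetical VPC
    # CIDR and one manually added route that collides with it.
    for issue in check_client_cidr("10.100.0.0/16", "10.0.0.0/16",
                                   ["10.100.5.0/24"]):
        print("problem:", issue)
```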
serverCertificateArn
Type: string
The ARN of the server certificate.

authorizeAllUsersToVpcCidr?
Type: boolean (optional, default: true)
Whether to authorize all users to the VPC CIDR.
This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead.

clientCertificateArn?
Type: string (optional, default: use user-based authentication)
The ARN of the client certificate for mutual authentication.
The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).

clientConnectionHandler?
Type: IClientVpnConnectionHandler (optional, default: no connection handler)
The AWS Lambda function used for connection authorization.
The name of the Lambda function must begin with the AWSClientVPN- prefix.

clientLoginBanner?
Type: string (optional, default: no banner is presented to the client)
Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.
UTF-8 encoded characters only. Maximum of 1400 characters.

description?
Type: string (optional, default: no description)
A brief description of the Client VPN endpoint.

dnsServers?
Type: string[] (optional, default: use the DNS address configured on the device)
Information about the DNS servers to be used for DNS resolution.
A Client VPN endpoint can have up to two DNS servers.

logGroup?
Type: ILogGroup (optional, default: a new group is created)
A CloudWatch Logs log group for connection logging.

logStream?
Type: ILogStream (optional, default: a new stream is created)
A CloudWatch Logs log stream for connection logging.

logging?
Type: boolean (optional, default: true)
Whether to enable connection logging.

port?
Type: VpnPort (optional, default: VpnPort.HTTPS)
The port number to assign to the Client VPN endpoint for TCP and UDP traffic.

securityGroups?
Type: ISecurityGroup[] (optional, default: a new security group is created)
The security groups to apply to the target network.

selfServicePortal?
Type: boolean (optional, default: true)
Specify whether to enable the self-service portal for the Client VPN endpoint.

sessionTimeout?
Type: ClientVpnSessionTimeout (optional, default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS)
The maximum VPN session duration time.

splitTunnel?
Type: boolean (optional, default: false)
Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
See also: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html

transportProtocol?
Type: TransportProtocol (optional, default: TransportProtocol.UDP)
The transport protocol to be used by the VPN session.

userBasedAuthentication?
Type: ClientVpnUserBasedAuthentication (optional, default: use mutual authentication)
The type of user-based authentication to use.
See also: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

vpcSubnets?
Type: SubnetSelection (optional, default: the VPC default strategy)
Subnets to associate to the client VPN endpoint.