class aws_cdk.aws_ec2.ClientVpnEndpoint(scope, id, *, vpc, cidr, server_certificate_arn, authorize_all_users_to_vpc_cidr=None, client_certificate_arn=None, client_connection_handler=None, client_login_banner=None, description=None, dns_servers=None, logging=None, log_group=None, log_stream=None, port=None, security_groups=None, self_service_portal=None, session_timeout=None, split_tunnel=None, transport_protocol=None, user_based_authentication=None, vpc_subnets=None)

Bases: Resource

A client VPN connnection.


fixture=client-vpn infused


endpoint = vpc.add_client_vpn_endpoint("Endpoint",

  • scope (Construct) –

  • id (str) –

  • vpc (IVpc) – The VPC to connect to.

  • cidr (str) – The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. Changing the address range will replace the Client VPN endpoint. The CIDR block should be /22 or greater.

  • server_certificate_arn (str) – The ARN of the server certificate.

  • authorize_all_users_to_vpc_cidr (Optional[bool]) – Whether to authorize all users to the VPC CIDR. This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead. Default: true

  • client_certificate_arn (Optional[str]) – The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication

  • client_connection_handler (Optional[IClientVpnConnectionHandler]) – The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the AWSClientVPN- prefix Default: - no connection handler

  • client_login_banner (Optional[str]) – Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client

  • description (Optional[str]) – A brief description of the Client VPN endpoint. Default: - no description

  • dns_servers (Optional[Sequence[str]]) – Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device

  • logging (Optional[bool]) – Whether to enable connections logging. Default: true

  • log_group (Optional[ILogGroup]) – A CloudWatch Logs log group for connection logging. Default: - a new group is created

  • log_stream (Optional[ILogStream]) – A CloudWatch Logs log stream for connection logging. Default: - a new stream is created

  • port (Optional[VpnPort]) – The port number to assign to the Client VPN endpoint for TCP and UDP traffic. Default: VpnPort.HTTPS

  • security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to apply to the target network. Default: - a new security group is created

  • self_service_portal (Optional[bool]) – Specify whether to enable the self-service portal for the Client VPN endpoint. Default: true

  • session_timeout (Optional[ClientVpnSessionTimeout]) – The maximum VPN session duration time. Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS

  • split_tunnel (Optional[bool]) – Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint. Default: false

  • transport_protocol (Optional[TransportProtocol]) – The transport protocol to be used by the VPN session. Default: TransportProtocol.UDP

  • user_based_authentication (Optional[ClientVpnUserBasedAuthentication]) – The type of user-based authentication to use. Default: - use mutual authentication

  • vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Subnets to associate to the client VPN endpoint. Default: - the VPC default strategy


add_authorization_rule(id, *, cidr, description=None, group_id=None)

Adds an authorization rule to this endpoint.

  • id (str) –

  • cidr (str) – The IPv4 address range, in CIDR notation, of the network for which access is being authorized.

  • description (Optional[str]) – A brief description of the authorization rule. Default: - no description

  • group_id (Optional[str]) – The ID of the group to grant access to, for example, the Active Directory group or identity provider (IdP) group. Default: - authorize all groups

Return type:


add_route(id, *, cidr, target, description=None)

Adds a route to this endpoint.

  • id (str) –

  • cidr (str) – The IPv4 address range, in CIDR notation, of the route destination. For example: - To add a route for Internet access, enter - To add a route for a peered VPC, enter the peered VPC’s IPv4 CIDR range - To add a route for an on-premises network, enter the AWS Site-to-Site VPN connection’s IPv4 CIDR range - To add a route for the local network, enter the client CIDR range

  • target (ClientVpnRouteTarget) – The target for the route.

  • description (Optional[str]) – A brief description of the authorization rule. Default: - no description

Return type:



Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


policy (RemovalPolicy) –

Return type:



Returns a string representation of this construct.

Return type:




Allows specify security group connections for the endpoint.


The endpoint ID.


The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


The construct tree node associated with this construct.


The stack in which this resource is defined.


Dependable that can be depended upon to force target networks associations.

Static Methods

classmethod from_endpoint_attributes(scope, id, *, endpoint_id, security_groups)

Import an existing client VPN endpoint.

  • scope (Construct) –

  • id (str) –

  • endpoint_id (str) – The endpoint ID.

  • security_groups (Sequence[ISecurityGroup]) – The security groups associated with the endpoint.

Return type:


classmethod is_construct(x)

Return whether the given object is a Construct.


x (Any) –

Return type:


classmethod is_resource(construct)

Check whether the given construct is a Resource.


construct (IConstruct) –

Return type: