ClientVpnEndpointOptions

class aws_cdk.aws_ec2.ClientVpnEndpointOptions(*, cidr, server_certificate_arn, authorize_all_users_to_vpc_cidr=None, client_certificate_arn=None, client_connection_handler=None, client_login_banner=None, description=None, dns_servers=None, logging=None, log_group=None, log_stream=None, port=None, security_groups=None, self_service_portal=None, session_timeout=None, split_tunnel=None, transport_protocol=None, user_based_authentication=None, vpc_subnets=None)

Bases: object

Options for a client VPN endpoint.

Parameters:

cidr (str) – The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. Changing the address range will replace the Client VPN endpoint. The CIDR block should be /22 or greater.
server_certificate_arn (str) – The ARN of the server certificate.
authorize_all_users_to_vpc_cidr (Optional[bool]) – Whether to authorize all users to the VPC CIDR. This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead. Default: true
client_certificate_arn (Optional[str]) – The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
client_connection_handler (Optional[IClientVpnConnectionHandler]) – The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the AWSClientVPN- prefix Default: - no connection handler
client_login_banner (Optional[str]) – Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
description (Optional[str]) – A brief description of the Client VPN endpoint. Default: - no description
dns_servers (Optional[Sequence[str]]) – Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
logging (Optional[bool]) – Whether to enable connections logging. Default: true
log_group (Optional[ILogGroup]) – A CloudWatch Logs log group for connection logging. Default: - a new group is created
log_stream (Optional[ILogStream]) – A CloudWatch Logs log stream for connection logging. Default: - a new stream is created
port (Optional[VpnPort]) – The port number to assign to the Client VPN endpoint for TCP and UDP traffic. Default: VpnPort.HTTPS
security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to apply to the target network. Default: - a new security group is created
self_service_portal (Optional[bool]) – Specify whether to enable the self-service portal for the Client VPN endpoint. Default: true
session_timeout (Optional[ClientVpnSessionTimeout]) – The maximum VPN session duration time. Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS
split_tunnel (Optional[bool]) – Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint. Default: false
transport_protocol (Optional[TransportProtocol]) – The transport protocol to be used by the VPN session. Default: TransportProtocol.UDP
user_based_authentication (Optional[ClientVpnUserBasedAuthentication]) – The type of user-based authentication to use. Default: - use mutual authentication
vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Subnets to associate to the client VPN endpoint. Default: - the VPC default strategy

ExampleMetadata:

fixture=client-vpn infused

Example:

endpoint = vpc.add_client_vpn_endpoint("Endpoint",
    cidr="10.100.0.0/16",
    server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
    user_based_authentication=ec2.ClientVpnUserBasedAuthentication.federated(saml_provider),
    authorize_all_users_to_vpc_cidr=False
)

endpoint.add_authorization_rule("Rule",
    cidr="10.0.10.0/32",
    group_id="group-id"
)

Attributes

authorize_all_users_to_vpc_cidr

Whether to authorize all users to the VPC CIDR.

This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead.

Default:: true

cidr

The IPv4 address range, in CIDR notation, from which to assign client IP addresses.

The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.

Changing the address range will replace the Client VPN endpoint.

The CIDR block should be /22 or greater.

client_certificate_arn

The ARN of the client certificate for mutual authentication.

The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).

Default:

use user-based authentication

client_connection_handler

The AWS Lambda function used for connection authorization.

The name of the Lambda function must begin with the AWSClientVPN- prefix

Default:

no connection handler

client_login_banner

Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.

UTF-8 encoded characters only. Maximum of 1400 characters.

Default:

no banner is presented to the client

description

A brief description of the Client VPN endpoint.

Default:

no description

dns_servers

Information about the DNS servers to be used for DNS resolution.

A Client VPN endpoint can have up to two DNS servers.

Default:

use the DNS address configured on the device

log_group

A CloudWatch Logs log group for connection logging.

Default:

a new group is created

log_stream

A CloudWatch Logs log stream for connection logging.

Default:

a new stream is created

logging

Whether to enable connections logging.

Default:: true

port

The port number to assign to the Client VPN endpoint for TCP and UDP traffic.

Default:: VpnPort.HTTPS

security_groups

The security groups to apply to the target network.

Default:

a new security group is created

self_service_portal

Specify whether to enable the self-service portal for the Client VPN endpoint.

Default:: true

server_certificate_arn: The ARN of the server certificate.

session_timeout

The maximum VPN session duration time.

Default:: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS

split_tunnel

Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.

Default:: false
See:: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html

transport_protocol

The transport protocol to be used by the VPN session.

Default:: TransportProtocol.UDP

user_based_authentication

The type of user-based authentication to use.

Default:

use mutual authentication

See:

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

vpc_subnets

Subnets to associate to the client VPN endpoint.

Default:

the VPC default strategy