Class ClientVpnEndpointOptions
Options for a client VPN endpoint.
Namespace: Amazon.CDK.AWS.EC2
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class ClientVpnEndpointOptions : IClientVpnEndpointOptions
Syntax (vb)
Public Class ClientVpnEndpointOptions Implements IClientVpnEndpointOptions
Remarks
Examples
vpc.AddClientVpnEndpoint("Endpoint", new ClientVpnEndpointOptions {
Cidr = "10.100.0.0/16",
ServerCertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
// Mutual authentication
ClientCertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
// User-based authentication
UserBasedAuthentication = ClientVpnUserBasedAuthentication.Federated(samlProvider)
});
Synopsis
Constructors
| ClientVpnEndpointOptions() | Options for a client VPN endpoint. |
Properties
| AuthorizeAllUsersToVpcCidr | Whether to authorize all users to the VPC CIDR. |
| Cidr | The IPv4 address range, in CIDR notation, from which to assign client IP addresses. |
| ClientCertificateArn | The ARN of the client certificate for mutual authentication. |
| ClientConnectionHandler | The AWS Lambda function used for connection authorization. |
| ClientLoginBanner | Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. |
| ClientRouteEnforcementOptions | Options for Client Route Enforcement. |
| Description | A brief description of the Client VPN endpoint. |
| DisconnectOnSessionTimeout | Indicates whether the client VPN session is disconnected after the maximum SessionTimeout is reached. |
| DnsServers | Information about the DNS servers to be used for DNS resolution. |
| LogGroup | A CloudWatch Logs log group for connection logging. |
| LogStream | A CloudWatch Logs log stream for connection logging. |
| Logging | Whether to enable connection logging. |
| Port | The port number to assign to the Client VPN endpoint for TCP and UDP traffic. |
| SecurityGroups | The security groups to apply to the target network. |
| SelfServicePortal | Specify whether to enable the self-service portal for the Client VPN endpoint. |
| ServerCertificateArn | The ARN of the server certificate. |
| SessionTimeout | The maximum VPN session duration time. |
| SplitTunnel | Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint. |
| TransportProtocol | The transport protocol to be used by the VPN session. |
| UserBasedAuthentication | The type of user-based authentication to use. |
| VpcSubnets | Subnets to associate to the client VPN endpoint. |
Constructors
ClientVpnEndpointOptions()
Options for a client VPN endpoint.
public ClientVpnEndpointOptions()
Properties
AuthorizeAllUsersToVpcCidr
Whether to authorize all users to the VPC CIDR.
public bool? AuthorizeAllUsersToVpcCidr { get; set; }
Property Value
bool?
Remarks
This automatically creates an authorization rule that grants every authenticated user access to the whole VPC CIDR. Set this to false and
use AddAuthorizationRule() on the endpoint to create narrower rules (per group and per target CIDR) instead.
Default: true
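The example below is added here to show the least-privilege pattern the remarks describe: AuthorizeAllUsersToVpcCidr is set to false and per-group authorization rules are added with AddAuthorizationRule(), together with explicit logging, full-tunnel and session-timeout settings from the other properties on this page. It is not code from the CDK project or the original page. The stack name, certificate ARNs, CIDRs, SAML group IDs, the idp-metadata.xml path and the DNS server address are placeholders.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.EC2;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.Logs;
using Constructs;

// Hypothetical stack; all ARNs, CIDRs, group IDs and file paths are placeholders.
public class HardenedClientVpnStack : Stack
{
    public HardenedClientVpnStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
    {
        var vpc = new Vpc(this, "Vpc", new VpcProps { MaxAzs = 2 });

        // SAML identity provider for federated user authentication (metadata file is a placeholder).
        var samlProvider = new SamlProvider(this, "IdP", new SamlProviderProps
        {
            MetadataDocument = SamlMetadataDocument.FromFile("idp-metadata.xml")
        });

        // Own the log group so retention and deletion behaviour are explicit rather than CDK defaults.
        var logGroup = new LogGroup(this, "VpnConnectionLogs", new LogGroupProps
        {
            Retention = RetentionDays.ONE_YEAR,
            RemovalPolicy = RemovalPolicy.RETAIN
        });

        // Security group for the target network: no egress by default, open only what clients need.
        var vpnSg = new SecurityGroup(this, "VpnSg", new SecurityGroupProps { Vpc = vpc, AllowAllOutbound = false });
        vpnSg.AddEgressRule(Peer.Ipv4(vpc.VpcCidrBlock), Port.Tcp(443), "HTTPS to internal services");

        var endpoint = vpc.AddClientVpnEndpoint("Endpoint", new ClientVpnEndpointOptions
        {
            Cidr = "10.100.0.0/22",   // smallest allowed block; must not overlap the VPC CIDR
            ServerCertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
            ClientCertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
            UserBasedAuthentication = ClientVpnUserBasedAuthentication.Federated(samlProvider),

            // Do not grant every authenticated user the whole VPC; per-group rules are added below.
            AuthorizeAllUsersToVpcCidr = false,

            // Full tunnel plus route enforcement: client traffic cannot bypass the VPN path.
            SplitTunnel = false,
            ClientRouteEnforcementOptions = new ClientRouteEnforcementOptions { Enforced = true },

            Logging = true,
            LogGroup = logGroup,
            SessionTimeout = ClientVpnSessionTimeout.EIGHT_HOURS,
            DisconnectOnSessionTimeout = true,   // force re-authentication instead of silent reconnect
            SecurityGroups = new ISecurityGroup[] { vpnSg },
            VpcSubnets = new SubnetSelection { SubnetType = SubnetType.PRIVATE_WITH_EGRESS },
            DnsServers = new[] { "10.0.0.2" },   // placeholder: the VPC's Route 53 Resolver address
            ClientLoginBanner = "Authorized users only. Sessions are logged."
        });

        // Least-privilege authorization: each SAML group (placeholder IDs) reaches only its own subnet.
        endpoint.AddAuthorizationRule("EngineersToApps", new ClientVpnAuthorizationRuleOptions
        {
            Cidr = "10.0.0.0/24",
            GroupId = "engineering-group-id",
            Description = "Engineering to application subnet"
        });
        endpoint.AddAuthorizationRule("DbaToDatabases", new ClientVpnAuthorizationRuleOptions
        {
            Cidr = "10.0.1.0/24",
            GroupId = "dba-group-id",
            Description = "DBAs to database subnet"
        });
        // No 0.0.0.0/0 route or rule is added: with SplitTunnel = false, destinations outside the
        // authorized CIDRs are unreachable until you deliberately add a route and a matching rule.
    }
}
```

Because AuthorizeAllUsersToVpcCidr is false, a user who authenticates but belongs to neither group can connect yet reach nothing, which is the intended failure mode; check the connection log group for AUTHZ failures when onboarding a new group.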
Cidr
The IPv4 address range, in CIDR notation, from which to assign client IP addresses.
public string Cidr { get; set; }
Property Value
Remarks
The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.
Changing the address range will replace the Client VPN endpoint.
The CIDR block must be at least a /22 and no larger than a /12 (a /22 is the smallest block accepted).
ClientCertificateArn
The ARN of the client certificate for mutual authentication.
public string? ClientCertificateArn { get; set; }
Property Value
Remarks
The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).
Default: - use user-based authentication
ClientConnectionHandler
The AWS Lambda function used for connection authorization.
public IClientVpnConnectionHandler? ClientConnectionHandler { get; set; }
Property Value
Remarks
The name of the Lambda function must begin with the AWSClientVPN- prefix.
Default: - no connection handler
ClientLoginBanner
Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.
public string? ClientLoginBanner { get; set; }
Property Value
Remarks
UTF-8 encoded characters only. Maximum of 1400 characters.
Default: - no banner is presented to the client
ClientRouteEnforcementOptions
Options for Client Route Enforcement.
public IClientRouteEnforcementOptions? ClientRouteEnforcementOptions { get; set; }
Property Value
IClientRouteEnforcementOptions
Remarks
Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
Default: undefined (the AWS Client VPN default is to leave client route enforcement disabled)
See: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html
Description
A brief description of the Client VPN endpoint.
public string? Description { get; set; }
Property Value
Remarks
Default: - no description
DisconnectOnSessionTimeout
Indicates whether the client VPN session is disconnected after the maximum sessionTimeout is reached.
public bool? DisconnectOnSessionTimeout { get; set; }
Property Value
bool?
Remarks
If true, users are prompted to reconnect client VPN.
If false, client VPN attempts to reconnect automatically.
Default: undefined (the AWS Client VPN default is true)
See: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-max-duration.html
DnsServers
Information about the DNS servers to be used for DNS resolution.
public string[]? DnsServers { get; set; }
Property Value
string[]
Remarks
A Client VPN endpoint can have up to two DNS servers.
Default: - use the DNS address configured on the device
LogGroup
A CloudWatch Logs log group for connection logging.
public ILogGroup? LogGroup { get; set; }
Property Value
Remarks
Default: - a new group is created
LogStream
A CloudWatch Logs log stream for connection logging.
public ILogStream? LogStream { get; set; }
Property Value
Remarks
Default: - a new stream is created
Logging
Whether to enable connection logging.
public bool? Logging { get; set; }
Property Value
bool?
Remarks
Default: true
Port
The port number to assign to the Client VPN endpoint for TCP and UDP traffic.
public VpnPort? Port { get; set; }
Property Value
Remarks
Default: VpnPort.HTTPS
SecurityGroups
The security groups to apply to the target network.
public ISecurityGroup[]? SecurityGroups { get; set; }
Property Value
Remarks
Default: - a new security group is created
SelfServicePortal
Specify whether to enable the self-service portal for the Client VPN endpoint.
public bool? SelfServicePortal { get; set; }
Property Value
bool?
Remarks
Default: true
ServerCertificateArn
The ARN of the server certificate.
public string ServerCertificateArn { get; set; }
Property Value
SessionTimeout
The maximum VPN session duration time.
public ClientVpnSessionTimeout? SessionTimeout { get; set; }
Property Value
Remarks
Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS
SplitTunnel
Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
public bool? SplitTunnel { get; set; }
Property Value
bool?
Remarks
Default: false
See: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html
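Since SplitTunnel, Logging, AuthorizeAllUsersToVpcCidr and SessionTimeout are all nullable booleans or enums whose defaults can be changed by a later edit, the settings are worth pinning in a unit test. The following added example (not code from the CDK project or the original page) synthesizes a minimal stack with Amazon.CDK.Assertions and checks the resulting AWS::EC2::ClientVpnEndpoint and AWS::EC2::ClientVpnAuthorizationRule properties. It assumes xUnit as the test framework; the certificate ARNs, CIDRs and group ID are placeholders, and nothing is deployed.

```csharp
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.Assertions;
using Amazon.CDK.AWS.EC2;
using Xunit;

public class ClientVpnEndpointTests
{
    // Builds a minimal stack in memory; ARNs, CIDRs and the group ID are placeholders.
    private static Stack BuildStack()
    {
        var app = new App();
        var stack = new Stack(app, "VpnTest");
        var vpc = new Vpc(stack, "Vpc", new VpcProps { MaxAzs = 2 });
        var endpoint = vpc.AddClientVpnEndpoint("Endpoint", new ClientVpnEndpointOptions
        {
            Cidr = "10.100.0.0/22",
            ServerCertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
            ClientCertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
            AuthorizeAllUsersToVpcCidr = false,
            SplitTunnel = false,
            Logging = true,
            SessionTimeout = ClientVpnSessionTimeout.EIGHT_HOURS,
            DisconnectOnSessionTimeout = true
        });
        endpoint.AddAuthorizationRule("AppsOnly", new ClientVpnAuthorizationRuleOptions
        {
            Cidr = "10.0.0.0/24",
            GroupId = "engineering-group-id"
        });
        return stack;
    }

    [Fact]
    public void EndpointIsFullTunnelLoggedAndTimeBound()
    {
        var template = Template.FromStack(BuildStack());
        template.HasResourceProperties("AWS::EC2::ClientVpnEndpoint", new Dictionary<string, object>
        {
            ["SplitTunnel"] = false,                 // full tunnel: no client traffic bypasses the VPN
            ["SessionTimeoutHours"] = 8,
            ["DisconnectOnSessionTimeout"] = true,   // expiry forces re-authentication
            ["ConnectionLogOptions"] = Match.ObjectLike(new Dictionary<string, object> { ["Enabled"] = true })
        });
    }

    [Fact]
    public void OnlyGroupScopedAuthorizationRulesExist()
    {
        var template = Template.FromStack(BuildStack());
        // Exactly one rule, scoped to a group and a subnet rather than all users and the whole VPC.
        template.ResourceCountIs("AWS::EC2::ClientVpnAuthorizationRule", 1);
        template.HasResourceProperties("AWS::EC2::ClientVpnAuthorizationRule", new Dictionary<string, object>
        {
            ["TargetNetworkCidr"] = "10.0.0.0/24",
            ["AccessGroupId"] = "engineering-group-id",
            ["AuthorizeAllGroups"] = false
        });
    }
}
```

The ResourceCountIs check is the important one: if someone later flips AuthorizeAllUsersToVpcCidr back to its default, the CDK adds a second, VPC-wide rule with AuthorizeAllGroups set to true and the test fails before the change reaches an account.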
TransportProtocol
The transport protocol to be used by the VPN session.
public TransportProtocol? TransportProtocol { get; set; }
Property Value
Remarks
Default: TransportProtocol.UDP
UserBasedAuthentication
The type of user-based authentication to use.
public ClientVpnUserBasedAuthentication? UserBasedAuthentication { get; set; }
Property Value
ClientVpnUserBasedAuthentication
Remarks
Default: - use mutual authentication
See: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
VpcSubnets
Subnets to associate to the client VPN endpoint.
public ISubnetSelection? VpcSubnets { get; set; }
Property Value
Remarks
Default: - the VPC default strategy