Class ClientVpnEndpointOptions
Options for a client VPN endpoint.
Namespace: Amazon.CDK.AWS.EC2
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class ClientVpnEndpointOptions : Object, IClientVpnEndpointOptions
Syntax (vb)
Public Class ClientVpnEndpointOptions
Inherits Object
Implements IClientVpnEndpointOptions
Examples
var endpoint = vpc.AddClientVpnEndpoint("Endpoint", new ClientVpnEndpointOptions {
    Cidr = "10.100.0.0/16",
    ServerCertificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
    UserBasedAuthentication = ClientVpnUserBasedAuthentication.Federated(samlProvider),
    AuthorizeAllUsersToVpcCidr = false
});
endpoint.AddAuthorizationRule("Rule", new ClientVpnAuthorizationRuleOptions {
    Cidr = "10.0.10.0/32",
    GroupId = "group-id"
});
Synopsis
Constructors
ClientVpnEndpointOptions()
Properties
Name | Summary
AuthorizeAllUsersToVpcCidr | Whether to authorize all users to the VPC CIDR.
Cidr | The IPv4 address range, in CIDR notation, from which to assign client IP addresses.
ClientCertificateArn | The ARN of the client certificate for mutual authentication.
ClientConnectionHandler | The AWS Lambda function used for connection authorization.
ClientLoginBanner | Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.
Description | A brief description of the Client VPN endpoint.
DnsServers | Information about the DNS servers to be used for DNS resolution.
Logging | Whether to enable connections logging.
LogGroup | A CloudWatch Logs log group for connection logging.
LogStream | A CloudWatch Logs log stream for connection logging.
Port | The port number to assign to the Client VPN endpoint for TCP and UDP traffic.
SecurityGroups | The security groups to apply to the target network.
SelfServicePortal | Specify whether to enable the self-service portal for the Client VPN endpoint.
ServerCertificateArn | The ARN of the server certificate.
SessionTimeout | The maximum VPN session duration time.
SplitTunnel | Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
TransportProtocol | The transport protocol to be used by the VPN session.
UserBasedAuthentication | The type of user-based authentication to use.
VpcSubnets | Subnets to associate to the client VPN endpoint.
Constructors
ClientVpnEndpointOptions()
public ClientVpnEndpointOptions()
Properties
AuthorizeAllUsersToVpcCidr
Whether to authorize all users to the VPC CIDR.
public Nullable<bool> AuthorizeAllUsersToVpcCidr { get; set; }
Property Value
System.Nullable<System.Boolean>
Remarks
This automatically creates an authorization rule. Set this to false and use AddAuthorizationRule() to create your own rules instead.
Default: true
Cidr
The IPv4 address range, in CIDR notation, from which to assign client IP addresses.
public string Cidr { get; set; }
Property Value
System.String
Remarks
The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.
Changing the address range will replace the Client VPN endpoint.
The CIDR block should be /22 or greater.
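A stand-alone check of the two constraints stated above (a /22 or larger block, and no overlap with the VPC CIDR or manually added routes), added here as an example; it is not part of the CDK, and the VPC CIDR and route values it is exercised with are constructed:

```python
import ipaddress

# Constraint documented for ClientVpnEndpointOptions.Cidr: the client
# address block must be /22 or larger, i.e. a prefix length of at most 22.
MAX_PREFIX_LEN = 22


def validate_client_cidr(client_cidr, vpc_cidr, manual_routes=()):
    """Return a list of problems; an empty list means the CIDR is acceptable.

    client_cidr   -- value intended for ClientVpnEndpointOptions.Cidr
    vpc_cidr      -- local CIDR of the VPC the associated subnet lives in
    manual_routes -- destination CIDRs of routes added to the endpoint by hand
    """
    problems = []
    try:
        # strict=True rejects a network with host bits set (e.g. 10.100.0.1/16)
        client = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid client CIDR {client_cidr!r}: {exc}"]

    if client.version != 4:
        return [f"client CIDR {client} is not IPv4"]

    if client.prefixlen > MAX_PREFIX_LEN:
        problems.append(
            f"client CIDR /{client.prefixlen} is smaller than the /22 minimum")

    # The client range must not overlap the VPC CIDR or any manual route.
    candidates = [("VPC CIDR", vpc_cidr)]
    candidates += [("manual route", route) for route in manual_routes]
    for label, value in candidates:
        other = ipaddress.ip_network(value, strict=False)
        if other.version == 4 and client.overlaps(other):
            problems.append(f"client CIDR {client} overlaps {label} {other}")
    return problems


if __name__ == "__main__":
    # Constructed values: the page's client block against a hypothetical VPC.
    for cidr in ("10.100.0.0/16", "10.0.0.0/16", "10.100.0.0/24"):
        print(cidr, validate_client_cidr(cidr, "10.0.0.0/16", ["10.100.5.0/24"]))
```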
ClientCertificateArn
The ARN of the client certificate for mutual authentication.
public string ClientCertificateArn { get; set; }
Property Value
System.String
Remarks
The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).
Default: - use user-based authentication
ClientConnectionHandler
The AWS Lambda function used for connection authorization.
public IClientVpnConnectionHandler ClientConnectionHandler { get; set; }
Property Value
IClientVpnConnectionHandler
Remarks
The name of the Lambda function must begin with the AWSClientVPN- prefix.
Default: - no connection handler
ClientLoginBanner
Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.
public string ClientLoginBanner { get; set; }
Property Value
System.String
Remarks
UTF-8 encoded characters only. Maximum of 1400 characters.
Default: - no banner is presented to the client
Description
A brief description of the Client VPN endpoint.
public string Description { get; set; }
Property Value
System.String
Remarks
Default: - no description
DnsServers
Information about the DNS servers to be used for DNS resolution.
public string[] DnsServers { get; set; }
Property Value
System.String[]
Remarks
A Client VPN endpoint can have up to two DNS servers.
Default: - use the DNS address configured on the device
Logging
Whether to enable connections logging.
public Nullable<bool> Logging { get; set; }
Property Value
System.Nullable<System.Boolean>
Remarks
Default: true
LogGroup
A CloudWatch Logs log group for connection logging.
public ILogGroup LogGroup { get; set; }
Property Value
ILogGroup
Remarks
Default: - a new group is created
LogStream
A CloudWatch Logs log stream for connection logging.
public ILogStream LogStream { get; set; }
Property Value
ILogStream
Remarks
Default: - a new stream is created
Port
The port number to assign to the Client VPN endpoint for TCP and UDP traffic.
public Nullable<VpnPort> Port { get; set; }
Property Value
System.Nullable<VpnPort>
Remarks
Default: VpnPort.HTTPS
SecurityGroups
The security groups to apply to the target network.
public ISecurityGroup[] SecurityGroups { get; set; }
Property Value
ISecurityGroup[]
Remarks
Default: - a new security group is created
SelfServicePortal
Specify whether to enable the self-service portal for the Client VPN endpoint.
public Nullable<bool> SelfServicePortal { get; set; }
Property Value
System.Nullable<System.Boolean>
Remarks
Default: true
ServerCertificateArn
The ARN of the server certificate.
public string ServerCertificateArn { get; set; }
Property Value
System.String
SessionTimeout
The maximum VPN session duration time.
public Nullable<ClientVpnSessionTimeout> SessionTimeout { get; set; }
Property Value
System.Nullable<ClientVpnSessionTimeout>
Remarks
Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS
SplitTunnel
Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
public Nullable<bool> SplitTunnel { get; set; }
Property Value
System.Nullable<System.Boolean>
Remarks
Default: false
See: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html
TransportProtocol
The transport protocol to be used by the VPN session.
public Nullable<TransportProtocol> TransportProtocol { get; set; }
Property Value
System.Nullable<TransportProtocol>
Remarks
Default: TransportProtocol.UDP
UserBasedAuthentication
The type of user-based authentication to use.
public ClientVpnUserBasedAuthentication UserBasedAuthentication { get; set; }
Property Value
ClientVpnUserBasedAuthentication
Remarks
Default: - use mutual authentication
See: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
VpcSubnets
Subnets to associate to the client VPN endpoint.
public ISubnetSelection VpcSubnets { get; set; }
Property Value
ISubnetSelection
Remarks
Default: - the VPC default strategy