Client authentication - AWS Client VPN

Client authentication

Client authentication is implemented at the first point of entry into the AWS Cloud. It is used to determine whether clients are allowed to connect to the Client VPN endpoint. If authentication succeeds, clients connect to the Client VPN endpoint and establish a VPN session. If authentication fails, the connection is denied and the client is prevented from establishing a VPN session.

Client VPN offers the following types of client authentication: Active Directory authentication, mutual authentication (certificate-based), and federated authentication (SAML-based single sign-on).

You can use one of the methods listed above alone, or a combination of mutual authentication with a user-based method, such as the following:

  • Mutual authentication and federated authentication

  • Mutual authentication and Active Directory authentication


To create a Client VPN endpoint, you must provision a server certificate in AWS Certificate Manager, regardless of the type of authentication you use. For more information about creating and provisioning a server certificate, see the steps in Mutual authentication.