Routes - AWS Client VPN

Routes

Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table determines where the network traffic is directed. You must configure authorization rules for each Client VPN endpoint route to specify which clients have access to the destination network.

When you associate a subnet from a VPC with a Client VPN endpoint, a route for the VPC is automatically added to the Client VPN endpoint's route table. To enable access for additional networks, such as peered VPCs, on-premises networks, the local network (to enable clients to communicate with each other), or the internet, you must manually add a route to the Client VPN endpoint's route table.

Note

If you are associating multiple subnets with the Client VPN endpoint, make sure to create a route for each subnet, as described in Access to a peered VPC, Amazon S3, or the internet is intermittent. Each associated subnet should have an identical set of routes.

Split-tunnel on Client VPN endpoint considerations

When you use split-tunnel on a Client VPN endpoint, all of the routes that are in the Client VPN route tables are added to the client route table when the VPN is established. If you add a route after the VPN is established, you must reset the connection so that the new route is sent to the client.

We recommend that you account for the number of routes that the client device can handle before you modify the Client VPN endpoint route table.

Create an endpoint route

When you create a route, you specify how traffic for the destination network should be directed.

To allow clients to access the internet, add a destination 0.0.0.0/0 route.

You can add routes to a Client VPN endpoint by using the console and the AWS CLI.

To create a Client VPN endpoint route (console)
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint to which to add the route, choose Route table, and then choose Create route.

  4. For Route destination, specify the IPv4 CIDR range for the destination network. For example:

    • To add a route for the VPC of the Client VPN endpoint, enter the VPC's IPv4 CIDR range.

    • To add a route for internet access, enter 0.0.0.0/0.

    • To add a route for a peered VPC, enter the peered VPC's IPv4 CIDR range.

    • To add a route for an on-premises network, enter the AWS Site-to-Site VPN connection's IPv4 CIDR range.

  5. For Subnet ID for target network association, select the subnet that is associated with the Client VPN endpoint.

    Alternatively, if you're adding a route for the local Client VPN endpoint network, select local.

  6. (Optional) For Description, enter a brief description for the route.

  7. Choose Create route.

To create a Client VPN endpoint route (AWS CLI)

Use the create-client-vpn-route command.
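The CLI step above, carried out so that every associated subnet receives the same route (per the note on multiple subnets) and the destination also gets the authorization rule that clients need, as an added example that is not part of the AWS documentation. It assumes the AWS CLI is installed and credentialed and invokes the real create-client-vpn-route, authorize-client-vpn-ingress and describe-client-vpn-target-networks subcommands; the endpoint and group IDs in the usage call are placeholders.

```python
"""Fan one Client VPN route out to every associated subnet, then authorize it.

Added example, not AWS documentation code. Assumes the AWS CLI ("aws") is
installed and credentialed. With dry_run=True (the default) nothing is
executed; the argv lists are returned so they can be reviewed first.
"""
import json
import subprocess
from typing import Callable, List, Optional


def associated_subnets(endpoint_id: str, run: Callable = subprocess.run) -> List[str]:
    """Subnet IDs currently associated with the endpoint
    (aws ec2 describe-client-vpn-target-networks)."""
    proc = run(
        ["aws", "ec2", "describe-client-vpn-target-networks",
         "--client-vpn-endpoint-id", endpoint_id, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    networks = json.loads(proc.stdout)["ClientVpnTargetNetworks"]
    return [n["TargetNetworkId"] for n in networks
            if n.get("Status", {}).get("Code") == "associated"]


def plan_route(endpoint_id: str, cidr: str, subnets: List[str],
               description: str = "", group_id: Optional[str] = None) -> List[List[str]]:
    """Build the CLI invocations for one destination.

    One create-client-vpn-route per associated subnet keeps every subnet's
    route table identical (otherwise access is intermittent), followed by a
    single authorization rule: a route alone does not let clients reach the
    destination. Prefer a directory/IdP group ID over authorizing all groups.
    """
    if not subnets:
        raise ValueError("endpoint has no associated subnets; associate one first")
    cmds = []
    for subnet in subnets:
        cmd = [
            "aws", "ec2", "create-client-vpn-route",
            "--client-vpn-endpoint-id", endpoint_id,
            "--destination-cidr-block", cidr,
            "--target-vpc-subnet-id", subnet,
        ]
        if description:
            cmd += ["--description", description]
        cmds.append(cmd)
    authorize = [
        "aws", "ec2", "authorize-client-vpn-ingress",
        "--client-vpn-endpoint-id", endpoint_id,
        "--target-network-cidr", cidr,
    ]
    authorize += ["--access-group-id", group_id] if group_id else ["--authorize-all-groups"]
    cmds.append(authorize)
    return cmds


def run_plan(cmds: List[List[str]], dry_run: bool = True,
             run: Callable = subprocess.run) -> List[List[str]]:
    """Execute (or, in dry-run mode, only return) the planned commands in order."""
    if not dry_run:
        for cmd in cmds:
            run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Placeholder IDs: replace with your endpoint and the group allowed to use the route.
    endpoint = "cvpn-endpoint-EXAMPLE"
    plan = plan_route(endpoint, "172.16.0.0/16", associated_subnets(endpoint),
                      description="peered VPC", group_id="GROUP-ID-EXAMPLE")
    for cmd in run_plan(plan, dry_run=True):
        print(" ".join(cmd))
```

Run it once in dry-run mode, compare the printed commands with the endpoint's existing route table, then call `run_plan(plan, dry_run=False)`. Remember that clients already connected only pick up the new route after they reconnect (see the split-tunnel note above).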

View endpoint routes

You can view the routes for a specific Client VPN endpoint by using the console or the AWS CLI.

To view Client VPN endpoint routes (console)
  1. In the navigation pane, choose Client VPN Endpoints.

  2. Select the Client VPN endpoint for which to view routes and choose Route table.

To view Client VPN endpoint routes (AWS CLI)

Use the describe-client-vpn-routes command.

Delete an endpoint route

You can only delete routes that you added manually. You can't delete routes that were automatically added when you associated a subnet with the Client VPN endpoint. To remove an automatically added route, you must disassociate from the Client VPN endpoint the subnet whose association created it.
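An audit of the route table as returned by the view step above (describe-client-vpn-routes), which also shows which routes the delete step can remove, as an added example that is not part of the AWS documentation. It checks the three things this page asks for: every associated subnet has the same set of routes, every destination is covered by an active authorization rule, and routes are classified by their Origin (associate versus add-route). The two JSON documents are constructed samples shaped like the CLI's JSON output for describe-client-vpn-routes and describe-client-vpn-authorization-rules; subnet and endpoint IDs are placeholders.

```python
"""Audit a Client VPN endpoint's route table from CLI JSON output.

Added example, not AWS documentation code. Inputs are the documents printed by
`aws ec2 describe-client-vpn-routes` and
`aws ec2 describe-client-vpn-authorization-rules`. The samples below are
constructed for an endpoint with two associated subnets.
"""
import ipaddress
import json

# Constructed sample: subnet-0bbb is missing the default route that subnet-0aaa has.
SAMPLE_ROUTES = json.loads("""
{"Routes": [
  {"DestinationCidr": "10.0.0.0/16", "TargetSubnet": "subnet-0aaa", "Type": "Nat",
   "Origin": "associate", "Status": {"Code": "active"}, "Description": ""},
  {"DestinationCidr": "10.0.0.0/16", "TargetSubnet": "subnet-0bbb", "Type": "Nat",
   "Origin": "associate", "Status": {"Code": "active"}, "Description": ""},
  {"DestinationCidr": "172.16.0.0/16", "TargetSubnet": "subnet-0aaa", "Type": "Nat",
   "Origin": "add-route", "Status": {"Code": "active"}, "Description": "peered VPC"},
  {"DestinationCidr": "172.16.0.0/16", "TargetSubnet": "subnet-0bbb", "Type": "Nat",
   "Origin": "add-route", "Status": {"Code": "active"}, "Description": "peered VPC"},
  {"DestinationCidr": "0.0.0.0/0", "TargetSubnet": "subnet-0aaa", "Type": "Nat",
   "Origin": "add-route", "Status": {"Code": "active"}, "Description": "internet"}
]}
""")

# Constructed sample: no rule covers 0.0.0.0/0, so the internet route is unusable.
SAMPLE_RULES = json.loads("""
{"AuthorizationRules": [
  {"DestinationCidr": "10.0.0.0/16", "GroupId": "", "AccessAll": true,
   "Status": {"Code": "active"}, "Description": "VPC"},
  {"DestinationCidr": "172.16.0.0/16", "GroupId": "GROUP-ID-EXAMPLE", "AccessAll": false,
   "Status": {"Code": "active"}, "Description": "peered VPC, admins only"}
]}
""")


def routes_per_subnet(routes_doc):
    """Map each target subnet to the set of destination CIDRs routed through it.
    Routes whose target is "local" (client-to-client) are not tied to a subnet
    and are skipped."""
    table = {}
    for r in routes_doc["Routes"]:
        if r["TargetSubnet"] == "local":
            continue
        table.setdefault(r["TargetSubnet"], set()).add(r["DestinationCidr"])
    return table


def missing_routes(routes_doc):
    """Return {subnet: sorted CIDRs} for subnets lacking a route that another
    associated subnet has. A non-empty result is the intermittent-access
    condition the documentation's note warns about."""
    table = routes_per_subnet(routes_doc)
    union = set().union(*table.values()) if table else set()
    return {s: sorted(union - cidrs) for s, cidrs in table.items() if union - cidrs}


def unauthorized_destinations(routes_doc, rules_doc):
    """Return sorted destination CIDRs that no active authorization rule covers.
    A rule covers a route when the rule's CIDR equals or contains the route's
    CIDR; a 0.0.0.0/0 rule covers everything."""
    rule_nets = [ipaddress.ip_network(a["DestinationCidr"])
                 for a in rules_doc["AuthorizationRules"]
                 if a.get("Status", {}).get("Code") == "active"]
    uncovered = set()
    for r in routes_doc["Routes"]:
        dest = ipaddress.ip_network(r["DestinationCidr"])
        if not any(n.supernet_of(dest) for n in rule_nets):
            uncovered.add(r["DestinationCidr"])
    return sorted(uncovered)


def manually_added(routes_doc):
    """Return (cidr, subnet) pairs for routes with Origin "add-route": the only
    routes delete-client-vpn-route can remove. Routes with Origin "associate"
    go away only when their subnet is disassociated."""
    return sorted((r["DestinationCidr"], r["TargetSubnet"])
                  for r in routes_doc["Routes"] if r["Origin"] == "add-route")


def internet_routes(routes_doc):
    """Return subnets carrying a default route; these make the endpoint an
    internet egress path for clients and deserve explicit review."""
    return sorted(r["TargetSubnet"] for r in routes_doc["Routes"]
                  if r["DestinationCidr"] == "0.0.0.0/0")


if __name__ == "__main__":
    print("subnets missing routes:", missing_routes(SAMPLE_ROUTES))
    print("destinations without an authorization rule:",
          unauthorized_destinations(SAMPLE_ROUTES, SAMPLE_RULES))
    print("deletable (manually added) routes:", manually_added(SAMPLE_ROUTES))
    print("subnets with a default route:", internet_routes(SAMPLE_ROUTES))
```

To run it against a real endpoint, replace the two samples with `json.load()` of the CLI output for your endpoint. On the sample data the audit reports that subnet-0bbb lacks the 0.0.0.0/0 route, that 0.0.0.0/0 has no authorization rule, and that only the three add-route entries can be deleted with delete-client-vpn-route.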

You can delete a route from a Client VPN endpoint by using the console or the AWS CLI.

To delete a Client VPN endpoint route (console)
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint from which to delete the route and choose Route table.

  4. Select the route to delete, choose Delete route, and choose Delete route.

To delete a Client VPN endpoint route (AWS CLI)

Use the delete-client-vpn-route command.