AWS Client VPN
Administrator Guide

Routes

Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table determines where traffic for a destination network is directed, but a route by itself grants no access. You must also configure an authorization rule for each route's destination network to specify which clients may reach it; traffic to a routed destination that has no matching authorization rule is dropped.

When you associate a subnet from a VPC with a Client VPN endpoint, a route for the VPC's CIDR range, targeting that subnet, is automatically added to the Client VPN endpoint's route table. To enable access to additional networks, such as peered VPCs, on-premises networks, and the internet, you must manually add a route for each of them to the Client VPN endpoint's route table.

Create an Endpoint Route

When you create a route, you specify the destination network as an IPv4 CIDR range and the associated subnet through which traffic for that destination is sent. The route only hands traffic to that subnet: the subnet's VPC route table must be able to reach the destination (for example through a peering connection, a virtual private gateway, or an internet gateway or NAT gateway), and the security groups applied to the endpoint must allow the traffic.

To allow clients to access the internet, add a destination 0.0.0.0/0 route and a matching authorization rule for 0.0.0.0/0. A 0.0.0.0/0 route sends all of a connected client's traffic through the endpoint and the target subnet, even when split-tunnel is enabled, so scope its authorization rule to the groups that actually need internet access through the VPN.

You can add routes to a Client VPN endpoint using the console and the AWS CLI.

To create a Client VPN endpoint route (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint to which to add the route, choose Route Table, and choose Create Route.

  4. For Route destination, specify the IPv4 CIDR range for the destination network. For example:

    • To add a route for internet access, enter 0.0.0.0/0

    • To add a route for a peered VPC, enter the peered VPC's IPv4 CIDR range

    • To add a route for an on-premises network, enter the IPv4 CIDR range of the on-premises network that is reachable over the AWS Site-to-Site VPN connection

  5. For Target VPC Subnet ID, select the subnet that is associated with the Client VPN endpoint.

  6. For Description, enter a brief description for the route.

  7. Choose Create Route.

To create a Client VPN endpoint route (AWS CLI)

Use the create-client-vpn-route command. To grant clients access to the new destination, also use the authorize-client-vpn-ingress command for the same CIDR range.

View Endpoint Routes

You can view the routes for a specific Client VPN endpoint using the console or the AWS CLI.

To view Client VPN endpoint routes (console)

  1. In the navigation pane, choose Client VPN Endpoints.

  2. Select the Client VPN endpoint for which to view routes and choose Route Table.

To view Client VPN endpoint routes (AWS CLI)

Use the describe-client-vpn-routes command. The Origin field of each route shows whether it was added manually (add-route) or created by a subnet association (associate).

Delete an Endpoint Route

You can only delete routes that you added manually. You can't delete routes that were automatically added when you associated a subnet with the Client VPN endpoint. To remove an automatically added route, you must disassociate from the Client VPN endpoint the subnet whose association created it. Deleting a route does not remove the authorization rule for the same destination network; revoke that rule separately if the network should no longer be reachable.

You can delete a route from a Client VPN endpoint using the console or the AWS CLI.

To delete a Client VPN endpoint route (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint from which to delete the route and choose Route Table.

  4. Select the route to delete, choose Delete Route, and then choose Delete Route again to confirm.

To delete a Client VPN endpoint route (AWS CLI)

Use the delete-client-vpn-route command. To remove the corresponding authorization rule, use the revoke-client-vpn-ingress command.
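The create, view and delete procedures above as one script, added here as an example; it is not part of the AWS guide. It assumes a hypothetical endpoint ID, subnet ID and identity-provider group name, wraps every aws call so that DRY_RUN=1 (the default) prints the command instead of executing it, validates the CIDR before touching anything, and pairs each route with the authorization rule the guide says you must configure, since the route alone grants no access.

```shell
#!/bin/sh
# Added example (not from the AWS guide): manage a Client VPN route together
# with its authorization rule. DRY_RUN=1 prints the aws commands instead of
# running them; set DRY_RUN=0 to apply them with your configured credentials.
set -eu

# Hypothetical identifiers; replace with your endpoint and its associated subnet.
ENDPOINT_ID="${ENDPOINT_ID:-cvpn-endpoint-0123456789abcdef0}"
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 CIDR (four octets
# 0-255, prefix 0-32). The API rejects bad values too, but checking first keeps
# a typo from creating the route and then failing on the authorization rule.
valid_cidr() {
  local cidr="$1" ip prefix octet
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip="${cidr%/*}"; prefix="${cidr#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# add_route DEST_CIDR DESCRIPTION [ACCESS_GROUP_ID]
# Creates the route and an authorization rule for the same CIDR. Pass a group
# ID to scope the rule to one IdP/directory group (least privilege); omit it
# only for networks that every connected client may reach.
add_route() {
  local dest="$1" desc="$2" group="${3:-}"
  valid_cidr "$dest" || { echo "refusing malformed CIDR: $dest" >&2; return 2; }
  run aws ec2 create-client-vpn-route \
      --client-vpn-endpoint-id "$ENDPOINT_ID" \
      --destination-cidr-block "$dest" \
      --target-vpc-subnet-id "$SUBNET_ID" \
      --description "$desc"
  if [ -n "$group" ]; then
    run aws ec2 authorize-client-vpn-ingress \
        --client-vpn-endpoint-id "$ENDPOINT_ID" \
        --target-network-cidr "$dest" \
        --access-group-id "$group" --description "$desc"
  else
    run aws ec2 authorize-client-vpn-ingress \
        --client-vpn-endpoint-id "$ENDPOINT_ID" \
        --target-network-cidr "$dest" \
        --authorize-all-groups --description "$desc"
  fi
}

# list_routes: show each route with its Origin, so manually added routes
# ("add-route", deletable) stand out from association-created ones ("associate").
list_routes() {
  run aws ec2 describe-client-vpn-routes \
      --client-vpn-endpoint-id "$ENDPOINT_ID" \
      --query 'Routes[].[DestinationCidr,TargetSubnet,Origin,Status.Code]' \
      --output table
}

# remove_route DEST_CIDR [ACCESS_GROUP_ID]
# Deleting a route leaves its authorization rule behind, so revoke the rule
# first; otherwise the network is still authorized if the route is re-added.
remove_route() {
  local dest="$1" group="${2:-}"
  valid_cidr "$dest" || { echo "refusing malformed CIDR: $dest" >&2; return 2; }
  if [ -n "$group" ]; then
    run aws ec2 revoke-client-vpn-ingress \
        --client-vpn-endpoint-id "$ENDPOINT_ID" \
        --target-network-cidr "$dest" --access-group-id "$group"
  else
    run aws ec2 revoke-client-vpn-ingress \
        --client-vpn-endpoint-id "$ENDPOINT_ID" \
        --target-network-cidr "$dest" --revoke-all-groups
  fi
  run aws ec2 delete-client-vpn-route \
      --client-vpn-endpoint-id "$ENDPOINT_ID" \
      --destination-cidr-block "$dest" \
      --target-vpc-subnet-id "$SUBNET_ID"
}

# Demonstration (dry run): internet egress for everyone, a peered VPC only for
# one hypothetical group, the current table, then clean-up of the peered route.
add_route 0.0.0.0/0 internet-egress
add_route 10.20.0.0/16 peered-vpc engineering-vpn-users
list_routes
remove_route 10.20.0.0/16 engineering-vpn-users
```

Run it once with the default DRY_RUN=1 and read the printed commands, then re-run with DRY_RUN=0 to apply them. The group name passed as ACCESS_GROUP_ID must match what your endpoint's authentication method presents (a SAML group name, or an Active Directory group SID).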