AWS Client VPN
Administrator Guide


Authorization Rules

Authorization rules act as firewall rules that grant access to networks. They are allow-only: a client can reach a destination network only when an authorization rule covers it, and there is no deny rule, so you should have an authorization rule for each network for which you want to grant access and no rule for networks that clients should not reach. Authorization rules work alongside the endpoint's route table (the destination must also be routable from the endpoint) and the security groups applied to the associated subnets, which still filter the traffic.

Add an Authorization Rule to a Client VPN Endpoint

By adding authorization rules, you grant specific clients (all users, or members of one Active Directory group) access to a specified destination network.

You can add authorization rules to a Client VPN endpoint using the console and the AWS CLI.

To add an authorization rule to a Client VPN endpoint (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint to which to add the authorization rule, choose Authorization, and choose Authorize ingress.

  4. For Destination network, enter the IP address, in CIDR notation, of the network for which you want to allow access.

  5. Specify which clients are allowed to access the specified network. For Grant access to, do one of the following:

    • To grant access to all clients, choose Allow access to all users.

    • To restrict access to specific clients, choose Allow access to users in a specific Active Directory group, and then for Active Directory group name, enter the security identifier (SID) of the Active Directory group to grant access. This option applies to endpoints that use Active Directory authentication; the endpoint matches the SID, not the group's display name.

    You can use the Microsoft PowerShell Get-ADGroup cmdlet (from the ActiveDirectory module, installed with the RSAT tools) to get the SID. For more information about Get-ADGroup, see the Get-ADGroup command page in the Microsoft Windows 10 and Windows Server 2016 PowerShell Module Reference.

    Example

    # Get-ADGroup returns the group object; its SID property holds the value to enter
    (Get-ADGroup -Filter 'Name -eq "<Name of the AD Group>"').SID.Value

  6. For Description, enter a brief description of the authorization rule.

  7. Choose Add authorization rule.

To add an authorization rule to a Client VPN endpoint (AWS CLI)

Use the authorize-client-vpn-ingress command.

Remove an Authorization Rule from a Client VPN Endpoint

By deleting an authorization rule, you remove access to the specified network.

You can remove authorization rules from a Client VPN endpoint using the console and the AWS CLI.

To remove an authorization rule from a Client VPN endpoint (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint that contains the authorization rule and choose Authorization.

  4. Select the authorization rule to delete, choose Revoke ingress, and then confirm by choosing Revoke ingress again. Clients lose access to the destination network as soon as the rule is revoked, including over existing connections.

To remove an authorization rule from a Client VPN endpoint (AWS CLI)

Use the revoke-client-vpn-ingress command.

View Authorization Rules

You can view authorization rules for a specific Client VPN endpoint using the console and the AWS CLI.

To view authorization rules (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint for which to view authorization rules and choose Authorization.

To view authorization rules (AWS CLI)

Use the describe-client-vpn-authorization-rules command.
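The following script is an added example, not part of the AWS Client VPN guide, that ties the three AWS CLI commands above together: it lists the rules on an endpoint with describe-client-vpn-authorization-rules, authorizes a destination network with authorize-client-vpn-ingress only when no identical rule already exists, and revokes a rule with revoke-client-vpn-ingress. It assumes the AWS CLI is installed with credentials and a region configured; the endpoint ID, CIDRs and group SIDs in the usage section are placeholders. The CIDR check and the warning on a /0 destination are this example's own additions, not API behaviour.

```shell
#!/bin/sh
# Added example (not from the AWS Client VPN guide): manage Client VPN
# authorization rules from the AWS CLI. Assumes the aws CLI is configured.
# Identifiers in the usage section are placeholders.

# Sanity-check an IPv4 CIDR before sending it to the API: four octets 0-255
# and a prefix length 0-32. Returns 0 when valid, 1 otherwise.
validate_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 5 { exit 1 }
    $5 !~ /^[0-9]+$/ || $5 + 0 > 32 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
    { exit 0 }'
}

# Print the endpoint's rules as "<cidr> <group-id-or-None> <all> <status>",
# one per line, so they can be audited or diffed against an intended list.
list_rules() {
  aws ec2 describe-client-vpn-authorization-rules \
    --client-vpn-endpoint-id "$1" \
    --query 'AuthorizationRules[].[DestinationCidr,GroupId,AccessAll,Status.Code]' \
    --output text
}

# Return 0 if a rule already grants CIDR $2 to group $3 on endpoint $1.
# $3 is an AD group SID, or the word ALL for an allow-all-users rule.
rule_exists() {
  list_rules "$1" | awk -v c="$2" -v g="$3" '
    $1 == c && ((g == "ALL" && $3 == "True") || $2 == g) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Authorize CIDR $2 for group $3 on endpoint $1 with description $4, skipping
# the API call when an identical rule is already present.
authorize_rule() {
  ep=$1 cidr=$2 group=$3 desc=$4
  validate_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
  case $cidr in
    */0) echo "warning: $cidr grants access to every destination the endpoint routes" >&2 ;;
  esac
  if rule_exists "$ep" "$cidr" "$group"; then
    echo "rule already present: $cidr -> $group"
    return 0
  fi
  if [ "$group" = ALL ]; then
    aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id "$ep" \
      --target-network-cidr "$cidr" --authorize-all-groups --description "$desc"
  else
    aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id "$ep" \
      --target-network-cidr "$cidr" --access-group-id "$group" --description "$desc"
  fi
}

# Revoke the rule for CIDR $2 and group $3 (SID or ALL) on endpoint $1.
revoke_rule() {
  if [ "$3" = ALL ]; then
    aws ec2 revoke-client-vpn-ingress --client-vpn-endpoint-id "$1" \
      --target-network-cidr "$2" --revoke-all-groups
  else
    aws ec2 revoke-client-vpn-ingress --client-vpn-endpoint-id "$1" \
      --target-network-cidr "$2" --access-group-id "$3"
  fi
}

# Usage with placeholder identifiers (uncomment to run against a real endpoint):
# EP=cvpn-endpoint-0123456789abcdef0
# authorize_rule "$EP" 10.0.0.0/16 ALL "VPC CIDR for all users"
# authorize_rule "$EP" 10.1.0.0/24 S-1-5-21-1111111111-2222222222-3333333333-1105 "Admin subnet"
# list_rules "$EP"
# revoke_rule "$EP" 10.1.0.0/24 S-1-5-21-1111111111-2222222222-3333333333-1105
```

The existence check matches on destination CIDR plus group, so an allow-all rule for a CIDR does not suppress adding a narrower group rule for the same CIDR, and running the script twice with the same intended list makes no changes the second time.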