AWS Client VPN target networks - AWS Client VPN

AWS Client VPN target networks

A target network is a subnet in a VPC. An AWS Client VPN endpoint must have at least one target network to enable clients to connect to it and establish a VPN connection.

For more information about the kinds of access that you can configure (such as enabling your clients to access the internet), see Scenarios and examples for Client VPN.

Client VPN target network requirements

When creating a target network, the following rules apply:

  • The subnet's CIDR block must be a /27 or larger (a prefix length of 27 or shorter), for example 10.0.0.0/27; a /28 is too small. The subnet must also have at least 20 available IP addresses at all times.

  • The subnet's CIDR block cannot overlap with the client CIDR range of the Client VPN endpoint.

  • If you associate more than one subnet with a Client VPN endpoint, each subnet must be in a different Availability Zone. We recommend that you associate at least two subnets to provide Availability Zone redundancy.

  • If you specified a VPC when you created the Client VPN endpoint, the subnet must be in the same VPC. If you haven't yet associated a VPC with the Client VPN endpoint, you can choose any subnet in any VPC.

    All further subnet associations must be from the same VPC. To associate a subnet from a different VPC, you must first modify the Client VPN endpoint and change the VPC that's associated with it. For more information, see Modify an AWS Client VPN endpoint.
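The following Python script is an added example, not AWS's own code or tooling: it encodes the rules above as a pre-flight check that you could run against `describe-subnets` and `describe-client-vpn-endpoints` output before calling `associate-client-vpn-target-network`. The endpoint ID, subnet IDs, VPC IDs, Availability Zones, CIDRs and available-address counts are constructed sample data, and the `Subnet`/`Endpoint` records, `check_association` and `associate` are names chosen here; nothing in it calls AWS.

```python
"""Pre-flight check for associating a subnet with a Client VPN endpoint.

Encodes the target-network rules from this page: the subnet must be a /27 or
larger, have at least 20 free addresses, not overlap the client CIDR, sit in
an Availability Zone no other associated subnet uses, and be in the VPC the
endpoint is already bound to. All IDs and CIDRs below are constructed sample
data; nothing here calls AWS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress

MIN_PREFIX_LEN = 27          # /27 is the smallest block the page allows
MIN_AVAILABLE_IPS = 20       # free addresses the page says must remain


@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    vpc_id: str
    availability_zone: str
    cidr: str
    available_ips: int       # AvailableIpAddressCount in describe-subnets


@dataclass
class Endpoint:
    endpoint_id: str
    client_cidr: str
    vpc_id: Optional[str] = None           # None until the first association
    associated: List[Subnet] = field(default_factory=list)

    @property
    def status(self) -> str:
        # The endpoint becomes usable only once one target network is attached.
        return "available" if self.associated else "pending-associate"


def check_association(ep: Endpoint, subnet: Subnet) -> List[str]:
    """Return the rule violations for associating `subnet`; empty means allowed."""
    problems: List[str] = []
    net = ipaddress.ip_network(subnet.cidr, strict=True)
    client = ipaddress.ip_network(ep.client_cidr, strict=True)

    if net.prefixlen > MIN_PREFIX_LEN:
        problems.append(f"{subnet.subnet_id}: {subnet.cidr} is smaller than a /{MIN_PREFIX_LEN}")
    if subnet.available_ips < MIN_AVAILABLE_IPS:
        problems.append(f"{subnet.subnet_id}: {subnet.available_ips} free IPs, need {MIN_AVAILABLE_IPS}")
    if net.overlaps(client):
        problems.append(f"{subnet.subnet_id}: {subnet.cidr} overlaps client CIDR {ep.client_cidr}")
    for other in ep.associated:
        if other.subnet_id == subnet.subnet_id:
            problems.append(f"{subnet.subnet_id}: already associated")
        elif other.availability_zone == subnet.availability_zone:
            problems.append(f"{subnet.subnet_id}: AZ {subnet.availability_zone} already used by {other.subnet_id}")
    # The VPC is pinned by the endpoint's own setting or, failing that, by the first association.
    bound_vpc = ep.vpc_id or (ep.associated[0].vpc_id if ep.associated else None)
    if bound_vpc is not None and subnet.vpc_id != bound_vpc:
        problems.append(f"{subnet.subnet_id}: in {subnet.vpc_id}, but endpoint is bound to {bound_vpc}")
    return problems


def associate(ep: Endpoint, subnet: Subnet) -> None:
    """Apply the association after the checks pass; the first one pins the VPC."""
    problems = check_association(ep, subnet)
    if problems:
        raise ValueError("; ".join(problems))
    if ep.vpc_id is None:
        ep.vpc_id = subnet.vpc_id
    ep.associated.append(subnet)


# Constructed sample data (not real AWS identifiers).
CLIENT_CIDR = "172.16.0.0/22"
SUBNET_A = Subnet("subnet-aaaa", "vpc-1111", "us-east-1a", "10.0.0.0/27", 24)
SUBNET_B = Subnet("subnet-bbbb", "vpc-1111", "us-east-1b", "10.0.0.32/27", 26)
SUBNET_SAME_AZ = Subnet("subnet-cccc", "vpc-1111", "us-east-1a", "10.0.1.0/24", 200)
SUBNET_TOO_SMALL = Subnet("subnet-dddd", "vpc-1111", "us-east-1c", "10.0.2.0/28", 10)
SUBNET_OVERLAP = Subnet("subnet-eeee", "vpc-1111", "us-east-1c", "172.16.1.0/24", 200)
SUBNET_OTHER_VPC = Subnet("subnet-ffff", "vpc-2222", "us-east-1c", "10.1.0.0/24", 200)


def demo() -> Dict[str, object]:
    """Walk an endpoint from pending-associate to available, then probe bad candidates."""
    ep = Endpoint("cvpn-endpoint-example", CLIENT_CIDR)
    status_before = ep.status
    associate(ep, SUBNET_A)
    associate(ep, SUBNET_B)
    return {
        "status_before": status_before,
        "status_after": ep.status,
        "bound_vpc": ep.vpc_id,
        "same_az": check_association(ep, SUBNET_SAME_AZ),
        "too_small": check_association(ep, SUBNET_TOO_SMALL),
        "overlap": check_association(ep, SUBNET_OVERLAP),
        "other_vpc": check_association(ep, SUBNET_OTHER_VPC),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately strict about the VPC: once the endpoint is bound, a subnet from any other VPC is rejected outright, matching the rule that you must modify the endpoint before you can associate a subnet elsewhere.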

When you associate a subnet with a Client VPN endpoint, we automatically add the local route of the VPC in which the associated subnet is provisioned to the Client VPN endpoint's route table.

Note

After your target networks are associated, adding CIDR blocks to or removing them from the attached VPC does not update the local routes in the Client VPN endpoint's route table. You must perform one of the following operations to bring them up to date:

  • Disassociate the target network from your Client VPN endpoint, and then associate it again.

  • Manually add the route to, or remove the route from the Client VPN endpoint route table.
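As an added example (not AWS code), the following Python script reconciles a Client VPN endpoint's local routes with the VPC's current CIDR blocks, which is what the manual option above amounts to. The `VPC` and `ROUTES` dictionaries mirror the relevant fields of `aws ec2 describe-vpcs` and `aws ec2 describe-client-vpn-routes` but hold constructed sample data; the endpoint ID, subnet ID, client CIDR and the function names are assumptions, and the script only prints the CLI commands rather than running them.

```python
"""Reconcile a Client VPN endpoint's local routes with the CIDR blocks of its
associated VPC after those blocks were added or removed.

Added example, not AWS code. The dictionaries mirror the relevant fields of
`aws ec2 describe-vpcs` and `aws ec2 describe-client-vpn-routes` but hold
constructed sample data; nothing here calls AWS. The emitted commands are the
CLI calls behind the "manually add or remove the route" option on this page.
"""
from typing import Dict, List
import ipaddress

# Constructed: the VPC gained 10.10.0.0/16 and 172.16.0.0/24 and lost
# 192.168.0.0/20 after subnet-aaaa was associated with the endpoint.
VPC = {
    "VpcId": "vpc-1111",
    "CidrBlockAssociationSet": [
        {"CidrBlock": "10.0.0.0/16", "CidrBlockState": {"State": "associated"}},
        {"CidrBlock": "10.10.0.0/16", "CidrBlockState": {"State": "associated"}},
        {"CidrBlock": "172.16.0.0/24", "CidrBlockState": {"State": "associated"}},
        {"CidrBlock": "192.168.0.0/20", "CidrBlockState": {"State": "disassociated"}},
    ],
}

# Constructed: the endpoint route table still reflects the VPC as it was at
# association time, plus one route the operator added for internet access.
ROUTES = [
    {"DestinationCidr": "10.0.0.0/16", "TargetSubnet": "subnet-aaaa", "Origin": "associate"},
    {"DestinationCidr": "192.168.0.0/20", "TargetSubnet": "subnet-aaaa", "Origin": "associate"},
    {"DestinationCidr": "0.0.0.0/0", "TargetSubnet": "subnet-aaaa", "Origin": "add-route"},
]

CLIENT_CIDR = "172.16.0.0/22"   # the endpoint's client CIDR range (constructed)
ENDPOINT_ID = "cvpn-endpoint-example"


def associated_vpc_cidrs(vpc: Dict) -> set:
    """CIDR blocks currently attached to the VPC; disassociated ones are ignored."""
    return {a["CidrBlock"] for a in vpc["CidrBlockAssociationSet"]
            if a["CidrBlockState"]["State"] == "associated"}


def plan_route_sync(vpc: Dict, routes: List[Dict], subnet_id: str,
                    client_cidr: str) -> Dict[str, List[str]]:
    """Work out which local routes to add, which to remove, and which cannot be added."""
    client = ipaddress.ip_network(client_cidr, strict=True)
    wanted = associated_vpc_cidrs(vpc)
    mine = [r for r in routes if r["TargetSubnet"] == subnet_id]
    present = {r["DestinationCidr"] for r in mine}

    # A VPC block that overlaps the client CIDR breaks the page's no-overlap
    # rule; report it instead of emitting a route command for it.
    conflict = {c for c in wanted if ipaddress.ip_network(c, strict=True).overlaps(client)}
    # Only routes the association itself created are safe to prune; operator
    # routes (Origin add-route, e.g. 0.0.0.0/0) are left alone.
    stale = {r["DestinationCidr"] for r in mine
             if r["Origin"] == "associate" and r["DestinationCidr"] not in wanted}
    return {
        "add": sorted(wanted - present - conflict),
        "remove": sorted(stale),
        "conflict": sorted(conflict),
    }


def cli_commands(endpoint_id: str, subnet_id: str, plan: Dict[str, List[str]]) -> List[str]:
    """Render the plan as AWS CLI calls (printed, not executed)."""
    cmds = []
    for cidr in plan["add"]:
        cmds.append(
            f"aws ec2 create-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
            f"--destination-cidr-block {cidr} --target-vpc-subnet-id {subnet_id}")
    for cidr in plan["remove"]:
        cmds.append(
            f"aws ec2 delete-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
            f"--destination-cidr-block {cidr} --target-vpc-subnet-id {subnet_id}")
    return cmds


if __name__ == "__main__":
    plan = plan_route_sync(VPC, ROUTES, "subnet-aaaa", CLIENT_CIDR)
    print(plan)
    for cmd in cli_commands(ENDPOINT_ID, "subnet-aaaa", plan):
        print(cmd)
```

Run the plan once per associated subnet: each target network carries its own copy of the local routes, so a VPC CIDR change leaves every association's routes out of date, not just one. Routes the operator added with `create-client-vpn-route` are never proposed for removal, so an internet route such as 0.0.0.0/0 survives the sync.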

After you associate the first subnet with the Client VPN endpoint, the Client VPN endpoint's status changes from pending-associate to available and clients are able to establish a VPN connection.