AWS Client VPN quotas

Your AWS account has the following quotas, formerly referred to as limits, related to Client VPN endpoints. Unless otherwise noted, each quota is Region-specific. You can request increases for some quotas, and other quotas cannot be increased.

To request a quota increase for an adjustable quota, choose Yes in the Adjustable column. For more information, see Requesting a quota increase in the Service Quotas User Guide.

Client VPN quotas

Name                                                     Default                              Adjustable
-------------------------------------------------------  -----------------------------------  ----------
Authorization rules per Client VPN endpoint              50                                   Yes
Client VPN endpoints per Region                          5                                    Yes
Concurrent client connections per Client VPN endpoint    Depends on subnet associations       
                                                         (see list below)
Concurrent operations per Client VPN endpoint †          10                                   No
Entries in a client certificate revocation list          20,000                               No
for Client VPN endpoints
Routes per Client VPN endpoint                           10                                   Yes

The concurrent client connection quota depends on the number of subnet associations per endpoint:

  • 1 subnet association – 7,000 connections

  • 2 subnet associations – 36,500 connections

  • 3 subnet associations – 66,500 connections

  • 4 subnet associations – 96,500 connections

  • 5 subnet associations – 126,000 connections

† Operations include:

  • Associate or disassociate subnets

  • Create or delete routes

  • Create or delete inbound and outbound rules

  • Create or delete security groups

Users and groups quotas

When you configure users and groups for Active Directory or a SAML-based IdP, the following quotas apply:

  • Users can belong to a maximum of 200 groups. We ignore any groups after the 200th group.

  • The maximum length for the group ID is 255 characters.

  • The maximum length for the name ID is 255 characters. We truncate characters after the 255th character.

General considerations

Take the following into consideration when you use Client VPN endpoints:

  • If you use Active Directory to authenticate the user, the Client VPN endpoint must belong to the same account as the AWS Directory Service resource used for Active Directory authentication.

  • If you use SAML-based federated authentication to authenticate a user, the Client VPN endpoint must belong to the same account as the IAM SAML identity provider that you create to define the IdP-to-AWS trust relationship. The IAM SAML identity provider can be shared across multiple Client VPN endpoints in the same AWS account.