Client-to-client access - AWS Client VPN

Client-to-client access

The configuration for this scenario enables clients to access a single VPC, and enables clients to route traffic to each other. We recommend this configuration if the clients that connect to the same Client VPN endpoint also need to communicate with each other. Clients can communicate with each other using the unique IP address that's assigned to them from the client CIDR range when they connect to the Client VPN endpoint.


                Client-to-client access

Before you begin, do the following:

  • Create or identify a VPC with at least one subnet. Identify the subnet in the VPC that you want to associate with the Client VPN endpoint and note its IPv4 CIDR ranges. For more information, see VPCs and Subnets in the Amazon VPC User Guide.

  • Identify a suitable CIDR range for the client IP addresses that does not overlap with the VPC CIDR.

  • Review the rules and limitations for Client VPN endpoints in Limitations and rules of Client VPN.

To implement this configuration

  1. Create a Client VPN endpoint in the same Region as the VPC. To do this, perform the steps described in Create a Client VPN endpoint.

  2. Associate the subnet that you identified earlier with the Client VPN endpoint. To do this, perform the steps described in Associate a target network with a Client VPN endpoint and select the VPC and the subnet.

  3. Add a route to the local network in the route table. To do this, perform the steps described in Create an endpoint route. For Route destination, enter the client CIDR range, and for Target VPC Subnet ID, specify local.

  4. Add an authorization rule to give clients access to the VPC. To do this, perform the steps described in Add an authorization rule to a Client VPN endpoint. For Destination network to enable , enter the IPv4 CIDR range of the VPC.

  5. Add an authorization rule to give clients access to the client CIDR range. To do this, perform the steps described in Add an authorization rule to a Client VPN endpoint. For Destination network to enable, enter the client CIDR range.