Access to the internet - AWS Client VPN

Access to the internet

The configuration for this scenario includes a single target VPC and access to the internet. We recommend this configuration if you need to give clients access to the resources inside a single target VPC and allow access to the internet.

If you completed the Getting started with Client VPN tutorial, then you've already implemented this scenario.

Figure: Client VPN accessing the internet

Before you begin, do the following:

  • Create or identify a VPC with at least one subnet. Identify the subnet in the VPC that you want to associate with the Client VPN endpoint and note its IPv4 CIDR ranges. For more information, see VPCs and Subnets in the Amazon VPC User Guide.

  • Identify a suitable CIDR range for the client IP addresses that does not overlap with the VPC CIDR.

  • Review the rules and limitations for Client VPN endpoints in Limitations and rules of Client VPN.

  • Ensure that the security group that you'll use for the Client VPN endpoint allows inbound and outbound traffic to and from your clients. For more information, see Security groups.

To implement this configuration

  1. Ensure that the security group that you'll use for the Client VPN endpoint allows inbound and outbound traffic to and from the internet. To do this, add inbound and outbound rules that allow traffic to and from 0.0.0.0/0 for HTTP and HTTPS traffic.

  2. Create an internet gateway and attach it to your VPC. For more information, see Creating and Attaching an Internet Gateway in the Amazon VPC User Guide.

  3. Make your subnet public by adding a route to the internet gateway in its route table. In the VPC console, choose Subnets, select the subnet you intend to associate with the Client VPN endpoint, choose Route Table, and then choose the route table ID. Choose Actions, choose Edit routes, and choose Add route. For Destination, enter 0.0.0.0/0, and for Target, choose the internet gateway from the previous step.

  4. Create a Client VPN endpoint in the same region as the VPC. To do this, perform the steps described in Create a Client VPN endpoint.

  5. Associate the subnet that you identified earlier with the Client VPN endpoint. To do this, perform the steps described in Associate a target network with a Client VPN endpoint and select the VPC and the subnet.

  6. Add an authorization rule to give clients access to the VPC. To do this, perform the steps described in Add an authorization rule to a Client VPN endpoint; for Destination network to enable, enter the IPv4 CIDR range of the VPC.

  7. Add a route that enables traffic to the internet. To do this, perform the steps described in Create an endpoint route; for Route destination, enter 0.0.0.0/0, and for Target VPC Subnet ID, select the subnet you associated with the Client VPN endpoint.

  8. Add an authorization rule to give clients access to the internet. To do this, perform the steps described in Add an authorization rule to a Client VPN endpoint; for Destination network, enter 0.0.0.0/0.
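The same eight steps as AWS CLI calls, preceded by the "client CIDR must not overlap the VPC CIDR" check from the prerequisites, as an added example that is not part of the AWS documentation. It assumes a configured AWS CLI, that the caller exports VPC_ID, SUBNET_ID, SG_ID, SERVER_CERT_ARN, CLIENT_CA_ARN and CLIENT_CIDR (all placeholder names), and that the subnet has an explicit route table association.

```shell
#!/bin/sh
# Added example, not from the AWS docs. Resource IDs and ARNs are placeholders.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
}

# Return 0 (true) when two IPv4 CIDRs share any address, 1 otherwise.
cidr_overlaps() {
  n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
  n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
  p=$p1; if [ "$p2" -lt "$p" ]; then p=$p2; fi   # compare under the shorter prefix
  mask=$(( 4294967295 - ((1 << (32 - p)) - 1) ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Steps 1-8 of the procedure. Not run at load time; call it explicitly.
provision_client_vpn_internet() {
  vpc_cidr=$(aws ec2 describe-vpcs --vpc-ids "$VPC_ID" --query 'Vpcs[0].CidrBlock' --output text)
  if cidr_overlaps "$CLIENT_CIDR" "$vpc_cidr"; then
    echo "client CIDR $CLIENT_CIDR overlaps VPC CIDR $vpc_cidr" >&2; return 1
  fi
  # Step 1: HTTP/HTTPS in and out to 0.0.0.0/0 on the endpoint's security group.
  for port in 80 443; do
    aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --protocol tcp --port "$port" --cidr 0.0.0.0/0
    aws ec2 authorize-security-group-egress  --group-id "$SG_ID" --protocol tcp --port "$port" --cidr 0.0.0.0/0
  done
  # Steps 2-3: internet gateway on the VPC, default route in the subnet's route table.
  igw=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$VPC_ID"
  rtb=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$SUBNET_ID" \
        --query 'RouteTables[0].RouteTableId' --output text)
  aws ec2 create-route --route-table-id "$rtb" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"
  # Step 4: endpoint with mutual TLS authentication (placeholder certificate ARNs).
  cvpn=$(aws ec2 create-client-vpn-endpoint --client-cidr-block "$CLIENT_CIDR" \
        --server-certificate-arn "$SERVER_CERT_ARN" \
        --authentication-options "Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=$CLIENT_CA_ARN}" \
        --connection-log-options Enabled=false --query 'ClientVpnEndpointId' --output text)
  # Step 5: associate the target subnet.
  aws ec2 associate-client-vpn-target-network --client-vpn-endpoint-id "$cvpn" --subnet-id "$SUBNET_ID"
  # Step 6: authorize the VPC CIDR for all clients.
  aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id "$cvpn" --target-network-cidr "$vpc_cidr" --authorize-all-groups
  # Step 7: route 0.0.0.0/0 through the associated subnet.
  aws ec2 create-client-vpn-route --client-vpn-endpoint-id "$cvpn" --destination-cidr-block 0.0.0.0/0 --target-vpc-subnet-id "$SUBNET_ID"
  # Step 8: authorize 0.0.0.0/0; this grants every connected client internet egress.
  aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id "$cvpn" --target-network-cidr 0.0.0.0/0 --authorize-all-groups
}
```

Run it with `VPC_ID=... SUBNET_ID=... SG_ID=... SERVER_CERT_ARN=... CLIENT_CA_ARN=... CLIENT_CIDR=10.100.0.0/22 sh -c '. ./cvpn.sh; provision_client_vpn_internet'`; the overlap check runs before any resource is created.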