Access to an on-premises network - AWS Client VPN

Access to an on-premises network

The configuration for this scenario includes access to an on-premises network only. We recommend this configuration if you need to give clients access to the resources inside an on-premises network only.


[Figure: Client VPN accessing an on-premises network]

Before you begin, do the following:

  • Create or identify a VPC with at least one subnet. Identify the subnet in the VPC that you want to associate with the Client VPN endpoint and note its IPv4 CIDR ranges. For more information, see VPCs and Subnets in the Amazon VPC User Guide.

  • Identify a suitable CIDR range for the client IP addresses that does not overlap with the VPC CIDR.

  • Review the rules and limitations for Client VPN endpoints in Limitations and rules of Client VPN.

To implement this configuration

  1. Enable communication between the VPC and your own on-premises network over an AWS Site-to-Site VPN connection. To do this, perform the steps described in Getting started in the AWS Site-to-Site VPN User Guide.

    Note

    Alternatively, you can implement this scenario by using an AWS Direct Connect connection between your VPC and your on-premises network. For more information, see the AWS Direct Connect User Guide.

  2. Test the AWS Site-to-Site VPN connection you created in the previous step. To do this, perform the steps described in Testing the Site-to-Site VPN connection in the AWS Site-to-Site VPN User Guide. If the VPN connection is functioning as expected, continue to the next step.

  3. Create a Client VPN endpoint in the same Region as the VPC. To do this, perform the steps described in Create a Client VPN endpoint.

  4. Associate the subnet that you identified earlier with the Client VPN endpoint. To do this, perform the steps described in Associate a target network with a Client VPN endpoint and select the VPC and the subnet.

  5. Add a route that allows access to the AWS Site-to-Site VPN connection. To do this, perform the steps described in Create an endpoint route; for Route destination, enter the IPv4 CIDR range of the AWS Site-to-Site VPN connection, and for Target VPC Subnet ID, select the subnet you associated with the Client VPN endpoint.

  6. Add an authorization rule to give clients access to the AWS Site-to-Site VPN connection. To do this, perform the steps described in Add an authorization rule to a Client VPN endpoint; for Destination network, enter the AWS Site-to-Site VPN connection IPv4 CIDR range.
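The CIDR checks from the "Before you begin" list and steps 3 through 6 above, expressed as an added example in Python with boto3 (this is not AWS's own code). It assumes the Site-to-Site VPN connection from steps 1 and 2 already exists, uses the boto3 EC2 client methods create_client_vpn_endpoint, associate_client_vpn_target_network, create_client_vpn_route and authorize_client_vpn_ingress, and adds two checks the page does not spell out: the client CIDR block must be between /12 and /22, and it must not overlap the on-premises range you are about to route to. All CIDRs, ARNs and the _FakeEc2 stand-in are constructed placeholders.

```python
"""Plan and apply the Client VPN "on-premises network only" scenario.

Added example, not AWS's own code. Assumptions: the boto3 EC2 method names and
parameters used below; a Site-to-Site VPN already links the VPC to the
on-premises network; sample CIDRs and ARNs are constructed placeholders.
"""
import ipaddress

ENDPOINT_PLACEHOLDER = "ENDPOINT_ID"  # filled in once step 3 returns an id


def validate_cidr_plan(vpc_cidr, client_cidr, onprem_cidr):
    """Return a list of problems with the address plan (empty when it is sound).

    Covers the page's rule (client CIDR must not overlap the VPC) plus the
    Client VPN size rule (client block between /12 and /22) and a check that
    the client range does not collide with the on-premises route destination.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    client = ipaddress.ip_network(client_cidr, strict=True)
    onprem = ipaddress.ip_network(onprem_cidr, strict=True)
    problems = []
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"client CIDR {client} must be between /12 and /22")
    if client.overlaps(vpc):
        problems.append(f"client CIDR {client} overlaps VPC CIDR {vpc}")
    if client.overlaps(onprem):
        problems.append(f"client CIDR {client} overlaps on-premises CIDR {onprem}")
    if vpc.overlaps(onprem):
        problems.append(f"VPC CIDR {vpc} overlaps on-premises CIDR {onprem}")
    return problems


def build_plan(subnet_id, client_cidr, onprem_cidr, server_cert_arn,
               client_root_cert_arn, access_group_id=None, log_group=None):
    """Steps 3-6 as an ordered list of (EC2 client method, kwargs).

    The authorization rule is scoped to one access group when access_group_id
    is given (least privilege); otherwise it authorizes all groups, as the
    console does by default. Connection logging is enabled when log_group is
    given so that client sessions to the on-premises range are auditable.
    """
    log_opts = {"Enabled": bool(log_group)}
    if log_group:
        log_opts["CloudwatchLogGroup"] = log_group
    ingress = {"ClientVpnEndpointId": ENDPOINT_PLACEHOLDER,
               "TargetNetworkCidr": onprem_cidr}
    if access_group_id:
        ingress["AccessGroupId"] = access_group_id
    else:
        ingress["AuthorizeAllGroups"] = True
    return [
        # Step 3: create the endpoint (mutual TLS authentication assumed here).
        ("create_client_vpn_endpoint", {
            "ClientCidrBlock": client_cidr,
            "ServerCertificateArn": server_cert_arn,
            "AuthenticationOptions": [{
                "Type": "certificate-authentication",
                "MutualAuthentication": {
                    "ClientRootCertificateChainArn": client_root_cert_arn}}],
            "ConnectionLogOptions": log_opts,
            "Description": "on-premises access only"}),
        # Step 4: associate the target subnet.
        ("associate_client_vpn_target_network", {
            "ClientVpnEndpointId": ENDPOINT_PLACEHOLDER, "SubnetId": subnet_id}),
        # Step 5: route the on-premises CIDR via the associated subnet.
        ("create_client_vpn_route", {
            "ClientVpnEndpointId": ENDPOINT_PLACEHOLDER,
            "DestinationCidrBlock": onprem_cidr, "TargetVpcSubnetId": subnet_id}),
        # Step 6: authorize clients to reach the on-premises CIDR.
        ("authorize_client_vpn_ingress", ingress),
    ]


def apply_plan(ec2, plan):
    """Run the plan against an EC2 client object; return the new endpoint id."""
    endpoint_id = None
    for method, kwargs in plan:
        kwargs = {k: (endpoint_id if v == ENDPOINT_PLACEHOLDER else v)
                  for k, v in kwargs.items()}
        resp = getattr(ec2, method)(**kwargs)
        if method == "create_client_vpn_endpoint":
            endpoint_id = resp["ClientVpnEndpointId"]
    return endpoint_id


class _FakeEc2:
    """Constructed stand-in for a boto3 EC2 client: records calls, returns an id."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"ClientVpnEndpointId": "cvpn-endpoint-0123456789abcdef0"}
        return call


if __name__ == "__main__":
    # Constructed sample plan: VPC 10.0.0.0/16, clients 172.16.0.0/22, on-prem 192.168.0.0/16.
    problems = validate_cidr_plan("10.0.0.0/16", "172.16.0.0/22", "192.168.0.0/16")
    assert not problems, problems
    plan = build_plan("subnet-EXAMPLE", "172.16.0.0/22", "192.168.0.0/16",
                      "arn:aws:acm:region:123456789012:certificate/SERVER-EXAMPLE",
                      "arn:aws:acm:region:123456789012:certificate/CLIENT-EXAMPLE",
                      access_group_id=None, log_group="/aws/clientvpn/example")
    fake = _FakeEc2()  # swap for boto3.client("ec2") to run for real
    print("endpoint:", apply_plan(fake, plan))
```

Association in step 4 completes asynchronously; when running against a real client, wait for describe_client_vpn_target_networks to report the association as associated before the route and authorization calls, or retry those calls on failure.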