aws-cdk-lib.aws_ec2.ClientVpnEndpoint

class ClientVpnEndpoint (construct)

Language            Type name
.NET                Amazon.CDK.AWS.EC2.ClientVpnEndpoint
Go                  github.com/aws/aws-cdk-go/awscdk/v2/awsec2#ClientVpnEndpoint
Java                software.amazon.awscdk.services.ec2.ClientVpnEndpoint
Python              aws_cdk.aws_ec2.ClientVpnEndpoint
TypeScript (source) aws-cdk-lib » aws_ec2 » ClientVpnEndpoint

Implements IConstruct, IDependable, IResource, IClientVpnEndpoint, IConnectable

A client VPN connection.

Example

import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';

declare const vpc: ec2.Vpc;
declare const samlProvider: iam.SamlProvider;

const endpoint = vpc.addClientVpnEndpoint('Endpoint', {
  cidr: '10.100.0.0/16',
  serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
  userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
  // Opt out of the automatic "all users -> entire VPC CIDR" rule; add scoped rules instead.
  authorizeAllUsersToVpcCidr: false,
});

// Grant a single IdP group access to a single host.
endpoint.addAuthorizationRule('Rule', {
  cidr: '10.0.10.0/32',
  groupId: 'group-id',
});

Initializer

new ClientVpnEndpoint(scope: Construct, id: string, props: ClientVpnEndpointProps)

Parameters

  • scope Construct
  • id string
  • props ClientVpnEndpointProps

Construct Props

Name (Type): Description

  • cidr (string): The IPv4 address range, in CIDR notation, from which to assign client IP addresses.
  • serverCertificateArn (string): The ARN of the server certificate.
  • vpc (IVpc): The VPC to connect to.
  • authorizeAllUsersToVpcCidr? (boolean): Whether to authorize all users to the VPC CIDR.
  • clientCertificateArn? (string): The ARN of the client certificate for mutual authentication.
  • clientConnectionHandler? (IClientVpnConnectionHandler): The AWS Lambda function used for connection authorization.
  • clientLoginBanner? (string): Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.
  • description? (string): A brief description of the Client VPN endpoint.
  • dnsServers? (string[]): Information about the DNS servers to be used for DNS resolution.
  • logGroup? (ILogGroup): A CloudWatch Logs log group for connection logging.
  • logStream? (ILogStream): A CloudWatch Logs log stream for connection logging.
  • logging? (boolean): Whether to enable connection logging.
  • port? (VpnPort): The port number to assign to the Client VPN endpoint for TCP and UDP traffic.
  • securityGroups? (ISecurityGroup[]): The security groups to apply to the target network.
  • selfServicePortal? (boolean): Specify whether to enable the self-service portal for the Client VPN endpoint.
  • sessionTimeout? (ClientVpnSessionTimeout): The maximum VPN session duration time.
  • splitTunnel? (boolean): Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
  • transportProtocol? (TransportProtocol): The transport protocol to be used by the VPN session.
  • userBasedAuthentication? (ClientVpnUserBasedAuthentication): The type of user-based authentication to use.
  • vpcSubnets? (SubnetSelection): Subnets to associate to the client VPN endpoint.

cidr

Type: string

The IPv4 address range, in CIDR notation, from which to assign client IP addresses.

The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or with any routes that you add manually.

Changing the address range replaces the Client VPN endpoint.

The CIDR block must be /22 or larger (a prefix length of 22 or less); AWS also caps the range at /12, so the prefix length must be between 12 and 22.
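The constraints above are easy to get wrong before synthesis, so the following is an added pre-deployment check, written for this page and not part of aws-cdk-lib or the AWS documentation. It is plain TypeScript with no CDK dependency: it parses the client CIDR, enforces the /22 to /12 block-size window, and rejects any overlap with the VPC CIDR or with the destinations of routes you intend to add manually. The VPC and route CIDRs in the test are constructed sample values.

```typescript
// Added example (not CDK or AWS code): validate a Client VPN client CIDR
// against the block-size and non-overlap rules before handing it to the construct.

interface CidrBlock {
  base: number;   // network address as an unsigned 32-bit integer
  prefix: number; // prefix length, 0..32
}

// Parse "a.b.c.d/n" into a normalized network block; throws on malformed input.
function parseCidr(cidr: string): CidrBlock {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`not an IPv4 CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some(o => o > 255) || prefix > 32) throw new Error(`out of range: ${cidr}`);
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (addr & mask) >>> 0, prefix };
}

// Two blocks overlap when they agree on the shorter of the two prefixes.
function overlaps(a: CidrBlock, b: CidrBlock): boolean {
  const p = Math.min(a.prefix, b.prefix);
  const mask = p === 0 ? 0 : (0xffffffff << (32 - p)) >>> 0;
  return ((a.base & mask) >>> 0) === ((b.base & mask) >>> 0);
}

// Returns a list of problems; an empty list means the client CIDR is acceptable.
// routeCidrs are the destination CIDRs of routes you plan to add with addRoute().
function validateClientCidr(clientCidr: string, vpcCidr: string, routeCidrs: string[] = []): string[] {
  const problems: string[] = [];
  const client = parseCidr(clientCidr);
  if (client.prefix > 22 || client.prefix < 12) {
    problems.push(`client CIDR ${clientCidr} must have a prefix length between /12 and /22`);
  }
  const vpc = parseCidr(vpcCidr);
  if (overlaps(client, vpc)) {
    problems.push(`client CIDR ${clientCidr} overlaps the VPC CIDR ${vpcCidr}`);
  }
  for (const route of routeCidrs) {
    if (overlaps(client, parseCidr(route))) {
      problems.push(`client CIDR ${clientCidr} overlaps route destination ${route}`);
    }
  }
  return problems;
}

// Sample values (constructed for this example).
const SAMPLE_VPC_CIDR = '10.0.0.0/16';
const SAMPLE_ROUTES = ['172.16.1.0/24'];
console.log(validateClientCidr('10.100.0.0/22', SAMPLE_VPC_CIDR, SAMPLE_ROUTES));
console.log(validateClientCidr('10.0.10.0/24', SAMPLE_VPC_CIDR, SAMPLE_ROUTES));
```

Run this in your CDK project's unit tests against the same literals you pass to cidr, vpc and addRoute(); an overlap found here costs nothing, while one found at deploy time replaces or fails the endpoint.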


serverCertificateArn

Type: string

The ARN of the server certificate.


vpc

Type: IVpc

The VPC to connect to.


authorizeAllUsersToVpcCidr?

Type: boolean (optional, default: true)

Whether to authorize all users to the VPC CIDR.

When true (the default), an authorization rule granting all users access to the entire VPC CIDR is created automatically, so every authenticated client can reach every address in the VPC. Set this to false and use addAuthorizationRule() to grant each group only the CIDR it needs.


clientCertificateArn?

Type: string (optional, default: use user-based authentication)

The ARN of the client certificate for mutual authentication.

The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).


clientConnectionHandler?

Type: IClientVpnConnectionHandler (optional, default: no connection handler)

The AWS Lambda function used for connection authorization.

The name of the Lambda function must begin with the AWSClientVPN- prefix.
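The page says what the handler is, not what it does, so here is an added example of the decision logic such a function would carry. It is written for this page and is not code from aws-cdk-lib or AWS. The event and response field names are the ones AWS documents for Client VPN connection authorization (they are not shown on this page; verify them against the current Client VPN administrator guide before relying on them). The policy itself (permitted platforms, minimum client version, approved groups) and the sample events are assumptions constructed for the example.

```typescript
// Added example (not CDK or AWS code): fail-closed decision logic for a
// Client VPN connection-authorization Lambda (deploy it under a name that
// starts with AWSClientVPN-).

// Event shape as documented by AWS for this integration (assumption: verify
// against the current guide). Values are strings; "groups" is taken here to be
// a comma-separated list of IdP group IDs.
interface ClientVpnConnectionEvent {
  'connection-id': string;
  'endpoint-id': string;
  'common-name': string;          // client certificate CN (mutual auth); may be empty
  username: string;               // user-based auth; may be empty
  platform: string;
  'platform-version': string;
  'public-ip': string;
  'client-openvpn-version': string;
  groups: string;
  'schema-version': string;
}

interface ClientVpnConnectionResponse {
  allow: boolean;
  'error-msg-on-failed-posture-compliance': string;
  'posture-compliance-statuses': string[];   // status strings below are illustrative
  'schema-version': 'v1';
}

// Example policy (assumed for this example).
const ALLOWED_PLATFORMS = new Set(['win', 'mac', 'linux']);
const MIN_CLIENT_VERSION = [2, 5, 0];
const APPROVED_GROUPS = new Set(['saml-group-admins', 'saml-group-developers']);

// Compare dotted version strings numerically; unparsable input counts as too old.
function versionAtLeast(version: string, min: number[]): boolean {
  const parts = version.split('.').map(p => parseInt(p, 10));
  if (parts.length === 0 || parts.some(p => Number.isNaN(p))) return false;
  for (let i = 0; i < min.length; i++) {
    const v = parts[i] ?? 0;
    if (v > min[i]) return true;
    if (v < min[i]) return false;
  }
  return true;
}

function deny(reason: string): ClientVpnConnectionResponse {
  return {
    allow: false,
    'error-msg-on-failed-posture-compliance': reason,
    'posture-compliance-statuses': ['non-compliant'],
    'schema-version': 'v1',
  };
}

// Every check must pass; anything unexpected falls through to a denial.
function authorize(event: ClientVpnConnectionEvent): ClientVpnConnectionResponse {
  if (!ALLOWED_PLATFORMS.has((event.platform || '').toLowerCase())) {
    return deny(`platform "${event.platform}" is not permitted`);
  }
  if (!versionAtLeast(event['client-openvpn-version'] || '', MIN_CLIENT_VERSION)) {
    return deny(`client version "${event['client-openvpn-version']}" is below the minimum`);
  }
  const groups = (event.groups || '').split(',').map(g => g.trim()).filter(g => g.length > 0);
  if (!groups.some(g => APPROVED_GROUPS.has(g))) {
    return deny('user is not a member of an approved group');
  }
  return {
    allow: true,
    'error-msg-on-failed-posture-compliance': '',
    'posture-compliance-statuses': [],
    'schema-version': 'v1',
  };
}

// Lambda entry point.
export async function handler(event: ClientVpnConnectionEvent): Promise<ClientVpnConnectionResponse> {
  return authorize(event);
}

// Constructed sample event for local runs.
const SAMPLE_EVENT: ClientVpnConnectionEvent = {
  'connection-id': 'cvpn-connection-0123456789abcdef0',
  'endpoint-id': 'cvpn-endpoint-0123456789abcdef0',
  'common-name': '',
  username: 'alice',
  platform: 'mac',
  'platform-version': '14.2',
  'public-ip': '203.0.113.10',
  'client-openvpn-version': '2.5.7',
  groups: 'saml-group-developers',
  'schema-version': 'v1',
};
```

The handler is pure and synchronous apart from the async wrapper, so the policy can be unit-tested without invoking Lambda; keep the checks deny-by-default so that a malformed or partially populated event never produces allow: true.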


clientLoginBanner?

Type: string (optional, default: no banner is presented to the client)

Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.

UTF-8 encoded characters only. Maximum of 1400 characters.


description?

Type: string (optional, default: no description)

A brief description of the Client VPN endpoint.


dnsServers?

Type: string[] (optional, default: use the DNS address configured on the device)

Information about the DNS servers to be used for DNS resolution.

A Client VPN endpoint can have up to two DNS servers.


logGroup?

Type: ILogGroup (optional, default: a new group is created)

A CloudWatch Logs log group for connection logging.


logStream?

Type: ILogStream (optional, default: a new stream is created)

A CloudWatch Logs log stream for connection logging.


logging?

Type: boolean (optional, default: true)

Whether to enable connections logging.


port?

Type: VpnPort (optional, default: VpnPort.HTTPS)

The port number to assign to the Client VPN endpoint for TCP and UDP traffic.


securityGroups?

Type: ISecurityGroup[] (optional, default: a new security group is created)

The security groups to apply to the target network.


selfServicePortal?

Type: boolean (optional, default: true)

Specify whether to enable the self-service portal for the Client VPN endpoint.


sessionTimeout?

Type: ClientVpnSessionTimeout (optional, default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS)

The maximum VPN session duration time.


splitTunnel?

Type: boolean (optional, default: false)

Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.

See also: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html


transportProtocol?

Type: TransportProtocol (optional, default: TransportProtocol.UDP)

The transport protocol to be used by the VPN session.


userBasedAuthentication?

Type: ClientVpnUserBasedAuthentication (optional, default: use mutual authentication)

The type of user-based authentication to use.

See also: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html


vpcSubnets?

Type: SubnetSelection (optional, default: the VPC default strategy)

Subnets to associate to the client VPN endpoint.

Properties

Name (Type): Description

  • connections (Connections): Allows specifying security group connections for the endpoint.
  • endpointId (string): The endpoint ID.
  • env (ResourceEnvironment): The environment this resource belongs to.
  • node (Node): The tree node.
  • stack (Stack): The stack in which this resource is defined.
  • targetNetworksAssociated (IDependable): Dependable that can be depended upon to force target network associations.

connections

Type: Connections

Allows specifying security group connections for the endpoint.


endpointId

Type: string

The endpoint ID.


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


node

Type: Node

The tree node.


stack

Type: Stack

The stack in which this resource is defined.


targetNetworksAssociated

Type: IDependable

Dependable that can be depended upon to force target network associations.

Methods

Name: Description

  • addAuthorizationRule(id, props): Adds an authorization rule to this endpoint.
  • addRoute(id, props): Adds a route to this endpoint.
  • applyRemovalPolicy(policy): Apply the given removal policy to this resource.
  • toString(): Returns a string representation of this construct.
  • static fromEndpointAttributes(scope, id, attrs): Import an existing client VPN endpoint.

addAuthorizationRule(id, props)

public addAuthorizationRule(id: string, props: ClientVpnAuthorizationRuleOptions): ClientVpnAuthorizationRule

Parameters

  • id string
  • props ClientVpnAuthorizationRuleOptions

Returns

  • ClientVpnAuthorizationRule

Adds an authorization rule to this endpoint.


addRoute(id, props)

public addRoute(id: string, props: ClientVpnRouteOptions): ClientVpnRoute

Parameters

  • id string
  • props ClientVpnRouteOptions

Returns

  • ClientVpnRoute

Adds a route to this endpoint.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromEndpointAttributes(scope, id, attrs)

public static fromEndpointAttributes(scope: Construct, id: string, attrs: ClientVpnEndpointAttributes): IClientVpnEndpoint

Parameters

  • scope Construct
  • id string
  • attrs ClientVpnEndpointAttributes

Returns

  • IClientVpnEndpoint

Import an existing client VPN endpoint.