Building durable VPNs with AWS Managed VPN

We are currently living through challenging times because of COVID-19. Many people are advised to work remotely from home to minimise the risk of spreading the virus. Unfortunately, a lot of companies don’t have a secure remote work environment. Some companies have intranet software and websites that are only accessible from the internal network. Granting remote workers access to the intranet would basically mean opening the whole intranet to the world, which is of course not what companies want to do. A secure virtual private network (VPN) would let remote workers reach the intranet by simply whitelisting the VPN’s public IP address in the intranet’s firewall. Building a secure and scalable on-premises VPN from scratch can be really slow and expensive. That is why in this post we show how to build one using AWS Client VPN.

Introduction to AWS Client VPN

AWS Client VPN is a fully managed, OpenVPN-based VPN service from AWS that was introduced in late 2018 [1]. It supports client authentication with Active Directory (AD) and certificate-based authentication; AD support is integrated with AWS Directory Service. The service scales up and down automatically with the number of connections, up to a maximum of 2000 concurrent client connections per Client VPN endpoint [2]. You are charged per hour for each active client connection and per hour for each subnet associated with the Client VPN endpoint.

Architecture

Client VPN uses subnets as target networks. These subnets host the Elastic Network Interfaces (ENIs) for the VPN connections, and traffic from them is routed to the VPC NAT gateway in the same Availability Zone (AZ) for internet access. Each NAT gateway has a static public IP address attached to it, which can be whitelisted for intranet access. A minimum of one subnet must be associated with the VPN, but for higher availability it is recommended to associate multiple subnets.

Client VPN has a pool of IP addresses for clients. The CIDR block of the client pool must be /22 or greater, and the private subnet associated with AWS Client VPN must be /27 or greater. The client pool’s CIDR block must not overlap with either the VPC or the associated subnet [3].
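As an added example that is not part of this post or its template repository, the address-plan rules above can be checked before any template is deployed. The /12 upper bound on the client pool comes from the AWS Client VPN documentation rather than the post, and the sample CIDRs and AZ names are constructed.

```python
import ipaddress

# Rules from the post: client pool /22 or larger, each associated subnet /27 or
# larger, and the client pool must not overlap the VPC or its subnets.
# The /12 upper bound on the client pool is taken from the AWS docs (assumed here).
CLIENT_POOL_MAX_PREFIX = 22
CLIENT_POOL_MIN_PREFIX = 12
SUBNET_MAX_PREFIX = 27


def validate_client_vpn_plan(client_cidr, vpc_cidr, subnets):
    """Check a Client VPN address plan.

    subnets maps each target subnet CIDR to its Availability Zone.
    Returns a list of human-readable problems; an empty list means the plan
    satisfies every rule checked here.
    """
    problems = []
    client = ipaddress.ip_network(client_cidr, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)

    if client.prefixlen > CLIENT_POOL_MAX_PREFIX:
        problems.append(f"client pool {client} is smaller than /{CLIENT_POOL_MAX_PREFIX}")
    if client.prefixlen < CLIENT_POOL_MIN_PREFIX:
        problems.append(f"client pool {client} is larger than /{CLIENT_POOL_MIN_PREFIX}")
    if client.overlaps(vpc):
        problems.append(f"client pool {client} overlaps VPC {vpc}")

    for cidr, az in subnets.items():
        subnet = ipaddress.ip_network(cidr, strict=True)
        if subnet.prefixlen > SUBNET_MAX_PREFIX:
            problems.append(f"subnet {subnet} ({az}) is smaller than /{SUBNET_MAX_PREFIX}")
        if not subnet.subnet_of(vpc):
            problems.append(f"subnet {subnet} ({az}) is not inside VPC {vpc}")
        if subnet.overlaps(client):
            problems.append(f"subnet {subnet} ({az}) overlaps client pool {client}")

    # Each subnet's traffic leaves via the NAT gateway in its own AZ, so the
    # post's advice to associate several subnets only buys availability when
    # those subnets sit in more than one AZ.
    if len(set(subnets.values())) < 2:
        problems.append("target subnets cover fewer than two Availability Zones")
    return problems


if __name__ == "__main__":
    # Constructed sample plan with deliberate mistakes.
    plan = {"10.0.1.0/24": "eu-west-1a", "10.0.2.0/28": "eu-west-1a"}
    for p in validate_client_vpn_plan("10.0.8.0/22", "10.0.0.0/16", plan):
        print("PROBLEM:", p)
```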

Let’s build!

We’ve created a public GitHub repository with all of the templates. See the README.md in the repository for instructions on building a scalable and durable VPN with certificate-based authentication in the AWS cloud, quickly and easily.

[1] Introducing AWS Client VPN to Securely Access AWS and On-Premises Resources. https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-client-vpn-to-securely-access-aws-and-on-premises-resources/

[2] AWS Client VPN Quotas. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/limits.html

[3] Getting Started with Client VPN. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html

Heikki Ma
Consultant