Get started with AWS VPN Client


AWS Client VPN is a managed, client-based VPN service that lets you securely reach resources in your VPCs and in your on-premises network over the Internet. Users connect from any location with the AWS-provided desktop client (the AWS VPN Client) or any other OpenVPN-based client. This post uses the two names interchangeably, but strictly the service is Client VPN and the software is the VPN Client.
Key Features
Secure Connectivity: Encrypts data in transit using the OpenVPN protocol over TLS.
User Authentication: Supports Active Directory authentication (through AWS Directory Service), mutual TLS certificate authentication, and SAML 2.0 federated authentication with an external identity provider.
Granular control: Authorization rules define which users may reach which destination networks, at the granularity of Active Directory or SAML identity provider groups. Security groups on the target network add a second, instance-level layer of access control.
Managed Service: Reduces operational overhead by handling infrastructure and maintenance.
Ease of use: It enables you to access your AWS resources and on-premises resources using a single VPN tunnel.
Scalable Access: Can handle thousands of simultaneous connections.
Manageability: It enables you to view connection logs, which provide details on client connection attempts. You can also manage active client connections, with the ability to terminate active client connections.
Deep integration: It integrates with existing AWS services, including AWS Directory Service and Amazon VPC.
Pricing
You are charged for each endpoint association and each VPN connection on an hourly basis. For more information, see AWS Client VPN pricing.
You are charged for data transfer out from Amazon EC2 to the internet. For more information, see Data Transfer on the Amazon EC2 On-Demand Pricing page.
If you enable connection logging for your Client VPN endpoint, you must create a CloudWatch Logs log group in your account. Charges apply for using log groups. For more information, see Amazon CloudWatch pricing (under Paid tier, choose Logs).
If you enable the client connect handler for your Client VPN endpoint, you must create and invoke a Lambda function. Charges apply for invoking Lambda functions. For more information, see AWS Lambda pricing.
Client VPN endpoints are associated with a target network, which is a subnet in a VPC. If this VPC has an Internet Gateway, AWS associates Elastic IP addresses with the Client VPN elastic network interfaces (ENIs). These Elastic IP addresses are charged as in-use public IPv4 addresses. For more information, see the Public IPv4 Address tab on the VPC pricing page.
Use Cases
Remote Workforce: Enable employees to securely access private AWS resources or corporate intranets while working remotely.
Secure Development: Allow developers to access internal test or production environments securely.
Hybrid Cloud Architecture: Provide secure access to on-premises resources integrated with AWS.
Disaster Recovery: Ensure secure access to AWS-hosted recovery environments during outages.
Educational Institutions: Allow remote students and faculty to access campus networks securely.
When to Use AWS Client VPN
Best Use Cases:
Small to Medium Organizations: Quick and managed VPN access for teams.
Remote Access Only: Ideal for teams needing intermittent or occasional secure access to AWS.
Low Latency Not Critical: Works well for general application and file access but might not suit latency-sensitive applications.
Ease of Use is Critical: Ideal for organizations without significant networking expertise, thanks to AWS’s managed setup.
Regulatory Compliance: Encrypted access helps satisfy the encryption-in-transit requirements of regulations such as GDPR and HIPAA, although compliance as a whole depends on the rest of your controls, not on the VPN alone.
Alternatives:
Site-to-Site VPN: If connectivity between AWS and on-premises networks is constant and requires greater throughput or reliability.
Direct Connect: For high-bandwidth, low-latency connections with predictable costs.
When Cost-Effective (AWS Client VPN):
Best for organizations with fluctuating remote access needs.
Effective when the number of concurrent users is manageable and data transfer costs are minimal.
Not Cost-Effective (AWS Client VPN):
For large-scale, always-on connectivity between on-premises and AWS, consider AWS Direct Connect or Site-to-Site VPN.
AWS Client VPN is a versatile and secure solution for remote access to AWS resources. It is best suited to organizations that prioritize operational simplicity and scalability, but it may not be cost-effective for large, always-on or high-data-transfer scenarios. Organizations should weigh their specific needs and cost implications before choosing between Client VPN, Site-to-Site VPN, and Direct Connect.
Written by

Maxat Akbanov
Hey, I'm a postgraduate in Cyber Security with practical experience in Software Engineering and DevOps Operations. The top player on the TryHackMe platform, multilingual speaker (Kazakh, Russian, English, Spanish, and Turkish), curious person, bookworm, geek, sports lover, and just a good guy to speak with!