How do I associate a target network with a Client VPN endpoint?


I need to allow my clients to establish a virtual private network (VPN) session with an AWS Client VPN endpoint so that they can access network resources. I want to associate a target network with a Client VPN endpoint.

Short description

A target network is a subnet in a virtual private cloud (VPC). After you associate a subnet with a Client VPN endpoint, clients can establish a VPN session. You can associate multiple subnets with a Client VPN endpoint. All subnets must be from the same VPC.

Important:

  • The clients can establish a VPN connection to the Client VPN endpoint only after you associate a target network with the Client VPN endpoint.
  • A single associated target network is enough for clients to establish a VPN session with the Client VPN endpoint. For redundancy, it's a best practice to associate at least two target networks from two different Availability Zones.
  • The subnet that you associate as the target must have a CIDR block with at least a /27 bitmask (for example, 192.168.0.0/27). Also, there must be at least eight available IP addresses in the subnet.
  • When you associate a subnet with a Client VPN endpoint, the local route of the VPC that the subnet is provisioned in is automatically added to the Client VPN endpoint's route table.

Resolution

Associate a target network with a Client VPN endpoint

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint to associate with the target network.
  4. Choose Associations, and then choose Target Network Associate.
  5. For VPC, choose the VPC that the subnet is provisioned in.
  6. For Subnet to associate, choose the subnet to associate with the Client VPN endpoint.
  7. Choose Associate.

Apply a security group to a target network

When you associate the first target network with a Client VPN endpoint, the VPC's default security group is applied in the associated subnet. After the first association, you can change the security groups that are applied to the Client VPN endpoint. The rules that those security groups need depend on the type of VPN access that you want to configure.

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint where you plan to apply the security groups.
  4. Choose Security Groups, and then select the current security group.
  5. Choose Apply Security Groups.
  6. Select the new security groups, and then choose Apply Security Groups.

(Optional) Disassociate a target network from a Client VPN endpoint

After you confirm that no clients are connected to the Client VPN endpoint, disassociate any unwanted target networks. Keep at least one target network associated, because clients can't establish a connection to the Client VPN endpoint without one. If you disassociate all target networks, then the Client VPN endpoint removes the route that was automatically created when you associated the target networks.

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint that the target network is associated with.
  4. Choose Associations.
  5. Select the target network to disassociate.
  6. Choose Disassociate, and then choose Yes, Disassociate.
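The three console procedures above as AWS CLI calls, added here as an example that is not part of the original article. It checks the subnet prerequisites from the Important section before associating, and refuses to disassociate while any client connection is still active; the endpoint, subnet, VPC, security group and association IDs are assumed to be supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): the console steps as AWS CLI calls,
# with the subnet prerequisites checked first and disassociation refused while
# clients are connected. Endpoint/subnet/association IDs are caller-supplied.
set -eu
# Succeeds when the prefix is /27 or shorter and at least 8 addresses are free.
check_target_subnet() {
  local cidr="$1" available="$2" prefix
  prefix="${cidr##*/}"
  case "$prefix" in ''|*[!0-9]*) echo "bad CIDR: $cidr" >&2; return 2 ;; esac
  if [ "$prefix" -gt 27 ]; then
    echo "subnet $cidr is smaller than /27" >&2; return 1
  fi
  if [ "$available" -lt 8 ]; then
    echo "subnet $cidr has only $available free addresses (need 8)" >&2; return 1
  fi
}

# Look up the subnet's CIDR and free-address count, validate, then associate.
associate_target_network() {
  local endpoint_id="$1" subnet_id="$2" cidr available
  read -r cidr available <<EOF
$(aws ec2 describe-subnets --subnet-ids "$subnet_id" \
    --query 'Subnets[0].[CidrBlock,AvailableIpAddressCount]' --output text)
EOF
  check_target_subnet "$cidr" "$available"
  aws ec2 associate-client-vpn-target-network \
    --client-vpn-endpoint-id "$endpoint_id" --subnet-id "$subnet_id"
}

# Replace the VPC default security group applied at first association.
apply_endpoint_security_groups() {
  local endpoint_id="$1" vpc_id="$2"; shift 2
  aws ec2 apply-security-groups-to-client-vpn-target-network \
    --client-vpn-endpoint-id "$endpoint_id" --vpc-id "$vpc_id" \
    --security-group-ids "$@"
}

# Disassociate only after confirming no client session is active.
disassociate_target_network() {
  local endpoint_id="$1" association_id="$2" active
  active=$(aws ec2 describe-client-vpn-connections \
    --client-vpn-endpoint-id "$endpoint_id" \
    --query "length(Connections[?Status.Code=='active'])" --output text)
  if [ "$active" != "0" ]; then
    echo "refusing: $active active client connection(s)" >&2; return 1
  fi
  aws ec2 disassociate-client-vpn-target-network \
    --client-vpn-endpoint-id "$endpoint_id" --association-id "$association_id"
}
```

Call the functions with your own IDs, for example `associate_target_network cvpn-endpoint-EXAMPLE subnet-EXAMPLE`; the AWS CLI must be configured with credentials that can call the EC2 Client VPN APIs.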