ClientVpnEndpointOptions
- class aws_cdk.aws_ec2.ClientVpnEndpointOptions(*, cidr, server_certificate_arn, authorize_all_users_to_vpc_cidr=None, client_certificate_arn=None, client_connection_handler=None, client_login_banner=None, description=None, dns_servers=None, logging=None, log_group=None, log_stream=None, port=None, security_groups=None, self_service_portal=None, session_timeout=None, split_tunnel=None, transport_protocol=None, user_based_authentication=None, vpc_subnets=None)
Bases:
object
Options for a client VPN endpoint.
- Parameters:
cidr (
str
) – The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. Changing the address range will replace the Client VPN endpoint. The CIDR block should be /22 or greater.server_certificate_arn (
str
) – The ARN of the server certificate.authorize_all_users_to_vpc_cidr (
Optional
[bool
]) – Whether to authorize all users to the VPC CIDR. This automatically creates an authorization rule. Set this tofalse
and useaddAuthorizationRule()
to create your own rules instead. Default: trueclient_certificate_arn (
Optional
[str
]) – The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authenticationclient_connection_handler (
Optional
[IClientVpnConnectionHandler
]) – The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with theAWSClientVPN-
prefix Default: - no connection handlerclient_login_banner (
Optional
[str
]) – Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the clientdescription (
Optional
[str
]) – A brief description of the Client VPN endpoint. Default: - no descriptiondns_servers (
Optional
[Sequence
[str
]]) – Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the devicelogging (
Optional
[bool
]) – Whether to enable connections logging. Default: truelog_group (
Optional
[ILogGroup
]) – A CloudWatch Logs log group for connection logging. Default: - a new group is createdlog_stream (
Optional
[ILogStream
]) – A CloudWatch Logs log stream for connection logging. Default: - a new stream is createdport (
Optional
[VpnPort
]) – The port number to assign to the Client VPN endpoint for TCP and UDP traffic. Default: VpnPort.HTTPSsecurity_groups (
Optional
[Sequence
[ISecurityGroup
]]) – The security groups to apply to the target network. Default: - a new security group is createdself_service_portal (
Optional
[bool
]) – Specify whether to enable the self-service portal for the Client VPN endpoint. Default: truesession_timeout (
Optional
[ClientVpnSessionTimeout
]) – The maximum VPN session duration time. Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURSsplit_tunnel (
Optional
[bool
]) – Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint. Default: falsetransport_protocol (
Optional
[TransportProtocol
]) – The transport protocol to be used by the VPN session. Default: TransportProtocol.UDPuser_based_authentication (
Optional
[ClientVpnUserBasedAuthentication
]) – The type of user-based authentication to use. Default: - use mutual authenticationvpc_subnets (
Union
[SubnetSelection
,Dict
[str
,Any
],None
]) – Subnets to associate to the client VPN endpoint. Default: - the VPC default strategy
- ExampleMetadata:
fixture=client-vpn infused
Example:
endpoint = vpc.add_client_vpn_endpoint("Endpoint", cidr="10.100.0.0/16", server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id", user_based_authentication=ec2.ClientVpnUserBasedAuthentication.federated(saml_provider), authorize_all_users_to_vpc_cidr=False ) endpoint.add_authorization_rule("Rule", cidr="10.0.10.0/32", group_id="group-id" )
Attributes
- authorize_all_users_to_vpc_cidr
Whether to authorize all users to the VPC CIDR.
This automatically creates an authorization rule. Set this to
false
and useaddAuthorizationRule()
to create your own rules instead.- Default:
true
- cidr
The IPv4 address range, in CIDR notation, from which to assign client IP addresses.
The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.
Changing the address range will replace the Client VPN endpoint.
The CIDR block should be /22 or greater.
- client_certificate_arn
The ARN of the client certificate for mutual authentication.
The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).
- Default:
use user-based authentication
- client_connection_handler
The AWS Lambda function used for connection authorization.
The name of the Lambda function must begin with the
AWSClientVPN-
prefix- Default:
no connection handler
- client_login_banner
Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.
UTF-8 encoded characters only. Maximum of 1400 characters.
- Default:
no banner is presented to the client
- description
A brief description of the Client VPN endpoint.
- Default:
no description
- dns_servers
Information about the DNS servers to be used for DNS resolution.
A Client VPN endpoint can have up to two DNS servers.
- Default:
use the DNS address configured on the device
- log_group
A CloudWatch Logs log group for connection logging.
- Default:
a new group is created
- log_stream
A CloudWatch Logs log stream for connection logging.
- Default:
a new stream is created
- logging
Whether to enable connections logging.
- Default:
true
- port
The port number to assign to the Client VPN endpoint for TCP and UDP traffic.
- Default:
VpnPort.HTTPS
- security_groups
The security groups to apply to the target network.
- Default:
a new security group is created
- self_service_portal
Specify whether to enable the self-service portal for the Client VPN endpoint.
- Default:
true
- server_certificate_arn
The ARN of the server certificate.
- session_timeout
The maximum VPN session duration time.
- Default:
ClientVpnSessionTimeout.TWENTY_FOUR_HOURS
- split_tunnel
Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
- transport_protocol
The transport protocol to be used by the VPN session.
- Default:
TransportProtocol.UDP
- user_based_authentication
The type of user-based authentication to use.
- Default:
use mutual authentication
- See:
- vpc_subnets
Subnets to associate to the client VPN endpoint.
- Default:
the VPC default strategy