
Modify an AWS Client VPN endpoint

You can modify a Client VPN endpoint by using the Amazon VPC Console or the AWS CLI. For more information about the Client VPN fields you can modify, see Endpoint modification.

Note

Modifications to Client VPN endpoints, including Certificate Revocation List (CRL) changes, will take effect up to 4 hours after a request is accepted by the Client VPN service.

You cannot modify the client IPv4 CIDR range, authentication options, client certificate or transport protocol after the Client VPN endpoint has been created.

To modify a Client VPN endpoint (console)
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint to modify, choose Actions, and then choose Modify Client VPN endpoint.

  4. For Description, enter a brief description for the Client VPN endpoint.

  5. For Server certificate ARN, specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting.

    Note

    The server certificate must be present in AWS Certificate Manager (ACM) in the Region in which you are creating the Client VPN endpoint. The certificate can either be provisioned with ACM or imported into ACM.

  6. Specify whether to log data about client connections using Amazon CloudWatch Logs. For Enable log details on client connections, do one of the following:

    • To activate client connection logging, turn on Enable log details on client connections. For CloudWatch Logs log group name, select the name of the log group to use. For CloudWatch Logs log stream name, select the name of the log stream to use, or leave this option blank to let us create a log stream for you.

    • To deactivate client connection logging, turn off Enable log details on client connections.

  7. For Client connect handler, to activate the client connect handler, turn on Enable client connect handler. For Client Connect Handler ARN, specify the Amazon Resource Name (ARN) of the Lambda function that contains the logic that allows or denies connections.

  8. Turn on or off Enable DNS servers. To use custom DNS servers, for DNS Server 1 IP address and DNS Server 2 IP address, specify the IP addresses of the DNS servers to use. To use the VPC DNS server, for either DNS Server 1 IP address or DNS Server 2 IP address, specify the VPC DNS server IP address.

    Note

    Verify that the DNS servers can be reached by clients.

  9. Turn on or off Enable split-tunnel. By default, split-tunnel on a VPN endpoint is off.

  10. For VPC ID, choose the VPC to associate with the Client VPN endpoint. For Security Group IDs, choose one or more of the VPC's security groups to apply to the Client VPN endpoint.

  11. For VPN port, choose the VPN port number. The default is 443.

  12. To generate a self-service portal URL for clients, turn on Enable self-service portal.

  13. For Session timeout hours, choose the desired maximum VPN session duration in hours from the available options, or leave it set to the default of 24 hours.

  14. For Disconnect on session timeout, choose whether you want to terminate the session when the maximum session time is reached. Choosing this option requires that users reconnect manually to the endpoint when the session times out; otherwise, Client VPN will automatically try to reconnect.

  15. Turn on or off Enable client login banner. If you want to use the client login banner, enter the text that will be displayed in a banner on AWS-provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.

  16. Choose Modify Client VPN endpoint.

To modify a Client VPN endpoint (AWS CLI)

Use the modify-client-vpn-endpoint command.
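The following script is an added example and is not part of the AWS documentation or the AWS CLI itself. It applies the settings from the console steps above through the `aws ec2 modify-client-vpn-endpoint` command: it turns on client connection logging to CloudWatch Logs, sets a login banner, sets the session timeout and enables the self-service portal. Before calling the CLI it checks the two constraints a practitioner is most likely to get wrong: the banner length limit of 1400 characters stated on this page, and the session timeout values the API accepts (8, 10, 12 or 24 hours, which come from the API reference rather than this page). The endpoint ID, log group name and banner text are placeholders you would replace with your own; the `aws` call only runs when `APPLY=1` is set, so the checks can be exercised without credentials.

```shell
#!/usr/bin/env sh
# Added example: validate settings, then apply them with modify-client-vpn-endpoint.
# ENDPOINT_ID and LOG_GROUP below are placeholders, not values from the page.

ENDPOINT_ID="${ENDPOINT_ID:-cvpn-endpoint-PLACEHOLDER}"   # placeholder endpoint ID
LOG_GROUP="${LOG_GROUP:-/aws/clientvpn/connections}"      # constructed log group name
BANNER="${BANNER:-Access restricted to authorized users. Sessions are logged.}"
SESSION_HOURS="${SESSION_HOURS:-12}"
BANNER_MAX=1400   # limit stated in step 15 of the console procedure

# banner_ok TEXT: return 0 if TEXT is within the 1400-character limit.
# wc -m counts characters in the current locale (UTF-8 locales count code points).
banner_ok() {
  n=$(printf '%s' "$1" | wc -m | tr -d ' ')
  [ "$n" -le "$BANNER_MAX" ]
}

# session_hours_ok N: return 0 if N is one of the values the API accepts.
session_hours_ok() {
  case "$1" in
    8|10|12|24) return 0 ;;
    *) return 1 ;;
  esac
}

# modify_endpoint: run the CLI command with the validated settings.
# Connection logging is turned on so that each client connection is recorded
# in CloudWatch Logs; the log stream is left for the service to create.
modify_endpoint() {
  banner_ok "$BANNER" || { echo "banner exceeds $BANNER_MAX characters" >&2; return 1; }
  session_hours_ok "$SESSION_HOURS" || { echo "invalid session timeout: $SESSION_HOURS" >&2; return 1; }
  aws ec2 modify-client-vpn-endpoint \
    --client-vpn-endpoint-id "$ENDPOINT_ID" \
    --connection-log-options "Enabled=true,CloudwatchLogGroup=$LOG_GROUP" \
    --client-login-banner-options "Enabled=true,BannerText=$BANNER" \
    --session-timeout-hours "$SESSION_HOURS" \
    --self-service-portal enabled
}

# Only call the AWS CLI when explicitly asked; the checks above run regardless.
if [ "${APPLY:-0}" = "1" ]; then
  modify_endpoint
fi
```

Run it as `APPLY=1 ENDPOINT_ID=cvpn-endpoint-... sh modify-endpoint.sh` with credentials for the Region that holds the endpoint. As the note at the top of the page states, the change may take up to 4 hours to take effect, so do not expect new log events in the group immediately after the command returns.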