Client VPN

Manual Steps for Setting Up AWS Client VPN with IAM Identity Center (SSO)

This guide outlines the manual steps needed to configure AWS Client VPN using IAM Identity Center (formerly AWS SSO).
Refer to this AWS blog post for additional context.


Step 1: Configure IAM Identity Center (on the AWS Root Account)

Create an Application for the VPN Client

  1. In IAM Identity Center, create a new application with the display name: VPN Client.
  2. Create a group named allow_vpn and add the users who should have VPN access and self-service access.
  3. Set the following properties for the application:
     • Application ACS URL: http://127.0.0.1:35001
     • SAML Audience: urn:amazon:webservices:clientvpn
  4. Download the SAML metadata file for this application.
  5. Save the application.
  6. Assign the allow_vpn group to the application.
  7. Edit the application's attribute mappings using the table below:
Attribute Mappings

| User Attribute in Application | Maps to This Value or IAM Identity Center Attribute | Format       |
|-------------------------------|-----------------------------------------------------|--------------|
| Subject                       | ${user:email}                                       | emailAddress |
| FirstName                     | ${user:givenName}                                   | unspecified  |
| LastName                      | ${user:groups}                                      | unspecified  |
| memberOf                      | ${user:familyName}                                  | unspecified  |

Create an Application for VPN Self-Service

  1. Create a second application with the display name: VPN Client Self Service.
  2. Set the following properties:
     • Application ACS URL: https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml
     • SAML Audience: urn:amazon:webservices:clientvpn
  3. Download the SAML metadata file for this application.
  4. Save the application.
  5. Assign the allow_vpn group to the application.
  6. Use the same attribute mappings as defined above.

Step 2: Deploy the Client VPN (in a Non-Root AWS Account)

You should deploy the client VPN in a target AWS account (e.g., dev, transit), not the root account.

  1. Move both downloaded metadata XML files to your Infrastructure as Code (IaC) repository.
  2. Use the appropriate module to deploy the client VPN in the target AWS account.
  3. Once deployed, navigate to the Client VPN service in the AWS Console and copy the Self-Service Portal URL.

Step 3: Final Configuration in IAM Identity Center

  1. Return to the root AWS account.
  2. Edit the VPN Client Self Service application you created earlier.
  3. Set the Application Start URL to the Self-Service Portal URL you copied from the Client VPN.

Final Result

Users in the allow_vpn group can now:

  • Open the AWS Access Portal.
  • Go to the Applications tab.
  • Launch the VPN Client Self Service app.
  • Download the VPN client configuration via the self-service portal.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| domain_name | The domain name for the VPN | string | n/a | yes |
| grant_cidr_blocks | The CIDR blocks to grant access to from the VPN | list(string) | n/a | yes |
| grant_sgs | The security groups to grant access to from the VPN | map(object({ from_port = number, to_port = number, protocol = string, description = string })) | n/a | yes |
| name | The name of the VPN | string | n/a | yes |
| subnets | The subnets where the VPN will be deployed | list(string) | n/a | yes |
| vpc_cidr_block | The CIDR block of the VPC | string | n/a | yes |
| vpc_id | The VPC ID where the VPN will be deployed | string | n/a | yes |
| vpn_client_metadata | The XML metadata file path for the VPN client | string | n/a | yes |
| vpn_client_self_service_metadata | The XML metadata file path for the VPN client self service | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| client_vpn_endpoint_id | The ID of the Client VPN endpoint |
| client_vpn_security_group_id | The ID of the security group associated with the Client VPN endpoint |
| self_service_portal_url | The URL for the self-service portal of the Client VPN endpoint |
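To show how the inputs and outputs above fit together in Step 2, here is an added example of calling the module from a target (non-root) account; it is not part of the module's own documentation. The module source path, the referenced resources (aws_vpc.dev, aws_subnet.private_*, aws_security_group.internal_api), the assumption that grant_sgs is keyed by security group ID, and the sample CIDR and domain values are all assumptions.

```hcl
# Added example (not the module's own code): deploying the Client VPN in a target account.
# Source path, resource references and sample values are assumptions, not documented values.

module "client_vpn" {
  source = "../../modules/client-vpn" # assumed relative path to this module

  name        = "dev-client-vpn"
  domain_name = "vpn.dev.example.internal" # constructed sample value

  vpc_id         = aws_vpc.dev.id
  vpc_cidr_block = aws_vpc.dev.cidr_block
  subnets        = [aws_subnet.private_a.id, aws_subnet.private_b.id]

  # Networks reachable through the tunnel: list only what VPN users actually need.
  grant_cidr_blocks = ["10.20.0.0/16"]

  # Per-security-group ingress allowed from the VPN endpoint's security group.
  # Assumed to be keyed by security group ID; each value matches the documented object type.
  grant_sgs = {
    (aws_security_group.internal_api.id) = {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      description = "HTTPS from Client VPN users"
    }
  }

  # SAML metadata files downloaded from the two IAM Identity Center applications
  # in Step 1 and committed to the IaC repository.
  vpn_client_metadata              = "${path.module}/saml/vpn-client.xml"
  vpn_client_self_service_metadata = "${path.module}/saml/vpn-client-self-service.xml"
}

# Surfaces the portal URL that Step 3 pastes into the Self Service application's Start URL,
# so it can be read from `terraform output` instead of the console.
output "self_service_portal_url" {
  value = module.client_vpn.self_service_portal_url
}
```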