What is the relationship between the Client VPN Network Association and Client CIDR Block?

0

Let's say my Client VPN CIDR Block is 10.0.0.0/22 and my Client VPN Network Association is 10.100.0.0/27 for a VPC at 10.100.0.0/16.

The Client VPN CIDR Block (10.0.0.0/22) has 1,024 addresses. The Client VPN Network Association has 32 addresses.

Will this cause an issue?

Is this a requirement? Client VPN CIDR Block <= Client VPN Network Association

I don't understand how the two relate to each other.

Asked 2 years ago · Viewed 348 times
2 answers
1
Accepted answer

Hello,

Think of the Client CIDR Block as the pool of IPs that is handed out to every client that connects to the CVPN. Client VPN actually does a source NAT when you connect to the destination.

For example, if you expect to support 8,000 VPN connections to your Client VPN endpoint, specify a minimum client CIDR range size of /18 (16,384 IP addresses), and associate at least 2 subnets with the Client VPN endpoint.

If you’re unsure what the number of expected VPN connections is for your Client VPN endpoint, we recommend that you specify a size /16 CIDR block or larger.

On the other hand, note that you can associate the Client VPN endpoint with multiple subnets. The requirement is that each of the subnets needs to belong to the same VPC but a different Availability Zone.

AWS Expert · Answered 2 years ago
Reviewed by Toni_S (AWS Expert) 2 years ago
0

@Tushar_J Thanks for the response. So given these parameters:

Private Subnet: 10.100.1.0/24
Client CIDR Block: 10.0.0.0/22
Client Network Association: 10.100.0.0/27

Test VPN Address: 10.0.0.6
Test Private Network: 10.100.2.0/24

I'm trying to ping an EC2 instance on my Test Private Network from my Test VPN Address. Here's where I still don't understand:

Test Private Network ACL Allow: [Client CIDR Block] - will not allow access
Test Private Network ACL Allow: [Client Network Association CIDR Block] - will allow access

I'm guessing there is some type of private IP NAT going on at the Client Network Association?
But I'm confused as to why the NACL works for my Client Network Association CIDR block and not my Client CIDR block.

Thanks,

Joe

Answered 2 years ago
  • Hi Joe, yes that is correct. When traffic from the end user device reaches the Client VPN endpoint, the source IP address of the packets is translated to the Client VPN endpoint network interface's IP address using source NAT. As a result, the target resources have visibility into all the traffic that's sourced with the Client VPN endpoint network interface's IP address.
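The two points made in this thread, the pool sizing from the accepted answer and the source NAT confirmed in the comment above, can be checked against the exact numbers Joe posted. The following is an added example and not code from the page or from AWS: it uses the thread's /16 VPC, /27 association subnet, /22 client CIDR, 10.0.0.6 test client and the two NACL variants Joe tried. The endpoint ENI address (10.100.0.10) is an assumption, since the page never says which address the endpoint's network interface received, and the "twice the expected connections" sizing factor is inferred from the answer's own 8,000-connections-to-/18 figure rather than stated by the page.

```python
import ipaddress

# Constructed inputs taken from the thread: the /16 VPC, the /27 association subnet,
# the /22 client CIDR and the 10.0.0.6 test client. The endpoint ENI address is an
# assumption; the page never says which address the endpoint's network interface
# was given inside the associated subnet.
VPC_CIDR = ipaddress.ip_network("10.100.0.0/16")
ASSOCIATED_SUBNET = ipaddress.ip_network("10.100.0.0/27")
CLIENT_CIDR = ipaddress.ip_network("10.0.0.0/22")
TEST_CLIENT_IP = ipaddress.ip_address("10.0.0.6")
ENDPOINT_ENI_IP = ipaddress.ip_address("10.100.0.10")  # assumed, inside the /27


def validate_client_cidr(client_cidr, vpc_cidr, associated_subnets):
    """Check the constraints AWS documents for a Client VPN client CIDR: block size
    between /12 and /22, and no overlap with the VPC CIDR or any associated subnet.
    Returns a list of problems; an empty list means the combination is acceptable."""
    problems = []
    if not 12 <= client_cidr.prefixlen <= 22:
        problems.append(f"/{client_cidr.prefixlen} is outside the allowed /12 to /22 range")
    if client_cidr.overlaps(vpc_cidr):
        problems.append(f"{client_cidr} overlaps the VPC CIDR {vpc_cidr}")
    for subnet in associated_subnets:
        if client_cidr.overlaps(subnet):
            problems.append(f"{client_cidr} overlaps associated subnet {subnet}")
    return problems


def pool_size(client_cidr):
    """Number of addresses in the pool handed to connecting clients (1,024 for a /22)."""
    return client_cidr.num_addresses


def client_cidr_prefix_for(expected_connections):
    """Smallest prefix length whose pool holds at least twice the expected number of
    connections, clamped to the /12 to /22 range. The factor of two is inferred from
    the answer's own figure (8,000 connections -> /18 = 16,384 addresses); it is a
    sizing heuristic, not a rule the page states."""
    needed = 2 * expected_connections
    prefix = 32
    while 2 ** (32 - prefix) < needed:
        prefix -= 1
    return max(12, min(22, prefix))


def effective_source_ip(client_ip, endpoint_eni_ip):
    """Client VPN source-NATs every packet it forwards into the VPC: the target sees
    the endpoint's ENI address, never the client's pool address."""
    if client_ip not in CLIENT_CIDR:
        raise ValueError(f"{client_ip} is not an address from the client CIDR pool")
    return endpoint_eni_ip


def nacl_allows(rules, source_ip):
    """Evaluate a network ACL on the source address only: rules in ascending
    rule-number order, first matching rule wins, implicit deny if none match.
    Protocol and port matching are deliberately left out of this model."""
    for _number, action, cidr in sorted(rules, key=lambda r: r[0]):
        if source_ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


def ping_reaches_target(nacl_rules, client_ip=TEST_CLIENT_IP, endpoint_eni_ip=ENDPOINT_ENI_IP):
    """Does the NACL on the target subnet admit the post-NAT source of a client packet?"""
    return nacl_allows(nacl_rules, effective_source_ip(client_ip, endpoint_eni_ip))


# The two NACL variants Joe tried, as (rule number, action, source CIDR) entries.
NACL_ALLOW_CLIENT_CIDR = [(100, "allow", str(CLIENT_CIDR)), (32767, "deny", "0.0.0.0/0")]
NACL_ALLOW_ASSOCIATED = [(100, "allow", str(ASSOCIATED_SUBNET)), (32767, "deny", "0.0.0.0/0")]

if __name__ == "__main__":
    print("client CIDR problems:", validate_client_cidr(CLIENT_CIDR, VPC_CIDR, [ASSOCIATED_SUBNET]))
    print("pool size:", pool_size(CLIENT_CIDR))
    print("prefix for 8,000 connections: /%d" % client_cidr_prefix_for(8000))
    print("NACL allowing the client CIDR:", ping_reaches_target(NACL_ALLOW_CLIENT_CIDR))
    print("NACL allowing the association subnet:", ping_reaches_target(NACL_ALLOW_ASSOCIATED))
```

Run as a script it reports no problems with the /22 against the /16 VPC and its /27, a pool of 1,024 addresses, /18 for 8,000 connections, and that only the NACL allowing the association subnet admits the ping, because the packet that reaches the target carries the ENI's address rather than 10.0.0.6. The same reasoning applies to security groups on the target instances: the rule must reference the associated subnet (or the endpoint's security group), not the client CIDR.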
