Secure Remote Access with AWS Client VPN Endpoints using CDK

AWS Client VPN endpoint provides a secure solution for connecting remote users to private/internal AWS resources with ease.

Published Feb 9, 2024
The AWS Cloud Development Kit (CDK) allows you to define cloud infrastructure using familiar programming languages. First, install the CDK dependencies and create a fresh CDK stack if you don't already have one; see the AWS documentation for more details.
Before creating the CDK stack for the AWS Client VPN endpoint, if you don't have a user authentication service such as Azure AD or another SAML provider, you can use the mutual authentication type, where we create the certificates and keys ourselves. We can use the easy-rsa CLI tool to create the CA, the server certificate and key, and the client certificate and key. Follow this detailed step-by-step documentation by AWS; at the end you will have the ARN of the ACM certificate.
Now that we have the server certificate ARN, the CDK stack below creates the required components for the AWS Client VPN endpoint. Replace the CDK stack in the lib directory with the code below.
After this stack is created, deploy it. This creates the endpoint and the necessary infrastructure. If you already have a VPC, remove the VPC code block and reference your existing VPC instead.
cdk deploy
To connect to this VPN endpoint you need to download the AWS VPN Client application and add the correct VPN profile. Before adding a new profile you need the VPN configuration file, which you can download either from the self-service portal of your VPN endpoint or directly from the AWS console. Once you have downloaded the .ovpn file, and if you used the mutual authentication method, you must add the client certificate and key to the same .ovpn file; to complete that, follow this detailed document by AWS. After the configuration file is ready, create a profile and connect to the VPN.
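The profile preparation step above is the one most often done by hand, so here is an added TypeScript helper (not code from the original post or from AWS) that checks a downloaded .ovpn profile for the pieces a mutual-authentication connection needs and embeds the client certificate and private key as inline `<cert>`/`<key>` blocks, which OpenVPN accepts in place of file paths. The endpoint id, CA, client certificate and key in the sample are constructed placeholders, and the endpoint host-name pattern it checks is an assumption about the DNS name AWS assigns to Client VPN endpoints.

```typescript
// Added example, not code from the original post. It checks a downloaded AWS
// Client VPN .ovpn profile for the pieces a mutual-authentication connection
// needs and embeds the client certificate and private key as inline blocks,
// which OpenVPN accepts in place of separate cert/key files.
// Assumptions: the endpoint host-name pattern, and the sample profile,
// certificate and key below, are constructed placeholders, not real AWS values.

interface ProfileCheck {
  ok: boolean;
  problems: string[];
}

// Return the body of an inline <tag>...</tag> block, or null if it is absent.
function inlineBlock(profile: string, tag: string): string | null {
  const m = new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`).exec(profile);
  return m ? m[1].trim() : null;
}

// True when some line in the profile is exactly `directive` or starts with it.
function hasDirective(profile: string, directive: string): boolean {
  return profile.split(/\r?\n/).some((line) => {
    const t = line.trim();
    return t === directive || t.startsWith(directive + " ");
  });
}

const PEM_KEY = /-----BEGIN (RSA |EC )?PRIVATE KEY-----/;

function checkProfile(profile: string): ProfileCheck {
  const problems: string[] = [];
  if (!hasDirective(profile, "client")) problems.push("missing 'client' directive");

  // The remote must be the Client VPN endpoint's DNS name, not an arbitrary host
  // (assumed pattern: cvpn-endpoint-<id>.prod.clientvpn.<region>.amazonaws.com).
  const remote = profile.split(/\r?\n/).map((l) => l.trim()).find((l) => l.startsWith("remote "));
  const host = remote ? remote.split(/\s+/)[1] : undefined;
  if (!host) problems.push("missing 'remote <host> <port>' line");
  else if (!/\.clientvpn\.[a-z0-9-]+\.amazonaws\.com$/.test(host))
    problems.push(`remote host '${host}' is not an AWS Client VPN endpoint name`);

  // remote-cert-tls server makes OpenVPN require the server EKU on the endpoint's
  // certificate, so a leaked client certificate cannot be presented as a server.
  if (!hasDirective(profile, "remote-cert-tls server")) problems.push("missing 'remote-cert-tls server'");

  const ca = inlineBlock(profile, "ca");
  if (!ca || !ca.includes("-----BEGIN CERTIFICATE-----")) problems.push("missing or non-PEM <ca> block");
  const cert = inlineBlock(profile, "cert");
  if (!cert || !cert.includes("-----BEGIN CERTIFICATE-----")) problems.push("missing or non-PEM <cert> block (client certificate)");
  const key = inlineBlock(profile, "key");
  if (!key || !PEM_KEY.test(key)) problems.push("missing or non-PEM <key> block (client private key)");

  return { ok: problems.length === 0, problems };
}

// Append the client certificate and key as inline blocks. Refuses to embed
// material that is not PEM, or to add a second copy to an already-prepared profile.
function embedClientCredentials(profile: string, certPem: string, keyPem: string): string {
  if (!certPem.includes("-----BEGIN CERTIFICATE-----")) throw new Error("certPem is not a PEM certificate");
  if (!PEM_KEY.test(keyPem)) throw new Error("keyPem is not a PEM private key");
  if (inlineBlock(profile, "cert") !== null || inlineBlock(profile, "key") !== null)
    throw new Error("profile already contains a <cert> or <key> block");
  const base = profile.endsWith("\n") ? profile : profile + "\n";
  return `${base}<cert>\n${certPem.trim()}\n</cert>\n<key>\n${keyPem.trim()}\n</key>\n`;
}

// Constructed sample with the shape of a downloaded profile; endpoint id and CA are placeholders.
const SAMPLE_PROFILE = [
  "client",
  "dev tun",
  "proto udp",
  "remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.us-east-1.amazonaws.com 443",
  "nobind",
  "remote-cert-tls server",
  "<ca>",
  "-----BEGIN CERTIFICATE-----",
  "MIIB...placeholder...",
  "-----END CERTIFICATE-----",
  "</ca>",
].join("\n");

// Constructed placeholder PEM blocks standing in for the easy-rsa client certificate and key.
const SAMPLE_CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----";
const SAMPLE_CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----";

// Usage: the downloaded profile fails the check; the prepared one passes.
const prepared = embedClientCredentials(SAMPLE_PROFILE, SAMPLE_CLIENT_CERT, SAMPLE_CLIENT_KEY);
console.log(checkProfile(SAMPLE_PROFILE).problems, checkProfile(prepared).ok);
```

Running `checkProfile` on the prepared file before importing it into the AWS VPN Client catches the two mistakes that otherwise surface only as an opaque connection failure: a missing or mangled client key block, and an edited `remote` line that no longer points at the endpoint.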
AWS VPN Client
Now you should be able to access any internal service within your VPC (make sure to configure proper security group rules).
Connected to EC2 with a Private IP
If you have multiple VPCs, you do not need to create multiple Client VPN endpoints. Instead, you can create an AWS Transit Gateway, connect the VPCs as TGW attachments, and then configure the proper authorization rules and subnet associations in the existing Client VPN endpoint.
In conclusion, AWS Client VPN endpoints offer a secure and scalable solution for enabling remote access to your AWS resources. Leveraging the AWS CDK in TypeScript makes the process of creating and managing these endpoints straightforward and efficient, allowing you to focus on providing seamless connectivity for your remote users.