AWS Client VPN is AWS’s fully managed, flexible VPN service that automatically adjusts based on user demand. Since it is a cloud VPN solution, you don't need to install or manage hardware or software, nor do you need to estimate how many remote users to support at once.
Are you still using bastion hosts or other similar methods to access your private resources in AWS? AWS Client VPN provides a user-friendly and accessible way to connect to your private services over a secure network.
It is based on OpenVPN, so it works with other OpenVPN-based VPN clients. There is one edge case: when you use SAML authentication, you must connect with the client provided by AWS, as other clients don’t come with built-in support for SAML authentication.
It is also cost-efficient, since you won’t need separate bastions for each environment, and you can give different users access to different routes based on the authorization rules you define. For example, you can limit the traffic coming from one particular team based on the Azure AD team or department claim and allow them access only to the resources used by that team.
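The group-based rules described above can be modelled offline to check what a given team will and will not reach. This is an added example, not AWS code: it assumes the longest-prefix-match evaluation that AWS documents for Client VPN authorization rules, and the group IDs and CIDRs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class AuthRule:
    cidr: str                       # destination network the rule covers
    group_id: Optional[str] = None  # IdP group ID; None means "all users"


def is_allowed(rules: Iterable[AuthRule], user_groups: Set[str], dest_ip: str) -> bool:
    """Decide access using only the most specific rule(s) covering dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    matching = []
    for rule in rules:
        net = ipaddress.ip_network(rule.cidr)
        if dest in net:
            matching.append((net.prefixlen, rule))
    if not matching:
        return False  # no rule covers the destination: default deny
    longest = max(plen for plen, _ in matching)
    # Broader rules are ignored once a more specific rule exists.
    return any(
        rule.group_id is None or rule.group_id in user_groups
        for plen, rule in matching
        if plen == longest
    )


# Constructed sample rule set (hypothetical group IDs and CIDRs).
RULES = [
    AuthRule("10.0.0.0/16"),                        # shared services, all users
    AuthRule("10.0.20.0/24", "grp-data-team"),      # data team subnet
    AuthRule("10.0.30.0/24", "grp-platform-team"),  # platform team subnet
]

if __name__ == "__main__":
    for groups, ip in [
        ({"grp-data-team"}, "10.0.20.5"),      # own subnet
        ({"grp-platform-team"}, "10.0.20.5"),  # other team's subnet
        ({"grp-platform-team"}, "10.0.5.1"),   # shared range
        ({"grp-data-team"}, "192.168.1.1"),    # not covered by any rule
    ]:
        print(sorted(groups), ip, "->", "allow" if is_allowed(RULES, groups, ip) else "deny")
```

The second case is the one to watch: the all-users /16 rule does not grant the platform team access to the data team's /24, because the more specific group rule is the only one evaluated.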
It comes with log management through CloudWatch, which makes it much easier to look at metrics, along with the full VPC traffic monitoring toolset, so it's easy to track user connections as well as to monitor and filter outgoing traffic.
The cost is also very low when you use this at scale; I’ll list the cost and an example below.
Pricing example: AWS Client VPN
You create an AWS Client VPN endpoint in US East (Ohio) and associate it with one subnet. You then create 10 Client VPN connections to your AWS Client VPN endpoint. These connections are active for one hour.
AWS Client VPN endpoint hourly fee: For this AWS Region, you pay $0.10 per hour in AWS Client VPN endpoint hourly fees.
AWS Client VPN connection hourly fee: Ten AWS Client VPN connections were active for 1 hour. You pay $0.50 per hour in AWS Client VPN connection fees.
In this scenario, you pay $0.60 per hour for AWS Client VPN, with some additional charges as discussed above.