AWS vpn documentation change
Summary
Restructured documentation into sections (Networking, Security, DNS, etc.), added details about IPv4-only support, NAT behavior, certificate requirements, and limitations. Moved existing content into new logical groupings.
Security assessment
Added security-related best practices including certificate compliance with RFC 5280 and authentication limitations. However, there's no evidence these changes address a specific disclosed vulnerability or security incident.
Diff
diff --git a/vpn/latest/clientvpn-admin/what-is-best-practices.md b/vpn/latest/clientvpn-admin/what-is-best-practices.md index 517653edb..759f7af83 100644 --- a//vpn/latest/clientvpn-admin/what-is-best-practices.md +++ b//vpn/latest/clientvpn-admin/what-is-best-practices.md @@ -4,0 +5,2 @@ +Networking and bandwidth requirementsSubnet and VPC configurationAuthentication and securityConnection and DNS requirementsLimitations and restrictions + @@ -7 +9,18 @@ -Following are the rules and best practices for using AWS Client VPN +The following sections describe the rules and best practices for using AWS Client VPN: + +###### Topics + + * Networking and bandwidth requirements + + * Subnet and VPC configuration + + * Authentication and security + + * Connection and DNS requirements + + * Limitations and restrictions + + + + +## Networking and bandwidth requirements @@ -18,0 +38,13 @@ Following are the rules and best practices for using AWS Client VPN + * Client VPN supports IPv4 traffic only. See [IPv6 considerations for AWS Client VPN](./ipv6-considerations.html) for details regarding IPv6. + + * Client VPN performs Network Address Translation (NAT) for IP addresses, but it does not perform Port Address Translation (PAAT). When a client connects through Client VPN: + + * The source IP address is translated to the Client VPN endpoint's IP address. + + * The original source port number from the client remains unchanged. + + + + +## Subnet and VPC configuration + @@ -25 +56,0 @@ Following are the rules and best practices for using AWS Client VPN - * Client VPN supports IPv4 traffic only. See [IPv6 considerations for AWS Client VPN](./ipv6-considerations.html) for details regarding IPv6. @@ -27 +57,0 @@ Following are the rules and best practices for using AWS Client VPN - * Client VPN is not Federal Information Processing Standards (FIPS) compliant. @@ -29 +58,0 @@ Following are the rules and best practices for using AWS Client VPN - * The self-service portal is not available for clients that authenticate using mutual authentication. @@ -31 +60 @@ Following are the rules and best practices for using AWS Client VPN - * We do not recommend connecting to a Client VPN endpoint using IP addresses. Because Client VPN is a managed service, you will occasionally see changes in the IP addresses to which the DNS name resolves. In addition, you will see Client VPN network interfaces deleted and recreated in your CloudTrail logs. We recommend connecting to the Client VPN endpoint using the DNS name provided. +## Authentication and security @@ -33,3 +62 @@ Following are the rules and best practices for using AWS Client VPN - * IP forwarding is not currently supported when using the AWS Client VPN desktop application. IP forwarding is supported from other clients. - - * Client VPN does not support multi-Region replication in AWS Managed Microsoft AD. The Client VPN endpoint must be in the same Region as the AWS Managed Microsoft AD resource. + * The self-service portal is not available for clients that authenticate using mutual authentication. @@ -41 +68,10 @@ Following are the rules and best practices for using AWS Client VPN - * You can't establish a VPN connection from a computer if there are multiple users logged into the operating system. + * Certificates used in AWS Client VPN must adhere to [RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile](https://datatracker.ietf.org/doc/html/rfc5280), including the Certificate Extensions specified in section 4.2 of the memo. + + * User names with special characters might cause connection errors. + + + + +## Connection and DNS requirements + + * We do not recommend connecting to a Client VPN endpoint using IP addresses. Because Client VPN is a managed service, you will occasionally see changes in the IP addresses to which the DNS name resolves. In addition, you will see Client VPN network interfaces deleted and recreated in your CloudTrail logs. We recommend connecting to the Client VPN endpoint using the DNS name provided. @@ -44,0 +81,2 @@ Following are the rules and best practices for using AWS Client VPN + * You can use an AWS provided client to connect to multiple concurrent DNS sessions. However, for name resolution to work correctly, the DNS servers of all connections should have synchronized records. + @@ -47 +84,0 @@ Following are the rules and best practices for using AWS Client VPN - * Certificates used in AWS Client VPN must adhere to [RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile](https://datatracker.ietf.org/doc/html/rfc5280), including the Certificate Extensions specified in section 4.2 of the memo. @@ -49 +85,0 @@ Following are the rules and best practices for using AWS Client VPN - * User names with special characters might cause connection errors when using the AWS Client VPN. @@ -51 +87,8 @@ Following are the rules and best practices for using AWS Client VPN - * You can use an AWS provided client to connect to multiple concurrent DNS sessions. However, for name resolution to work correctly, the DNS servers of all connections should have synchronized records. + +## Limitations and restrictions + + * IP forwarding is not currently supported when using the AWS Client VPN desktop application. IP forwarding is supported from other clients. + + * Client VPN does not support multi-Region replication in AWS Managed Microsoft AD. The Client VPN endpoint must be in the same Region as the AWS Managed Microsoft AD resource. + + * You can't establish a VPN connection from a computer if there are multiple users logged into the operating system.