AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-07-16 · Documentation low

File: vpn/latest/clientvpn-admin/what-is-best-practices.md

Summary

Updated bandwidth details and clarified NAT/PAT behavior for Client VPN connections, including port translation examples for multiple clients

Security assessment

The changes clarify network translation behaviors which are relevant to security configurations, but there's no evidence of addressing a specific vulnerability. The PAT explanation helps users understand connection handling but doesn't introduce new security controls.

Diff

diff --git a/vpn/latest/clientvpn-admin/what-is-best-practices.md b/vpn/latest/clientvpn-admin/what-is-best-practices.md
index 211c3119e..cbe9e68c3 100644
--- a//vpn/latest/clientvpn-admin/what-is-best-practices.md
+++ b//vpn/latest/clientvpn-admin/what-is-best-practices.md
@@ -28 +28 @@ The following sections describe the rules and best practices for using AWS Clien
-  * A minimum bandwidth of 10 Mbps is supported per user connection. The maximum bandwidth per user connection depends on the number of connections being made to the Client VPN endpoint.
+  * AWS Client VPN is a fully-managed service that automatically scales to accommodate additional user connections and bandwidth requirements. Each user connection has a maximum baseline bandwidth of 50 Mbps. You can request an increase through AWS Support if needed. The actual bandwidth experienced by users connecting through a Client VPN endpoint can vary based on several factors. These factors include packet size, traffic composition (TCP/UDP mix), network policies (shaping or throttling) on intermediate networks, internet conditions, application-specific requirements, and the total number of concurrent user connections.
@@ -40 +40 @@ The following sections describe the rules and best practices for using AWS Clien
-  * Client VPN performs Network Address Translation (NAT) for IP addresses, but it does not perform Port Address Translation (PAT). When a client connects through Client VPN:
+  * Client VPN performs Network Address Translation (NAT). When a client connects through Client VPN:
@@ -45,0 +46,14 @@ The following sections describe the rules and best practices for using AWS Clien
+  * Client VPN performs Port Address Translation (PAT) only when concurrent users are connecting to the same target. Port translation is automatic and necessary to support multiple simultaneous connections through the same VPN endpoint.
+
+    * For the source IP translation the source IP address is translated to the Client VPN's IP address.
+
+    * For the source port translation for single client connections, the original source port number might remain unchanged.
+
+    * For the source port translation for multiple clients connecting to the same destination (the same target IP address and port), Client VPN performs port translation to ensure unique connections.
+
+For example, when two clients, client 1 and client 2, connect to the same destination server and port through a Client VPN endpoint:
+
+    * The original port for client 1 — for example, `9999` — might be translated to a different port — for example, port `4306`.
+
+    * The original port for client 2 — for example, `9999` — might be translated to a unique port different form client 1 — for example, port `63922`.
+