AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-08-28 · Documentation medium

File: vpn/latest/clientvpn-admin/cvpn-working-cre.md

Summary

Expanded Client Route Enforcement documentation to include IPv6 support, updated version requirements, and added IPv6 network exceptions

Security assessment

The change enhances documentation about a security feature (Client Route Enforcement) by adding IPv6 support details. It improves clarity about security controls but does not address a specific vulnerability. The addition of IPv6 network exception lists (like link-local and multicast ranges) shows improved security boundary definitions.

Diff

diff --git a/vpn/latest/clientvpn-admin/cvpn-working-cre.md b/vpn/latest/clientvpn-admin/cvpn-working-cre.md
index 2e7a1472e..a00bf2020 100644
--- a//vpn/latest/clientvpn-admin/cvpn-working-cre.md
+++ b//vpn/latest/clientvpn-admin/cvpn-working-cre.md
@@ -11 +11 @@ Client Route Enforcement helps enforce administrator-defined routes on devices c
-Client Route Enforcement monitors the main routing table of the connected device and ensures that outbound network traffic goes to a VPN tunnel, according to network routes configured in the client VPN endpoint. This includes modifying routing tables on a device if routes conflicting with VPN tunnel are detected.
+Client Route Enforcement monitors the main routing table of the connected device and ensures that outbound network traffic goes to a VPN tunnel, according to network routes configured in the client VPN endpoint. This includes modifying routing tables on a device if routes conflicting with VPN tunnel are detected. Client Route Enforcement supports both IPv4 and IPv6 address families.
@@ -17 +17 @@ Client Route Enforcement only works with the following AWS provided Client VPN v
-  * Windows version 5.2.0 or higher
+  * Windows version 5.2.0 or higher (IPv4 support)
@@ -19 +19 @@ Client Route Enforcement only works with the following AWS provided Client VPN v
-  * macOS version 5.2.0 or higher
+  * macOS version 5.2.0 or higher (IPv4 support)
@@ -21 +21 @@ Client Route Enforcement only works with the following AWS provided Client VPN v
-  * Ubuntu version 5.2.0 or higher
+  * Ubuntu version 5.2.0 or higher (IPv4 support)
@@ -22,0 +23 @@ Client Route Enforcement only works with the following AWS provided Client VPN v
+  * Windows version 5.3.0 or higher (IPv6 support)
@@ -23,0 +25 @@ Client Route Enforcement only works with the following AWS provided Client VPN v
+  * macOS version 5.3.0 or higher (IPv6 support)
@@ -24,0 +27,6 @@ Client Route Enforcement only works with the following AWS provided Client VPN v
+  * Ubuntu version 5.3.0 or higher (IPv6 support)
+
+
+
+
+For dual-stack endpoints, the Client Route Enforcement setting applies to both IPv4 and IPv6 stacks simultaneously. It is not possible to enable Client Route Enforcement for only one stack.
@@ -72,3 +80 @@ Routes added to a non-VPN gateway are excluded from Client Route Enforcement as
-  * The `route-ipv6` directive. 
-
-This directive is not processed, as Client Route Enforcement only supports IPv4 addresses.
+    * Similar to IPv4 routes, IPv6 routes added to a VPN gateway are monitored by Client Route Enforcement, while routes added to a non-VPN gateway are excluded from monitoring.
@@ -81 +87 @@ This directive is not processed, as Client Route Enforcement only supports IPv4
-Routes to the following networks will be ignored by Client Route Enforcement:
+Routes to the following IPv4 networks will be ignored by Client Route Enforcement:
@@ -93,0 +100,11 @@ Routes to the following networks will be ignored by Client Route Enforcement:
+Routes to the following IPv6 networks will be ignored by Client Route Enforcement:
+
+  * `::1/128` — Reserved for loopback 
+
+  * `fe80::/10` — Reserved for link-local addresses 
+
+  * `ff00::/8` — Reserved for multicast 
+
+
+
+
@@ -99,0 +117,2 @@ Routes to the following networks will be ignored by Client Route Enforcement:
+  * [Troubleshoot IPv6 Client Route Enforcement](./cre-ipv6-troubleshooting.html)
+