AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-08-28 · Documentation low

File: vpn/latest/clientvpn-admin/cvpn-working-endpoint-create.md

Summary

Added support for IPv6 and dual-stack configurations in Client VPN endpoint creation. Introduced new 'Endpoint IP address type' and 'Traffic IP address type' parameters, updated DNS server configuration options for IPv6, added CLI examples for IPv4/IPv6/dual-stack setups, and restructured step numbering.

Security assessment

The changes introduce IPv6 support and configuration options but do not address any specific security vulnerabilities. While IPv6 adoption can have security implications, the documentation update focuses on feature expansion rather than patching security issues. The note about automatic IPv6 CIDR assignment helps prevent misconfiguration but is a documentation clarification rather than a security fix.

Diff

diff --git a/vpn/latest/clientvpn-admin/cvpn-working-endpoint-create.md b/vpn/latest/clientvpn-admin/cvpn-working-endpoint-create.md
index 4aa48f4d4..e9a1f1ebe 100644
--- a//vpn/latest/clientvpn-admin/cvpn-working-endpoint-create.md
+++ b//vpn/latest/clientvpn-admin/cvpn-working-endpoint-create.md
@@ -7 +7 @@
-Create a Client VPN endpoint to enable your clients to establish a VPN session using either the Amazon VPC Console or the AWS CLI.
+Create a AWS Client VPN endpoint to enable your clients to establish a VPN session using either the Amazon VPC Console or the AWS CLI.Client VPN supports all combinations of endpoint type (split-tunnel and full-tunnel) with traffic type (IPv4, IPv6, and dual-stack) during initial creation. 
@@ -19 +19,17 @@ Before creating an endpoint, familiarize yourself with the requirements. For mor
-  4. For **Client IPv4 CIDR** , specify an IP address range, in CIDR notation, from which to assign client IP addresses. For example, `10.0.0.0/22`.
+  4. For **Endpoint IP address type** , choose the IP address type for the endpoint:
+
+     * **IPv4** : The endpoint uses IPv4 addresses for outer VPN tunnel traffic.
+
+     * **IPv6** : The endpoint uses IPv6 addresses for outer VPN tunnel traffic.
+
+     * **Dual-stack** : The endpoint uses both IPv4 and IPv6 addresses for outer VPN tunnel traffic.
+
+  5. For **Traffic IP address type** , choose the IP address type for traffic flowing through the endpoint:
+
+     * **IPv4** : The endpoint supports IPv4 traffic only.
+
+     * **IPv6** : The endpoint supports IPv6 traffic only.
+
+     * **Dual-stack** : The endpoint supports both IPv4 and IPv6 traffic.
+
+  6. For **Client IPv4 CIDR** , specify an IP address range, in CIDR notation, from which to assign client IP addresses. For example, `10.0.0.0/22`. This is required if you selected IPv4 or Dual-stack for the Traffic IP address type.
@@ -23 +39 @@ Before creating an endpoint, familiarize yourself with the requirements. For mor
-The address range cannot overlap with the target network address range, the VPC address range or any of the routes that will be associated with the Client VPN endpoint. The client address range must be at minimum /22 and not greater than /12 CIDR block size. You cannot change the client address range after you create the Client VPN endpoint.
+     * The address range cannot overlap with the target network address range, the VPC address range or any of the routes that will be associated with the Client VPN endpoint. The client address range must be at minimum /22 and not greater than /12 CIDR block size. You cannot change the client address range after you create the Client VPN endpoint.
@@ -25 +41,7 @@ The address range cannot overlap with the target network address range, the VPC
-  5. For **Server certificate ARN** , specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting.
+     * When you select IPv6 as the endpoint IP address type, the Client IPv4 CIDR field is disabled. The Client VPN endpoint allocates client IPv6 addresses from an associated subnet, and you can associate the subnet after creating the endpoint.
+
+###### Note
+
+For IPv6 traffic, you do not need to specify a client CIDR range. Amazon automatically assigns IPv6 CIDR ranges for clients.
+
+  7. For **Server certificate ARN** , specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting.
@@ -33 +55 @@ For the steps to provision or import a certificate into ACM, see [AWS Certificat
-  6. Specify the authentication method to be used to authenticate clients when they establish a VPN connection. You must select an authentication method.
+  8. Specify the authentication method to be used to authenticate clients when they establish a VPN connection. You must select an authentication method.
@@ -51 +73 @@ If the server and client certificates have been issued by the same Certificate A
-  7. (Optional) For **Connection logging** , specify whether to log data about client connections using Amazon CloudWatch Logs. Turn on **Enable log details on client connections**. For **CloudWatch Logs log group name** , enter the name of the log group to use. For **CloudWatch Logs log stream name** , enter the name of the log stream to use, or leave this option blank to let us create a log stream for you. 
+  9. (Optional) For **Connection logging** , specify whether to log data about client connections using Amazon CloudWatch Logs. Turn on **Enable log details on client connections**. For **CloudWatch Logs log group name** , enter the name of the log group to use. For **CloudWatch Logs log stream name** , enter the name of the log stream to use, or leave this option blank to let us create a log stream for you. 
@@ -53 +75 @@ If the server and client certificates have been issued by the same Certificate A
-  8. (Optional) For **Client Connect Handler** , turn on **Enable client connect handler** to run custom code that allows or denies a new connection to the Client VPN endpoint. For **Client Connect Handler ARN** , specify the Amazon Resource Name (ARN) of the Lambda function that contains the logic that allows or denies connections.
+  10. (Optional) For **Client Connect Handler** , turn on **Enable client connect handler** to run custom code that allows or denies a new connection to the Client VPN endpoint. For **Client Connect Handler ARN** , specify the Amazon Resource Name (ARN) of the Lambda function that contains the logic that allows or denies connections.
@@ -55 +77 @@ If the server and client certificates have been issued by the same Certificate A
-  9. (Optional) Specify which DNS servers to use for DNS resolution. To use custom DNS servers, for **DNS Server 1 IP address** and **DNS Server 2 IP address** , specify the IP addresses of the DNS servers to use. To use VPC DNS server, for either **DNS Server 1 IP address** or **DNS Server 2 IP address** , specify the IP addresses, and add the VPC DNS server IP address.
+  11. (Optional) Specify which DNS servers to use for DNS resolution. To use custom DNS servers, for **DNS Server 1 IP address** and **DNS Server 2 IP address** , specify the IPv4 addresses of the DNS servers to use. For IPv6 or dual-stack endpoints, you can also specify **DNS Server IPv6 1** and **DNS Server IPv6 2** addresses. To use VPC DNS server, for either **DNS Server 1 IP address** or **DNS Server 2 IP address** , specify the IP addresses, and add the VPC DNS server IP address.
@@ -61 +83 @@ Verify that the DNS servers can be reached by clients.
-  10. (Optional) By default, the Client VPN endpoint uses the `UDP` transport protocol. To use the `TCP` transport protocol instead, for **Transport Protocol** , select **TCP**.
+  12. (Optional) By default, the Client VPN endpoint uses the `UDP` transport protocol. To use the `TCP` transport protocol instead, for **Transport Protocol** , select **TCP**.
@@ -67 +89 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  11. (Optional) To have the endpoint be a split-tunnel Client VPN endpoint, turn on **Enable split-tunnel**. By default, split-tunnel on a Client VPN endpoint is disabled.
+  13. (Optional) To have the endpoint be a split-tunnel Client VPN endpoint, turn on **Enable split-tunnel**. By default, split-tunnel on a Client VPN endpoint is disabled.
@@ -69 +91 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  12. (Optional) For **VPC ID** , choose the VPC to associate with the Client VPN endpoint. For **Security Group IDs** , choose one or more of the VPC's security groups to apply to the Client VPN endpoint.
+  14. (Optional) For **VPC ID** , choose the VPC to associate with the Client VPN endpoint. For **Security Group IDs** , choose one or more of the VPC's security groups to apply to the Client VPN endpoint.
@@ -71 +93 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  13. (Optional) For **VPN port** , choose the VPN port number. The default is 443.
+  15. (Optional) For **VPN port** , choose the VPN port number. The default is 443.
@@ -73 +95 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  14. (Optional) To generate a [self-service portal URL](./cvpn-self-service-portal.html) for clients, turn on **Enable self-service portal**.
+  16. (Optional) To generate a [self-service portal URL](./cvpn-self-service-portal.html) for clients, turn on **Enable self-service portal**.
@@ -75 +97 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  15. (Optional) For **Session timeout hours** , choose the desired maximum VPN session duration time in hours from the available options, or leave set to default of 24 hours.
+  17. (Optional) For **Session timeout hours** , choose the desired maximum VPN session duration time in hours from the available options, or leave set to default of 24 hours.
@@ -77 +99 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  16. (Optional) For **Disconnect on session timeout** , choose if you want to terminate the session when the maximum session time is reached. Choosing this option requires that users reconnect manually to the endpoint when the session times out; otherwise, Client VPN will automatically try to reconnect.
+  18. (Optional) For **Disconnect on session timeout** , choose if you want to terminate the session when the maximum session time is reached. Choosing this option requires that users reconnect manually to the endpoint when the session times out; otherwise, Client VPN will automatically try to reconnect.
@@ -79 +101 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  17. (Optional) Specify whether to enable client login banner text. Turn on **Enable client login banner**. For **Client login banner text** , enter the text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.
+  19. (Optional) Specify whether to enable client login banner text. Turn on **Enable client login banner**. For **Client login banner text** , enter the text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.
@@ -81 +103 @@ UDP typically offers better performance than TCP. You cannot change the transpor
-  18. Choose **Create Client VPN endpoint**.
+  20. Choose **Create Client VPN endpoint**.
@@ -102,0 +125,30 @@ Use the [create-client-vpn-endpoint](https://awscli.amazonaws.com/v2/documentati
+Example for creating an IPv4 endpoint:
+    
+    
+    aws ec2 create-client-vpn-endpoint \
+      --client-cidr-block "172.31.0.0/16" \
+      --server-certificate-arn arn:aws:acm:ap-south-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-11111EXAMPLE \
+      --authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:ap-south-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE} \
+      --connection-log-options Enabled=false
+
+Example for creating an IPv6 endpoint:
+    
+    
+    aws ec2 create-client-vpn-endpoint \
+      --endpoint-ip-address-type "ipv6" \
+      --traffic-ip-address-type "ipv6" \
+      --server-certificate-arn arn:aws:acm:ap-south-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-11111EXAMPLE \
+      --authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:ap-south-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE} \
+      --connection-log-options Enabled=false
+
+Example for creating a dual-stack endpoint:
+    
+    
+    aws ec2 create-client-vpn-endpoint \
+      --endpoint-ip-address-type "dual-stack" \
+      --traffic-ip-address-type "dual-stack" \
+      --client-cidr-block "172.31.0.0/16" \
+      --server-certificate-arn arn:aws:acm:ap-south-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-11111EXAMPLE \
+      --authentication-options Type=certificate-authentication,MutualAuthentication={ClientRootCertificateChainArn=arn:aws:acm:ap-south-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-22222EXAMPLE} \
+      --connection-log-options Enabled=false
+