AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2025-08-28 · Documentation low

File: vpn/latest/clientvpn-admin/cvpn-working-endpoint-modify.md

Summary

Added limitations section detailing immutable Client VPN endpoint configurations post-creation and IPv6 restrictions. Updated console modification steps to include dual-stack IP configuration options and IPv6 DNS support.

Security assessment

The change documents limitations related to security-sensitive configurations (certificate, authentication options) being immutable after creation, which helps users understand security constraints. However, there's no evidence of addressing a specific vulnerability. The IPv6 traffic limitation and dual-stack configuration options relate to feature capabilities rather than security fixes.

Diff

diff --git a/vpn/latest/clientvpn-admin/cvpn-working-endpoint-modify.md b/vpn/latest/clientvpn-admin/cvpn-working-endpoint-modify.md
index 41e3244c4..22950d44e 100644
--- a//vpn/latest/clientvpn-admin/cvpn-working-endpoint-modify.md
+++ b//vpn/latest/clientvpn-admin/cvpn-working-endpoint-modify.md
@@ -4,0 +5,2 @@
+LimitationsModify a Client VPN endpoint
+
@@ -9 +11,15 @@ You can modify a Client VPN endpoint by using the Amazon VPC Console or the AWS
-###### Note
+## Limitations
+
+The following limitations apply when modifying an endpoint 
+
+  * Modifications to Client VPN endpoints, including Certificate Revocation List (CRL) changes, will take effect up to 4 hours after a request is accepted by the Client VPN service.
+
+  * You cannot modify the client IPv4 CIDR range, authentication options, client certificate or transport protocol after the Client VPN endpoint has been created.
+
+  * You can modify existing IPv4 endpoints to dual-stack for both endpoint IP and traffic IP types. If you need IPv6-only for endpoint IP and traffic IP, you must create a new endpoint.
+
+  * Client VPN does not support modification of endpoint type (IPv4, IPv6, dual-stack) or traffic type (IPv4, IPv6, dual-stack) after creation.
+
+  * Modifying a Client VPN with a specific combination of endpoint type and traffic type is not supported. You cannot change to any other combination. The endpoint must be deleted and recreated with the desired configuration.
+
+  * Client-to-client communication for IPv6 traffic is not supported.
@@ -11 +26,0 @@ You can modify a Client VPN endpoint by using the Amazon VPC Console or the AWS
-Modifications to Client VPN endpoints, including Certificate Revocation List (CRL) changes, will take effect up to 4 hours after a request is accepted by the Client VPN service.
@@ -13 +27,0 @@ Modifications to Client VPN endpoints, including Certificate Revocation List (CR
-You cannot modify the client IPv4 CIDR range, authentication options, client certificate or transport protocol after the Client VPN endpoint has been created.
@@ -15 +29,6 @@ You cannot modify the client IPv4 CIDR range, authentication options, client cer
-###### To modify a Client VPN endpoint (console)
+
+## Modify a Client VPN endpoint
+
+You can modify a Client VPN endpoint using either the console or the AWS CLI. 
+
+###### To modify a Client VPN endpoint using the console
@@ -25 +44,5 @@ You cannot modify the client IPv4 CIDR range, authentication options, client cer
-  5. For **Server certificate ARN** , specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting.
+  5. For **Endpoint IP address type** , you can modify an existing IPv4 endpoint to dual-stack. This option is only available for IPv4 endpoints.
+
+  6. For **Traffic IP address type** , you can modify an existing IPv4 endpoint to dual-stack. This option is only available for IPv4 endpoints.
+
+  7. For **Server certificate ARN** , specify the ARN for the TLS certificate to be used by the server. Clients use the server certificate to authenticate the Client VPN endpoint to which they are connecting.
@@ -31 +54 @@ The server certificate must be present in AWS Certificate Manager (ACM) in the r
-  6. Specify whether to log data about client connections using Amazon CloudWatch Logs. For **Enable log details on client connections** , do one of the following:
+  8. Specify whether to log data about client connections using Amazon CloudWatch Logs. For **Enable log details on client connections** , do one of the following:
@@ -37 +60 @@ The server certificate must be present in AWS Certificate Manager (ACM) in the r
-  7. For **Client connect handler** , to activate the [client connect handler](./connection-authorization.html) turn on **Enable client connect handler**. For **Client Connect Handler ARN** , specify the Amazon Resource Name (ARN) of the Lambda function that contains the logic that allows or denies connections.
+  9. For **Client connect handler** , to activate the [client connect handler](./connection-authorization.html) turn on **Enable client connect handler**. For **Client Connect Handler ARN** , specify the Amazon Resource Name (ARN) of the Lambda function that contains the logic that allows or denies connections.
@@ -39 +62 @@ The server certificate must be present in AWS Certificate Manager (ACM) in the r
-  8. Turn on or off **Enable DNS servers**. To use custom DNS servers, for **DNS Server 1 IP address** and **DNS Server 2 IP address** , specify the IP addresses of the DNS servers to use. To use VPC DNS server, for either **DNS Server 1 IP address** or **DNS Server 2 IP address** , specify the IP addresses, and add the VPC DNS server IP address.
+  10. Turn on or off **Enable DNS servers**. To use custom DNS servers, for **DNS Server 1 IP address** and **DNS Server 2 IP address** , specify the IPv4 addresses of the DNS servers to use. For IPv6 or dual-stack endpoints, you can also specify **DNS Server IPv6 1** and **DNS Server IPv6 2** addresses. To use VPC DNS server, for either **DNS Server 1 IP address** or **DNS Server 2 IP address** , specify the IP addresses, and add the VPC DNS server IP address.
@@ -45 +68 @@ Verify that the DNS servers can be reached by clients.
-  9. Turn on or off **Enable split-tunnel**. By default, split-tunnel on a VPN endpoint is off.
+  11. Turn on or off **Enable split-tunnel**. By default, split-tunnel on a VPN endpoint is off.
@@ -47 +70 @@ Verify that the DNS servers can be reached by clients.
-  10. For **VPC ID** , choose the VPC to associate with the Client VPN endpoint. For **Security Group IDs** , choose one or more of the VPC's security groups to apply to the Client VPN endpoint.
+  12. For **VPC ID** , choose the VPC to associate with the Client VPN endpoint. For **Security Group IDs** , choose one or more of the VPC's security groups to apply to the Client VPN endpoint.
@@ -49 +72 @@ Verify that the DNS servers can be reached by clients.
-  11. For **VPN port** , choose the VPN port number. The default is 443.
+  13. For **VPN port** , choose the VPN port number. The default is 443.
@@ -51 +74 @@ Verify that the DNS servers can be reached by clients.
-  12. To generate a [self-service portal URL](./cvpn-self-service-portal.html) for clients, turn on **Enable self-service portal**.
+  14. To generate a [self-service portal URL](./cvpn-self-service-portal.html) for clients, turn on **Enable self-service portal**.
@@ -53 +76 @@ Verify that the DNS servers can be reached by clients.
-  13. For **Session timeout hours** , choose the desired maximum VPN session duration time in hours from the available options, or leave set to default of 24 hours.
+  15. For **Session timeout hours** , choose the desired maximum VPN session duration time in hours from the available options, or leave set to default of 24 hours.
@@ -55 +78 @@ Verify that the DNS servers can be reached by clients.
-  14. For **Disconnect on session timeout** , choose if you want to terminate the session when the maximum session time is reached. Choosing this option requires that users reconnect manually to the endpoint when the session times out; otherwise, Client VPN will automatically try to reconnect.
+  16. For **Disconnect on session timeout** , choose if you want to terminate the session when the maximum session time is reached. Choosing this option requires that users reconnect manually to the endpoint when the session times out; otherwise, Client VPN will automatically try to reconnect.
@@ -57 +80 @@ Verify that the DNS servers can be reached by clients.
-  15. Turn on or off **Enable client login banner**. If you want to use the client login banner, enter the text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.
+  17. Turn on or off **Enable client login banner**. If you want to use the client login banner, enter the text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.
@@ -59 +82 @@ Verify that the DNS servers can be reached by clients.
-  16. Choose **Modify Client VPN endpoint**.
+  18. Choose **Modify Client VPN endpoint**.
@@ -64 +87 @@ Verify that the DNS servers can be reached by clients.
-###### To modify a Client VPN endpoint (AWS CLI)
+###### To modify a Client VPN endpoint using the AWS CLI
@@ -67,0 +91,9 @@ Use the [modify-client-vpn-endpoint](https://awscli.amazonaws.com/v2/documentati
+Example for modifying an IPv4 endpoint to dual-stack:
+    
+    
+    aws ec2 modify-client-vpn-endpoint \
+      --client-vpn-endpoint-id cvpn-endpoint-123456789123abcde \
+      --endpoint-ip-address-type "dual-stack" \
+      --traffic-ip-address-type "dual-stack" \
+      --client-cidr-block "172.31.0.0/16"
+