AWS vpn documentation change
Summary
Enhanced feature descriptions including TLS encryption details, IPv6 support additions, SNAT behavior clarification for IPv6, and new sections for endpoint/traffic IP address types
Security assessment
Changes emphasize existing security features (TLS encryption, authentication methods, granular controls) but do not address specific vulnerabilities. The IPv6 SNAT clarification improves transparency about client IP visibility but doesn't fix a security flaw. New security documentation is added through expanded descriptions of encryption and access controls.
Diff
diff --git a/vpn/latest/clientvpn-admin/what-is.md b/vpn/latest/clientvpn-admin/what-is.md index 695e20253..9d0f1e10f 100644 --- a//vpn/latest/clientvpn-admin/what-is.md +++ b//vpn/latest/clientvpn-admin/what-is.md @@ -30 +30 @@ Client VPN offers the following features and functionality: - * **Secure connections** — It provides a secure TLS connection from any location using the OpenVPN client. + * **Secure connections** — Establishes encrypted TLS connections from any location through the OpenVPN client, ensuring data privacy and integrity. @@ -32 +32 @@ Client VPN offers the following features and functionality: - * **Managed service** — It is an AWS managed service, so it removes the operational burden of deploying and managing a third-party remote access VPN solution. + * **Managed service** — Eliminates the operational burden of deploying and maintaining third-party remote access VPN solutions through complete AWS management. @@ -34 +34 @@ Client VPN offers the following features and functionality: - * **High availability and elasticity** — It automatically scales to the number of users connecting to your AWS resources and on-premises resources. + * **High availability and elasticity** — Dynamically scales to accommodate varying numbers of users connecting to your AWS and on-premises resources without manual intervention. @@ -36 +36 @@ Client VPN offers the following features and functionality: - * **Authentication** — It supports client authentication using Active Directory, federated authentication, and certificate-based authentication. + * **Authentication** — Supports multiple authentication methods including Active Directory integration, federated authentication, and certificate-based authentication for flexible identity management. @@ -38 +38 @@ Client VPN offers the following features and functionality: - * **Granular control** — It enables you to implement custom security controls by defining network-based access rules. These rules can be configured at the granularity of Active Directory groups. You can also implement access control using security groups. + * **Granular control** — Implements precise security controls through network-based access rules configurable at the Active Directory group level and security group-based access control. @@ -40 +40 @@ Client VPN offers the following features and functionality: - * **Ease of use** — It enables you to access your AWS resources and on-premises resources using a single VPN tunnel. + * **Ease of use** — Provides unified access to both AWS and on-premises resources through a single VPN tunnel, simplifying the end-user experience. @@ -42 +42 @@ Client VPN offers the following features and functionality: - * **Manageability** — It enables you to view connection logs, which provide details on client connection attempts. You can also manage active client connections, with the ability to terminate active client connections. + * **Manageability** — Offers comprehensive visibility through detailed connection logs and real-time management capabilities, including the ability to monitor and terminate active client connections when necessary. @@ -44 +44,3 @@ Client VPN offers the following features and functionality: - * **Deep integration** — It integrates with existing AWS services, including AWS Directory Service and Amazon VPC. + * **Deep integration** — Seamlessly integrates with existing AWS services, including AWS Directory Service and Amazon VPC, enhancing your cloud infrastructure's connectivity capabilities. + + * **IPv6 support** — Enables full IPv6 connectivity for Client VPN endpoints, supporting connections to IPv6 resources in your VPCs and from clients on IPv6 networks for modern networking requirements. @@ -81 +83 @@ The end user connecting to the Client VPN endpoint to establish a VPN session. E -An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`. +An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. For IPv4 traffic, you choose the client CIDR range, for example, `10.2.0.0/16`. For IPv6 traffic, AWS Client VPN automatically assigns the client CIDR range. @@ -91 +93 @@ AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is -When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address. +When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface. For IPv4 traffic, source network address translation (SNAT) is applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address. For IPv6 traffic, SNAT is not applied, providing enhanced visibility into the connected user's IP address. @@ -102,0 +105,10 @@ Client VPN provides a self-service portal as a web page to end users to download +**Endpoint IP address type** + + +The IP address type for the Client VPN endpoint, which can be IPv4, IPv6, or dual-stack (both IPv4 and IPv6). + +**Traffic IP address type** + + +The IP address type for traffic flowing through the Client VPN endpoint, which can be IPv4, IPv6, or dual-stack (both IPv4 and IPv6). This determines the type of inner traffic (the actual payload or original traffic that is tunneled through the VPN connection), client CIDR ranges, subnet association, routes, and rules per endpoint. + @@ -129 +141 @@ The Client VPN HTTPS Query API gives you programmatic access to Client VPN and A -You are charged for each endpoint association and each VPN connection on an hourly basis. For more information, see [AWS Client VPN pricing](https://aws.amazon.com/vpn/pricing/#AWS_Client_VPN_pricing). +You are charged for each endpoint association and each VPN connection on an hourly basis. There is no additional cost for using IPv6 or dual-stack endpoints; they are charged at the same rate as IPv4 endpoints. For more information, see [AWS Client VPN pricing](https://aws.amazon.com/vpn/pricing/#AWS_Client_VPN_pricing).