AWS Security ChangesHomeSearch

AWS vpn documentation change

Service: vpn · 2026-04-22 · Documentation low

File: vpn/latest/clientvpn-admin/cvpn-getting-started.md

Summary

Added a new initial step 'Choose your endpoint type' to the getting started guide, introducing two endpoint types (VPC subnet association and Transit Gateway association). All subsequent steps were renumbered accordingly, and references to step numbers were updated throughout the document.

Security assessment

The change is a documentation restructuring that adds a new step for endpoint type selection. There is no mention of security vulnerabilities, patches, or incidents. The update is purely procedural, guiding users on choosing between single-VPC and multi-VPC/hybrid network scenarios. No security features are added or modified; the change only reorders existing steps and updates references.

Diff

diff --git a/vpn/latest/clientvpn-admin/cvpn-getting-started.md b/vpn/latest/clientvpn-admin/cvpn-getting-started.md
index e7c0855b7..7965767b8 100644
--- a//vpn/latest/clientvpn-admin/cvpn-getting-started.md
+++ b//vpn/latest/clientvpn-admin/cvpn-getting-started.md
@@ -7 +7 @@
-PrerequisitesStep 1: Generate server and client certificates and keysStep 2: Create a Client VPN endpointStep 3: Associate a target networkStep 4: Add an authorization rule for the VPCStep 5: Provide access to the internetStep 6: Verify security group requirementsStep 7: Download the Client VPN endpoint configuration fileStep 8: Connect to the Client VPN endpoint
+PrerequisitesStep 1: Choose your endpoint typeStep 2: Generate server and client certificates and keysStep 3: Create a Client VPN endpointStep 4: Associate a target networkStep 5: Add an authorization rule for the VPCStep 6: Provide access to the internetStep 7: Verify security group requirementsStep 8: Download the Client VPN endpoint configuration fileStep 9: Connect to the Client VPN endpoint
@@ -30 +30 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 1: Generate server and client certificates and keys
+  * Step 1: Choose your endpoint type
@@ -32 +32 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 2: Create a Client VPN endpoint
+  * Step 2: Generate server and client certificates and keys
@@ -34 +34 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 3: Associate a target network
+  * Step 3: Create a Client VPN endpoint
@@ -36 +36 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 4: Add an authorization rule for the VPC
+  * Step 4: Associate a target network
@@ -38 +38 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 5: Provide access to the internet
+  * Step 5: Add an authorization rule for the VPC
@@ -40 +40 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 6: Verify security group requirements
+  * Step 6: Provide access to the internet
@@ -42 +42 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 7: Download the Client VPN endpoint configuration file
+  * Step 7: Verify security group requirements
@@ -44 +44,3 @@ The following diagram represents the configuration of your VPC and Client VPN en
-  * Step 8: Connect to the Client VPN endpoint
+  * Step 8: Download the Client VPN endpoint configuration file
+
+  * Step 9: Connect to the Client VPN endpoint
@@ -62 +64,5 @@ Before you begin this getting started tutorial, make sure that you have the foll
-## Step 1: Generate server and client certificates and keys
+## Step 1: Choose your endpoint type
+
+Client VPN supports two endpoint types: VPC subnet association for single-VPC access, and Transit Gateway association for multi-VPC and hybrid network scenarios. This tutorial covers VPC-associated endpoints. For Transit Gateway endpoints, see [Transit Gateway integration with Client VPN](./cvpn-tgw.html).
+
+## Step 2: Generate server and client certificates and keys
@@ -72 +78 @@ The server certificate must be provisioned with or imported into AWS Certificate
-## Step 2: Create a Client VPN endpoint
+## Step 3: Create a Client VPN endpoint
@@ -90 +96 @@ The address range cannot overlap with the target network address range, the VPC
-  5. For **Server certificate ARN** , select the ARN of the server certificate that you generated in Step 1.
+  5. For **Server certificate ARN** , select the ARN of the server certificate that you generated in Step 2.
@@ -111 +117 @@ For more information about the options that you can specify for a Client VPN end
-## Step 3: Associate a target network
+## Step 4: Associate a target network
@@ -145 +151 @@ When you associate the first subnet with the Client VPN endpoint, the following
-## Step 4: Add an authorization rule for the VPC
+## Step 5: Add an authorization rule for the VPC
@@ -168 +174 @@ For clients to access the VPC, there needs to be a route to the VPC in the Clien
-## Step 5: Provide access to the internet
+## Step 6: Provide access to the internet
@@ -195 +201 @@ For this tutorial, we want to grant all users access to the internet and also to
-## Step 6: Verify security group requirements
+## Step 7: Verify security group requirements
@@ -197 +203 @@ For this tutorial, we want to grant all users access to the internet and also to
-In this tutorial, no security groups were specified during the creation of the Client VPN endpoint in Step 2. That means that the default security group for the VPC is automatically applied to the Client VPN endpoint when a target network is associated. As a result, the default security group for the VPC should now be associated with the Client VPN endpoint.
+In this tutorial, no security groups were specified during the creation of the Client VPN endpoint in Step 3. That means that the default security group for the VPC is automatically applied to the Client VPN endpoint when a target network is associated. As a result, the default security group for the VPC should now be associated with the Client VPN endpoint.
@@ -210 +216 @@ For more information, see [Security groups](./client-authorization.html#security
-## Step 7: Download the Client VPN endpoint configuration file
+## Step 8: Download the Client VPN endpoint configuration file
@@ -222 +228 @@ The next step is to download and prepare the Client VPN endpoint configuration f
-  4. Locate the client certificate and key that were generated in Step 1. The client certificate and key can be found in the following locations in the cloned OpenVPN easy-rsa repo: 
+  4. Locate the client certificate and key that were generated in Step 2. The client certificate and key can be found in the following locations in the cloned OpenVPN easy-rsa repo: 
@@ -247 +253 @@ For more information about the Client VPN endpoint configuration file, see [AWS
-## Step 8: Connect to the Client VPN endpoint
+## Step 9: Connect to the Client VPN endpoint