Setting up AWS SSO and AWS Client VPN

AWS Client VPN  is a simple solution that allows users to connect from anywhere to their AWS environments. Single sign-on (SSO) is used widely across organizations to authenticate and authorize their users’ access to enterprise applications and IT services from a single identity provider (IdP). In this article, I’ll share you the process of configuring AWS Client VPN with AWS SSO to both authenticate users and authorize them to use one or more segments of the network using authorization to specific network subnets.

Deploy and Configure AWS SSO

Under the admin account go to AWS SSO service and create two groups:

  • vpn-stage
  • vpn-prod

create a two SSO application called VPN:

  • Add a custom SAML 2.0 application
  • Download AWS SSO SAML metadata file, we will use it a bit later
  • Set session duration: 12 hours
  • Application ACS URL:
  • Application SAML audience: urn:amazon:webservices:clientvpn

Add another application called VPN Self-Service with the same settings, except:

Add attribute mapping for these apps:

  • Subjectuser:subjectemailAddress
  • memberOf${user:groups}unspecified

Assign the groups to these apps.

Create an IAM Identity provider

The IAM identity provider bridges the gap between your identity provider, which in this case is AWS SSO, and IAM which helps you assign the appropriate IAM permissions to users.

  1. Navigate to the IAM page in the AWS console, and click in the left navigation column for “Identity providers”.
  2. Click the blue “Add provider”.
  3. Select “SAML” for the Provider type, and give the provider a name.
  4. Upload the metadata file you downloaded previously when creating the SSO Application

Configure AWS Client VPN

You will need the ARN of the certificate that should already be provisioned in ACM. You will also need to select a CIDR range that is between /12 and /22 that can be used to assign IP addresses to VPN clients.

  1. Click the blue “Create Client VPN Endpoint”
  2. Optional – Name Tag: AWS Client VPN
  3. Optional – Description: Something useful that describes your VPN Client Endpoint
  4. Client IPv4 CIDR: xx.xx.xx.xx/22
  5. Server certificate ARN : Select your ACM Certificate from the dropdown
  6. Authentication Options: Select Use User-based authentication
  7. Select Federated authentication
  8. SAML provider ARN: use the IAM ARN created earlier
  9. Do you want to log the details on client connections?: No
  10. Do you want to enable Client Connect Handler?: No
  11. DNS Server 1 IP address:
  12. DNS Server 1 IP address:
  13. Transport Protocol: UDP
  14. Enable split-tunnel: Check
  15. Enable self-service portal: Check
  16. VPC ID: use your VPC identifier
  17. Security Group IDs: Select the security groups you want to associate with your VPN endpoint
  18. VPN Port: 443

Associating the VPN Endpoint with your VPC

  1. On the VPC Console, click the “Client VPN Endpoints” link, and select your Client VPN Endpoint
  2. Select the Client VPN Endpoint for which you want to create the association
  3. Select the “Associations” tab in the lower window
  4. Click the “Associate” button
  5. Select the VPC for which you are creating the association
  6. Select the subnet you want to associate.
  7. Click the “Associate” button. (This may take 2-5 minutes to show Available/Associated)

creating authorizations

  1. Navigate to the Client VPN console page, and select the “Authorization” tab.
  2. Click the “Authorize Ingress” button
  3. Destination network to enable: xx.xx.xx.xx/24  (CIDR notation for the subnet you are creating an authorization rule)
  4. Grant access to: select Allow access to users in a specific access group
  5. Access group ID*:guid for the group ID obtained from the AWS SSO Console
  6. Description: DBA Access to database subnets
  7. Click the “Add authorization rule”

for peering

  1. Add a route to direct traffic to the peered VPC. for Route destination, enter IPv4 CIDR range of the peered VPC, and for Target VPC Subnet ID, select the subnet you associated with the Client VPN endpoint.
  2. Add an authorization rule to give clients access to peered VPC.  for Destination network, enter IPv4 CIDR range of the peered VPC.

VPN Client Setup

  1. Click File > Manage Profiles
  2. Click the “Add Profile” button
  3. Provide a name for your VPN Connection and select the configuration file you downloaded.
  4. Click “Add Profile”
  • connected to VPN


  1. Once the user connects to the VPN will redirected to a URL
  2. you will see a message “Authentication details received, processing details. You may close this window at any time.”.
  3. The user connected to the VPN.
  4. We have a dedicated subnet attach to a client vpn, all traffic to aws flows through that.
  5. To access the resource in different vpc, we create a peering and add route to client vpn endpoint

Now we able to establish a secure connect between your local machine and aws resources.

View Comments