AWS Amazon EC2 Client VPN Route
This page shows how to write Terraform and CloudFormation for Amazon EC2 Client VPN Route and write them securely.
aws_ec2_client_vpn_route (Terraform)
The Client VPN Route in Amazon EC2 can be configured in Terraform with the resource name aws_ec2_client_vpn_route. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ec2_client_vpn_route" "this" {
client_vpn_endpoint_id = var.client_vpn_endpoint_id
description = var.description
destination_cidr_block = var.destination_cidr_block
target_vpc_subnet_id = var.target_vpc_subnet_id
}
resource "aws_ec2_client_vpn_route" "associate_vpn_le0_sn0_route0" {
client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.associate_vpn.id
destination_cidr_block = "192.168.8.0/22"
target_vpc_subnet_id = aws_subnet.private_subnet1[0].id
}
Parameters
-
client_vpn_endpoint_idrequired - string -
descriptionoptional - string -
destination_cidr_blockrequired - string -
idoptional computed - string -
originoptional computed - string -
target_vpc_subnet_idrequired - string -
typeoptional computed - string
Explanation in Terraform Registry
Provides additional routes for AWS Client VPN endpoints. For more information on usage, please see the AWS Client VPN Administrator's Guide.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::ClientVpnRoute (CloudFormation)
The ClientVpnRoute in EC2 can be configured in CloudFormation with the resource name AWS::EC2::ClientVpnRoute. The following sections describe 9 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EC2::ClientVpnRoute
Properties:
ClientVpnEndpointId: !Ref ClientVPN
DestinationCidrBlock: 0.0.0.0/0
TargetVpcSubnetId: !Select [ 0, !Ref PrivateSubnetIds ]
Type: AWS::EC2::ClientVpnRoute
Properties:
ClientVpnEndpointId:
Ref: ClientVPNEndpoint
Description: Route for private subnet AZ A
DestinationCidrBlock: 0.0.0.0/0
Type: AWS::EC2::ClientVpnRoute
Properties:
ClientVpnEndpointId: !Ref ClientVpnEndpoint
DestinationCidrBlock: !Ref NewVpcCIDR
TargetVpcSubnetId: !Ref ClientVpnTargetNetworkSubnet1
Type: "AWS::EC2::ClientVpnRoute"
Properties:
# create-clientvpn-cfn.ymlで作成したエンドポイントに対してルートテーブルを追加
ClientVpnEndpointId: !ImportValue "ClientVpnEndpoint"
# 対象のサブネットを指定
TargetVpcSubnetId:
Type: AWS::EC2::ClientVpnRoute
Condition: RoutePeered
DependsOn: ClientVPNAssociation
Properties:
ClientVpnEndpointId: !Ref ClientVPN
Description: Route to peered VPC
"AWS::EC2::ClientVpnRoute": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnroute.html",
"Properties": {
"ClientVpnEndpointId": {
"Required": true,
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnroute.html#cfn-ec2-clientvpnroute-clientvpnendpointid",
"Type": "AWS::EC2::ClientVpnRoute",
"Properties": {
"ClientVpnEndpointId": {
"Ref": "ClientVpnclientVpnEndpoint53D29AAC"
},
"DestinationCidrBlock": {
"resourceType": "AWS::EC2::ClientVpnRoute",
"filePath": "icons/aws/Resource/Res_Networking-and-Content-Delivery/Res_48_Dark/Res_Amazon-Route-53_Route-Table_48_Dark_gen.png"
},
{
"resourceType": "AWS::EC2::PlacementGroup",
"filePath": null
"AWS::EC2::ClientVpnRoute": {
"Type": "AWS::EC2::ClientVpnRoute",
"Properties": {}
},
"AWS::ApiGateway::DocumentationVersion": {
"Type": "AWS::ApiGateway::DocumentationVersion",
Parameters
-
ClientVpnEndpointIdrequired - String -
TargetVpcSubnetIdrequired - String -
Descriptionoptional - String -
DestinationCidrBlockrequired - String
Explanation in CloudFormation Registry
Specifies a network route to add to a Client VPN endpoint. Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks.
A target network association must be created before you can specify a route. If you're setting up all the components of a Client VPN endpoint at the same time, you must use the DependsOn Attribute to declare a dependency on the
AWS::EC2::ClientVpnTargetNetworkAssociationresource.
Frequently asked questions
What is AWS Amazon EC2 Client VPN Route?
AWS Amazon EC2 Client VPN Route is a resource for Amazon EC2 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Client VPN Route?
For Terraform, the niveklabs/aws and epieye/winslet source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the webscale-oy-open-source/client-vpn-templates, bayustira/TemplateCloudFormationYAML and VerticalRelevance/aws-client-vpn-factory source code examples are useful. See the CloudFormation Example section for further details.
