Skip to main content

Decide on Client VPN Options

Context and Problem Statement

You need to remotely access resource that reside in a private VPC. Different teams or individuals need access to different resources.

Solution

Use AWS Client VPN for remote user access.

Considered Options

Each option below can be integrated with AWS SSO.

Option 1: Deploy 1 Client VPN in the Network Account

Our Recommendation is to use Option 1 for customers who do not need fine-grained network access controls. Anyone

on the VPN should have access to all network services via the Transit Gateway.

Ideal for companies where one team will require access to all accounts and there are no plans to introduce access for other teams.

Pros

  • Anyone on the VPN has access to all network services via the Transit Gateway

  • Least expensive to operate

  • No need to switch networks once connected to VPN

Cons

  • Total access to every account

Option 2: Deploy Multiple Client VPNs Depending on Network Segments in the Network Account

Ideal for companies where certain teams require segmented access to multiple accounts. We define these accounts as a segment.

Pros

  • More access control options

Cons

  • More expensive to operate

  • Deciding on how to segment the network can be a complex decision

  • Requires switching VPNs when accessing another account. This is more disruptive to developer workflows

Option 3: Deploy Client VPN(s) Directly in the Accounts Needed

This is a requirement when you know you need very granular access controls with restricting access to certain accounts.

Pros

  • Highest level of access control to each account.

Cons

  • Most expensive to operate and grows as more accounts are added

  • Requires switching VPNs when accessing another account. This is the most disruptive path to developer workflows.

References