feat(ec2): support for client route enforcement for client VPN endpoint #34405
Conversation
mazyu36
left a comment
Thank you for the contribution.
I've added a nit comment.
Co-authored-by: Yuki Matsuda <[email protected]>
@mazyu36 Thank you for your review! I've reflected your suggestions.

LGTM.
mazyu36
left a comment
Thanks!
@mazyu36 Thanks always!
kumsmrit
left a comment
Thank you for your contribution; I have added a few comments.
| Use the `connections` object of the endpoint to allow traffic to other security groups. | ||
| To enable [client route enforcement](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html), set the `clientRouteEnforcement` prop to `true`: |
Property name should be enableClientRouteEnforcement.
| * | ||
| * @default undefined - AWS Client VPN default setting is false | ||
| */ | ||
| readonly enableClientRouteEnforcement?: boolean; |
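Review bot: the `@default undefined - AWS Client VPN default setting is false` line in this docstring describes the TypeScript value rather than the resulting behaviour; consider stating what the user gets when the prop is omitted, e.g. `@default - Client Route Enforcement is not enabled (the Client VPN default)`, so the generated reference docs read naturally.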
The AWS Client VPN docs note that Client Route Enforcement only works in full-tunnel mode, and will silently have no effect if split-tunnel is enabled (see: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html). To prevent users from creating such configurations that won't work as expected, we could add a validation check:
    // Fail at synth time instead of deploying a setting the service will ignore.
    if (props.enableClientRouteEnforcement && props.splitTunnel) {
      throw new ValidationError(
        'Client Route Enforcement cannot be enabled when splitTunnel is true',
        this,
      );
    }
Thanks! I had not realized this restriction.
| * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html | ||
| * | ||
| * @default undefined - AWS Client VPN default setting is false | ||
| */ |
For future extensibility, we can consider using an interface approach instead of a direct boolean flag:
    // Mirrors the CloudFormation ClientRouteEnforcementOptions property shape.
    interface ClientRouteEnforcementOptions {
      readonly enforced: boolean;
    }

    readonly clientRouteEnforcementOptions?: ClientRouteEnforcementOptions;

This would align with the CFN structure (see: aws-properties-ec2-clientvpnendpoint-clientrouteenforcementoptions) and would be forward compatible if more properties are added to ClientRouteEnforcementOptions. Moving from a boolean flag to an interface later would be a breaking change.
Sure. I've updated my implementation to define ClientRouteEnforcementOptions.
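The two review threads above (the split-tunnel validation and the interface-shaped prop) fit together in one small piece of code. The following is an added example written for this page, not code from the aws-cdk project or from the PR: it models the `ClientRouteEnforcementOptions` interface the reviewer proposed, renders it to the CloudFormation-shaped value, and rejects the split-tunnel plus enforcement combination at synth time, which the Client VPN service would otherwise silently ignore. The prop and function names (`ClientVpnRoutingProps`, `renderClientRouteEnforcement`, `isValidRoutingConfig`) and the stand-in `ValidationError` class are assumptions chosen to resemble the discussion, not the library's actual API.

```typescript
// Added example, not aws-cdk code. Names below are assumptions modelled on the
// PR discussion; only ClientRouteEnforcementOptions/enforced mirror CloudFormation.

// Interface-shaped prop, matching the CFN ClientRouteEnforcementOptions property.
interface ClientRouteEnforcementOptions {
  /** Force all client traffic through the VPN tunnel (full-tunnel mode only). */
  readonly enforced: boolean;
}

// Subset of endpoint props relevant to this check (assumed names).
interface ClientVpnRoutingProps {
  readonly splitTunnel?: boolean;
  readonly clientRouteEnforcementOptions?: ClientRouteEnforcementOptions;
}

// Stand-in for the construct-library ValidationError used in the review comment.
class ValidationError extends Error {
  readonly scope: string;
  constructor(message: string, scope: string) {
    super(message);
    this.name = 'ValidationError';
    this.scope = scope;
  }
}

// Shape of the rendered CloudFormation property (assumed name).
interface CfnClientRouteEnforcementOptions {
  enforced: boolean;
}

// Validates the props and returns the CloudFormation-shaped value, or undefined
// when the user did not set the prop (the service default is "not enforced").
function renderClientRouteEnforcement(
  props: ClientVpnRoutingProps,
  scope: string = 'ClientVpnEndpoint',
): CfnClientRouteEnforcementOptions | undefined {
  const opts = props.clientRouteEnforcementOptions;
  if (opts === undefined) {
    return undefined;
  }
  // Client Route Enforcement only works in full-tunnel mode. With split tunnel
  // enabled the service ignores it, so fail fast at synth time instead of
  // deploying an endpoint whose clients are not actually forced onto the VPN.
  if (opts.enforced && props.splitTunnel) {
    throw new ValidationError(
      'Client Route Enforcement cannot be enabled when splitTunnel is true',
      scope,
    );
  }
  return { enforced: opts.enforced };
}

// Convenience wrapper: true when the routing configuration passes validation.
function isValidRoutingConfig(props: ClientVpnRoutingProps): boolean {
  try {
    renderClientRouteEnforcement(props);
    return true;
  } catch (e) {
    if (e instanceof ValidationError) {
      return false;
    }
    throw e;
  }
}

// Usage: full tunnel with enforcement is accepted, split tunnel with it is not.
console.log(isValidRoutingConfig({ splitTunnel: false, clientRouteEnforcementOptions: { enforced: true } }));
console.log(isValidRoutingConfig({ splitTunnel: true, clientRouteEnforcementOptions: { enforced: true } }));
```

Note that `enforced: false` together with `splitTunnel: true` is left valid: the user has not asked for enforcement, so there is nothing for the service to ignore, and the check only fires on the combination the docs say does not work.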
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Issue # (if applicable)
None
Reason for this change
CloudFormation supports configuring the client route enforcement feature for client VPN endpoints.
Description of changes
Add `enableClientRouteEnforcement` prop to `ClientVpnEndpointProps`.
Describe any new or updated permissions being added
None
Description of how you validated changes
Add both unit and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license