AWS Client VPN using Azure IDP
0. Overview
There are three main stages of setting up an AWS client VPN.
In Azure
- Create and configure the Azure Enterprise App registration with a chosen Identifier (Entity ID) in order to retrieve the Federation Metadata XML.
In AWS
- Create a Certificate using ACM if there is not one available already
- Create an Identity Provider in IAM
- Create a Client VPN in VPC
Locally
- Install and configure the AWS VPN Client
1. Create and Configure the Azure Enterprise App
Log in to the Azure Portal at 'https://portal.azure.com', then navigate to 'Microsoft Entra ID'.
Navigate to 'Enterprise applications', then select 'New Application'.
Search for and select 'AWS ClientVPN'.
By default the Name will be 'AWS ClientVPN', but you could specify a more descriptive name if needed.
Then select 'Create'.
Once the Enterprise app is created, you will be placed in its 'Overview' page. After each of the following steps, select 'Overview' from the side-bar to return here.
Select '1. Assign users and groups', then 'Add user/group', then add any users that should have access to the VPN.
Select '2. Set up single sign on', then choose 'SAML'.
You will need to edit each of the boxes presented, but it is relatively straightforward with guidance.
Basic SAML Configuration
By default, the following identifier is auto-filled into the Identifier field 'urn:amazon:webservices:clientvpn'.
This seems to be the only valid identifier, so don't change it even though the field appears to be editable.
Select 'Add reply URL', then enter the following: 'https://127.0.0.1:35001'.
For the 'Sign on URL', just entering something like 'https://nowhere' seems to work.
Save.
Attributes & Claims
According to [1], it is necessary to add the following attributes:
| Name | Source Attribute |
|---|---|
| memberOf | user.groups |
| FirstName | user.givenname |
| LastName | user.surname |
To do so, for each attribute, select 'Add new claim', then enter the Name above in the 'Name' field, and the 'Source Attribute' above in the 'Source attribute' field, then select 'Save'.
I suspect that I am entering the 'memberOf' attribute wrong, as the 'user.groups' source attribute doesn't seem to be available...
But it is working, so...
SAML Certificates
Select Edit.
Then change the Signing Option to 'Sign SAML response and assertion'.
Then select Save.
Many hours have been lost by forgetting to change this.
Then download the 'Federation Metadata XML' - this will be uploaded into AWS later when creating the Identity Provider.
Set up {Your VPN Name}
These don't seem to be needed.
2. Create a Certificate using ACM if there is not one available already
Log in to AWS and navigate to ACM (AWS Certificate Manager).
Sorry, I won't cover this in much detail as it is fairly easy.
Just request and validate a certificate if needed.
3. Create an Identity Provider in IAM
Log in to AWS and navigate to IAM, then select 'Identity providers' from the side-bar menu.
Select 'Add Provider'.
Select 'SAML'.
Then enter a provider name.
Then select 'Choose file' and upload the 'Federation Metadata XML' file you downloaded previously.
Select 'Add Provider'.
You may get a green warning asking you to assign a role. I guess assign a role...
You will be in the Global region.
Navigate to 'VPC' and select your desired region.
Create a Client VPN in VPC
Navigate to 'VPC', then select 'Client VPN endpoints' from the side-bar menu.
In the Details section.
Enter a name.
Select a 'Client IPv4 CIDR', i.e. the IP range from which VPN users will be allocated an address.
Note, despite the drop-down suggestions, it seems you have to use '22' as the mask.
1.0.0.0/22 seems to work.
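A preflight check for the two hand-typed inputs in this guide, the 'Federation Metadata XML' uploaded to IAM in step 3 and the Client IPv4 CIDR chosen here; this is an added example, not part of the guide. It parses the metadata for the pieces IAM relies on (an entityID, a signing certificate, an SSO endpoint) and checks the CIDR against the AWS-documented /12 to /22 size range and overlap with the VPC CIDR; the metadata document is a constructed stand-in with placeholder tenant id and certificate.

```python
"""Preflight checks for the two hand-typed inputs in this guide: the Entra
'Federation Metadata XML' uploaded to IAM and the Client IPv4 CIDR. Added example, not from the guide."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed metadata in the shape Entra exports; tenant id and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_metadata(xml_text):
    """Return the problems found in an IdP metadata document; an empty list means it looks uploadable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        problems.append("missing EntityDescriptor/entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    # IAM verifies the SAML assertion signature against a signing certificate published here.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    certs = [kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) for kd in signing]
    if not any(c is not None and (c.text or "").strip() for c in certs):
        problems.append("no signing certificate in a KeyDescriptor")
    # The VPN client is sent to this endpoint; Entra then replies to https://127.0.0.1:35001.
    if idp.find("md:SingleSignOnService", NS) is None:
        problems.append("no SingleSignOnService endpoint")
    return problems

def check_client_cidr(client_cidr, vpc_cidr):
    """AWS documents the client block as /12 to /22, not overlapping the VPC CIDR or any added route."""
    problems = []
    client = ipaddress.ip_network(client_cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if not 12 <= client.prefixlen <= 22:
        problems.append(f"prefix /{client.prefixlen} is outside the allowed /12 to /22 range")
    if client.overlaps(vpc):
        problems.append(f"{client} overlaps the VPC CIDR {vpc}")
    if not client.is_private:
        problems.append(f"{client} is public address space; prefer an RFC 1918 block")
    return problems
```

Run against the guide's '1.0.0.0/22' it reports that the block is public address space: the endpoint still works, but Internet hosts in that range become unreachable through the tunnel, which an RFC 1918 block avoids.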
In the Authentication section.
Select the certificate you have chosen to use.
Select 'Use user-based authentication'.
Select 'Federated authentication'.
Select the 'SAML provider ARN' of the Identity Provider added above.
In the Other parameters - optional section.
Select 'TCP' for Transport protocol
Select your desired 'VPC ID'.
Select the 'default VPC security group'.
Select 'Create client VPN endpoint'.
Note that the State will be 'Pending-associate'.
Once created, the client VPN needs to be associated with a VPC subnet.
Select the VPN
Select 'Associate target network'
Select the desired 'VPC'.
Select the desired subnet to associate
Now might be a good time to check the subnet your EC2 instances are on...
Select 'Associate target network'
Once available, you'll need to add some authorisation rules.
To your local instances.
Select 'Add Authorisation rule'.
Specify the Destination network to enable access, i.e. usually the first three octets of your instances' private IP addresses followed by '.0/24'.
For 'Grant access to:', select 'Allow access to all users'.
Select 'Add authorization rule'.
To the Internet
First create a Route by selecting the 'Route table' tab.
Select 'Create route'.
Specify '0.0.0.0/0' as the Route destination.
Specify a subnet through which to route the traffic.
Select 'Create route'.
Then create another authorisation rule.
Select 'Add authorisation rule'.
Specify '0.0.0.0/0' as the Destination network to enable access.
For 'Grant access to:', select 'Allow access to all users'.
4. Install and configure the AWS VPN Client
Navigate to the client VPN, then select 'Download client configuration'.
Navigate to the link below [4] and download an appropriate AWS VPN client.
Once installed, select 'Manage profiles', then 'Add Profile', specify an appropriate profile name, and then select the file you downloaded above.
References
- [1] Microsoft Entra single sign-on (SSO) integration with AWS ClientVPN
  https://learn.microsoft.com/en-us/entra/identity/saas-apps/aws-clientvpn-tutorial
- [2] AWS Client VPN Administrator Guide: Client authentication (federated authentication)
  https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication
- [3] Get started with AWS Client VPN
  https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html
- [4] AWS Client VPN download
  https://aws.amazon.com/vpn/client-vpn-download/