import type { Construct, IDependable } from 'constructs';
import type { ClientVpnAuthorizationRuleOptions } from './client-vpn-authorization-rule';
import { ClientVpnAuthorizationRule } from './client-vpn-authorization-rule';
import type { IClientVpnConnectionHandler, IClientVpnEndpoint, TransportProtocol, VpnPort } from './client-vpn-endpoint-types';
import type { ClientVpnRouteOptions } from './client-vpn-route';
import { ClientVpnRoute } from './client-vpn-route';
import { Connections } from './connections';
import type { ClientVpnEndpointReference } from './ec2.generated';
import type { ISecurityGroup } from './security-group';
import type { IVpc, SubnetSelection } from './vpc';
import type { ISAMLProviderRef } from '../../aws-iam';
import * as logs from '../../aws-logs';
import { Resource } from '../../core';
import type { ILogStreamRef } from '../../interfaces/generated/aws-logs-interfaces.generated';
/**
 * Options for Client Route Enforcement (CRE).
 *
 * Passed to the endpoint via `ClientVpnEndpointOptions.clientRouteEnforcementOptions`.
 * Leaving that property undefined lets AWS apply its own default (CRE disabled).
 */
export interface ClientRouteEnforcementOptions {
    /**
     * Enable or disable Client Route Enforcement.
     * The state can either be true (enabled) or false (disabled).
     *
     * When enabled, the routes defined on the endpoint are enforced on the
     * connected device so that client traffic is not inadvertently sent
     * outside the VPN tunnel. This is mainly relevant when split-tunnel is
     * enabled, since otherwise all client traffic already traverses the tunnel.
     */
    readonly enforced: boolean;
}
/**
 * Options for a client VPN endpoint.
 *
 * Several defaults below are convenience-oriented rather than least-privilege
 * (connection logging on, self-service portal on, all users authorized to the
 * full VPC CIDR, 24 hour sessions); review them for production endpoints.
 */
export interface ClientVpnEndpointOptions {
    /**
     * The IPv4 address range, in CIDR notation, from which to assign client IP
     * addresses. The address range cannot overlap with the local CIDR of the VPC
     * in which the associated subnet is located, or the routes that you add manually.
     *
     * Changing the address range will replace the Client VPN endpoint.
     *
     * The CIDR block should be /22 or greater.
     *
     * NOTE(review): overlap with the VPC CIDR or manual routes is not checked
     * by the type; whether the constructor validates it is not visible here.
     */
    readonly cidr: string;
    /**
     * The ARN of the client certificate for mutual authentication.
     *
     * The certificate must be signed by a certificate authority (CA) and it must
     * be provisioned in AWS Certificate Manager (ACM).
     *
     * The defaults of this property and `userBasedAuthentication` reference each
     * other, so presumably at least one of the two must be supplied — confirm
     * against the constructor's validation.
     *
     * @default - use user-based authentication
     */
    readonly clientCertificateArn?: string;
    /**
     * The type of user-based authentication to use.
     *
     * Build the value with `ClientVpnUserBasedAuthentication.activeDirectory()`
     * or `ClientVpnUserBasedAuthentication.federated()`.
     *
     * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
     *
     * @default - use mutual authentication
     */
    readonly userBasedAuthentication?: ClientVpnUserBasedAuthentication;
    /**
     * Whether to enable connections logging
     *
     * Connection logs are the audit trail of who connected, from where and
     * when; disabling this removes that trail. Keep it enabled unless the
     * same information is captured elsewhere.
     *
     * @default true
     */
    readonly logging?: boolean;
    /**
     * A CloudWatch Logs log group for connection logging
     *
     * Presumably only consulted when `logging` is true — confirm in the constructor.
     *
     * @default - a new group is created
     */
    readonly logGroup?: logs.ILogGroupRef;
    /**
     * A CloudWatch Logs log stream for connection logging
     *
     * Presumably only consulted when `logging` is true — confirm in the constructor.
     *
     * @default - a new stream is created
     */
    readonly logStream?: ILogStreamRef;
    /**
     * The AWS Lambda function used for connection authorization
     *
     * The name of the Lambda function must begin with the `AWSClientVPN-` prefix
     * (an AWS requirement; whether this construct checks the prefix is not
     * visible here).
     *
     * @default - no connection handler
     */
    readonly clientConnectionHandler?: IClientVpnConnectionHandler;
    /**
     * A brief description of the Client VPN endpoint.
     *
     * @default - no description
     */
    readonly description?: string;
    /**
     * The security groups to apply to the target network.
     *
     * These groups govern what the VPN clients can reach inside the VPC once
     * connected; they are also what `ClientVpnEndpoint.connections` operates on.
     *
     * @default - a new security group is created
     */
    readonly securityGroups?: ISecurityGroup[];
    /**
     * Specify whether to enable the self-service portal for the Client VPN endpoint.
     *
     * NOTE(review): the portal is an additional user-facing surface; set this to
     * false when users do not need it.
     *
     * @default true
     */
    readonly selfServicePortal?: boolean;
    /**
     * The ARN of the server certificate
     *
     * Required: clients validate the endpoint against this certificate.
     */
    readonly serverCertificateArn: string;
    /**
     * Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
     *
     * With the default (false) all client traffic is sent through the tunnel.
     * When enabled, only traffic for the endpoint's routes is tunnelled; pair
     * it with `clientRouteEnforcementOptions` if traffic leaking outside the
     * tunnel is a concern.
     *
     * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html
     *
     * @default false
     */
    readonly splitTunnel?: boolean;
    /**
     * The transport protocol to be used by the VPN session.
     *
     * @default TransportProtocol.UDP
     */
    readonly transportProtocol?: TransportProtocol;
    /**
     * The port number to assign to the Client VPN endpoint for TCP and UDP
     * traffic.
     *
     * @default VpnPort.HTTPS
     */
    readonly port?: VpnPort;
    /**
     * Information about the DNS servers to be used for DNS resolution.
     *
     * A Client VPN endpoint can have up to two DNS servers.
     *
     * @default - use the DNS address configured on the device
     */
    readonly dnsServers?: string[];
    /**
     * Subnets to associate to the client VPN endpoint.
     *
     * @default - the VPC default strategy
     */
    readonly vpcSubnets?: SubnetSelection;
    /**
     * Whether to authorize all users to the VPC CIDR
     *
     * This automatically creates an authorization rule. Set this to `false` and
     * use `addAuthorizationRule()` to create your own rules instead.
     *
     * Least privilege: the default grants every authenticated user access to
     * the entire VPC CIDR. Prefer `false` plus narrowly scoped rules for
     * anything beyond a trivial deployment.
     *
     * @default true
     */
    readonly authorizeAllUsersToVpcCidr?: boolean;
    /**
     * The maximum VPN session duration time.
     *
     * A shorter value bounds how long a stolen or abandoned session stays usable.
     *
     * @default ClientVpnSessionTimeout.TWENTY_FOUR_HOURS
     */
    readonly sessionTimeout?: ClientVpnSessionTimeout;
    /**
     * Indicates whether the client VPN session is disconnected after the maximum `sessionTimeout` is reached.
     *
     * If `true`, users are prompted to reconnect client VPN.
     * If `false`, client VPN attempts to reconnect automatically.
     *
     * @default undefined - AWS Client VPN default is true
     * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-max-duration.html
     */
    readonly disconnectOnSessionTimeout?: boolean;
    /**
     * Customizable text that will be displayed in a banner on AWS provided clients
     * when a VPN session is established.
     *
     * UTF-8 encoded characters only. Maximum of 1400 characters.
     *
     * @default - no banner is presented to the client
     */
    readonly clientLoginBanner?: string;
    /**
     * Options for Client Route Enforcement.
     *
     * Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN.
     * This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
     *
     * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html
     *
     * @default undefined - AWS Client VPN default setting is disable client route enforcement
     */
    readonly clientRouteEnforcementOptions?: ClientRouteEnforcementOptions;
}
/**
 * Maximum VPN session duration time.
 *
 * Numeric enum whose value is the duration in hours; only the four values
 * listed here are accepted. Used for `ClientVpnEndpointOptions.sessionTimeout`.
 */
export declare enum ClientVpnSessionTimeout {
    /** 8 hours */
    EIGHT_HOURS = 8,
    /** 10 hours */
    TEN_HOURS = 10,
    /** 12 hours */
    TWELVE_HOURS = 12,
    /** 24 hours (the endpoint default) */
    TWENTY_FOUR_HOURS = 24
}
/**
 * User-based authentication for a client VPN endpoint.
 *
 * Instances are obtained from the static factories below and passed as
 * `ClientVpnEndpointOptions.userBasedAuthentication`.
 */
export declare abstract class ClientVpnUserBasedAuthentication {
    /**
     * Active Directory authentication
     *
     * @param directoryId the ID of the AWS Directory Service directory that
     *   authenticates users
     */
    static activeDirectory(directoryId: string): ClientVpnUserBasedAuthentication;
    /**
     * Federated authentication
     *
     * @param samlProvider the IAM SAML provider used to authenticate VPN users
     * @param selfServiceSamlProvider optional separate SAML provider for the
     *   self-service portal; presumably `samlProvider` is reused when omitted — confirm
     */
    static federated(samlProvider: ISAMLProviderRef, selfServiceSamlProvider?: ISAMLProviderRef): ClientVpnUserBasedAuthentication;
    /**
     * Renders the user based authentication
     *
     * Returns the raw property shape consumed by the endpoint resource; the
     * `any` return type is inherited from the rendering contract, so callers
     * should treat the result as opaque.
     */
    abstract render(): any;
}
/**
 * Properties for a client VPN endpoint.
 *
 * Everything from `ClientVpnEndpointOptions` plus the VPC the endpoint
 * attaches to.
 */
export interface ClientVpnEndpointProps extends ClientVpnEndpointOptions {
    /**
     * The VPC to connect to.
     *
     * Subnets are chosen from it via `vpcSubnets`, and its CIDR is what
     * `authorizeAllUsersToVpcCidr` authorizes.
     */
    readonly vpc: IVpc;
}
/**
 * Attributes when importing an existing client VPN endpoint.
 *
 * Used by `ClientVpnEndpoint.fromEndpointAttributes()`.
 */
export interface ClientVpnEndpointAttributes {
    /**
     * The endpoint ID
     */
    readonly endpointId: string;
    /**
     * The security groups associated with the endpoint
     *
     * Required rather than optional: an imported endpoint cannot look these up,
     * and they are presumably what backs the imported object's `connections`,
     * so pass the groups actually attached to the endpoint.
     */
    readonly securityGroups: ISecurityGroup[];
}
/**
 * A client VPN connection.
 *
 * Creates an AWS Client VPN endpoint in a VPC together with its target
 * network associations, and exposes helpers for adding authorization rules
 * and routes scoped to this endpoint.
 */
export declare class ClientVpnEndpoint extends Resource implements IClientVpnEndpoint {
    /**
     * Uniquely identifies this class.
     */
    static readonly PROPERTY_INJECTION_ID: string;
    /**
     * Import an existing client VPN endpoint
     *
     * The returned object is an `IClientVpnEndpoint`, not this class, so
     * `addAuthorizationRule()` / `addRoute()` are not available on it.
     */
    static fromEndpointAttributes(scope: Construct, id: string, attrs: ClientVpnEndpointAttributes): IClientVpnEndpoint;
    /** The ID of the Client VPN endpoint. */
    readonly endpointId: string;
    /**
     * Allows specifying security group connections for the endpoint.
     *
     * Rules added here shape what connected clients can reach in the VPC;
     * keep them as narrow as the authorization rules.
     */
    readonly connections: Connections;
    /**
     * Dependable that resolves once the endpoint's target networks are
     * associated. Depend on it for resources that must not be created
     * before the endpoint is attached to its subnets.
     */
    readonly targetNetworksAssociated: IDependable;
    /** Backing store for `targetNetworksAssociated`. */
    private readonly _targetNetworksAssociated;
    /**
     * @param scope the parent construct
     * @param id the construct ID
     * @param props endpoint configuration, including the VPC to attach to
     */
    constructor(scope: Construct, id: string, props: ClientVpnEndpointProps);
    /** Reference to this endpoint for use by other generated resources. */
    get clientVpnEndpointRef(): ClientVpnEndpointReference;
    /**
     * Adds an authorization rule to this endpoint
     *
     * This is the way to grant access when `authorizeAllUsersToVpcCidr` is
     * false; prefer rules scoped to specific CIDRs and groups over broad ones.
     *
     * @param id construct ID of the rule
     * @param props rule options (target CIDR, groups, ...)
     */
    addAuthorizationRule(id: string, props: ClientVpnAuthorizationRuleOptions): ClientVpnAuthorizationRule;
    /**
     * Adds a route to this endpoint
     *
     * A route alone does not grant access — a matching authorization rule is
     * still required for clients to reach the routed range.
     *
     * @param id construct ID of the route
     * @param props route options
     */
    addRoute(id: string, props: ClientVpnRouteOptions): ClientVpnRoute;
}
