Class: AWSCDK::EC2::ClientVpnEndpointOptions

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
ec2/client_vpn_endpoint_options.rb

Overview

Options for a client VPN endpoint.

Direct Known Subclasses

ClientVpnEndpointProps

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(cidr:, server_certificate_arn:, authorize_all_users_to_vpc_cidr: nil, client_certificate_arn: nil, client_connection_handler: nil, client_login_banner: nil, client_route_enforcement_options: nil, description: nil, disconnect_on_session_timeout: nil, dns_servers: nil, logging: nil, log_group: nil, log_stream: nil, port: nil, security_groups: nil, self_service_portal: nil, session_timeout: nil, split_tunnel: nil, transport_protocol: nil, user_based_authentication: nil, vpc_subnets: nil) ⇒ ClientVpnEndpointOptions

Returns a new instance of ClientVpnEndpointOptions.

Parameters:

  • cidr (String)

    The IPv4 address range, in CIDR notation, from which to assign client IP addresses.

  • server_certificate_arn (String)

    The ARN of the server certificate.

  • authorize_all_users_to_vpc_cidr (Boolean, nil) (defaults to: nil)

    Whether to authorize all users to the VPC CIDR.

  • client_certificate_arn (String, nil) (defaults to: nil)

    The ARN of the client certificate for mutual authentication.

  • client_connection_handler (AWSCDK::EC2::IClientVpnConnectionHandler, nil) (defaults to: nil)

    The AWS Lambda function used for connection authorization.

  • client_login_banner (String, nil) (defaults to: nil)

    Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.

  • client_route_enforcement_options (AWSCDK::EC2::ClientRouteEnforcementOptions, nil) (defaults to: nil)

    Options for Client Route Enforcement.

  • description (String, nil) (defaults to: nil)

    A brief description of the Client VPN endpoint.

  • disconnect_on_session_timeout (Boolean, nil) (defaults to: nil)

    Indicates whether the client VPN session is disconnected after the maximum sessionTimeout is reached.

  • dns_servers (Array<String>, nil) (defaults to: nil)

    Information about the DNS servers to be used for DNS resolution.

  • logging (Boolean, nil) (defaults to: nil)

    Whether to enable connections logging.

  • log_group (AWSCDK::Interfaces::AWSLogs::ILogGroupRef, nil) (defaults to: nil)

    A CloudWatch Logs log group for connection logging.

  • log_stream (AWSCDK::Interfaces::AWSLogs::ILogStreamRef, nil) (defaults to: nil)

    A CloudWatch Logs log stream for connection logging.

  • port (AWSCDK::EC2::VpnPort, nil) (defaults to: nil)

    The port number to assign to the Client VPN endpoint for TCP and UDP traffic.

  • security_groups (Array<AWSCDK::EC2::ISecurityGroup>, nil) (defaults to: nil)

    The security groups to apply to the target network.

  • self_service_portal (Boolean, nil) (defaults to: nil)

    Specify whether to enable the self-service portal for the Client VPN endpoint.

  • session_timeout (AWSCDK::EC2::ClientVpnSessionTimeout, nil) (defaults to: nil)

    The maximum VPN session duration time.

  • split_tunnel (Boolean, nil) (defaults to: nil)

    Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.

  • transport_protocol (AWSCDK::EC2::TransportProtocol, nil) (defaults to: nil)

    The transport protocol to be used by the VPN session.

  • user_based_authentication (AWSCDK::EC2::ClientVpnUserBasedAuthentication, nil) (defaults to: nil)

    The type of user-based authentication to use.

  • vpc_subnets (AWSCDK::EC2::SubnetSelection, nil) (defaults to: nil)

    Subnets to associate to the client VPN endpoint.



28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'ec2/client_vpn_endpoint_options.rb', line 28

def initialize(cidr:, server_certificate_arn:, authorize_all_users_to_vpc_cidr: nil, client_certificate_arn: nil, client_connection_handler: nil, client_login_banner: nil, client_route_enforcement_options: nil, description: nil, disconnect_on_session_timeout: nil, dns_servers: nil, logging: nil, log_group: nil, log_stream: nil, port: nil, security_groups: nil, self_service_portal: nil, session_timeout: nil, split_tunnel: nil, transport_protocol: nil, user_based_authentication: nil, vpc_subnets: nil)
  @cidr = cidr
  Jsii::Type.check_type(@cidr, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "cidr")
  @server_certificate_arn = server_certificate_arn
  Jsii::Type.check_type(@server_certificate_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "serverCertificateArn")
  @authorize_all_users_to_vpc_cidr = authorize_all_users_to_vpc_cidr
  Jsii::Type.check_type(@authorize_all_users_to_vpc_cidr, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJib29sZWFuIn0=")), "authorizeAllUsersToVpcCidr") unless @authorize_all_users_to_vpc_cidr.nil?
  @client_certificate_arn = client_certificate_arn
  Jsii::Type.check_type(@client_certificate_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "clientCertificateArn") unless @client_certificate_arn.nil?
  @client_connection_handler = client_connection_handler
  Jsii::Type.check_type(@client_connection_handler, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWMyLklDbGllbnRWcG5Db25uZWN0aW9uSGFuZGxlciJ9")), "clientConnectionHandler") unless @client_connection_handler.nil?
  @client_login_banner = 
  Jsii::Type.check_type(@client_login_banner, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "clientLoginBanner") unless @client_login_banner.nil?
  @client_route_enforcement_options = client_route_enforcement_options.is_a?(Hash) ? ::AWSCDK::EC2::ClientRouteEnforcementOptions.new(**client_route_enforcement_options.transform_keys(&:to_sym)) : client_route_enforcement_options
  Jsii::Type.check_type(@client_route_enforcement_options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWMyLkNsaWVudFJvdXRlRW5mb3JjZW1lbnRPcHRpb25zIn0=")), "clientRouteEnforcementOptions") unless @client_route_enforcement_options.nil?
  @description = description
  Jsii::Type.check_type(@description, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "description") unless @description.nil?
  @disconnect_on_session_timeout = disconnect_on_session_timeout
  Jsii::Type.check_type(@disconnect_on_session_timeout, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJib29sZWFuIn0=")), "disconnectOnSessionTimeout") unless @disconnect_on_session_timeout.nil?
  @dns_servers = dns_servers
  Jsii::Type.check_type(@dns_servers, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "dnsServers") unless @dns_servers.nil?
  @logging = logging
  Jsii::Type.check_type(@logging, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJib29sZWFuIn0=")), "logging") unless @logging.nil?
  @log_group = log_group
  Jsii::Type.check_type(@log_group, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5pbnRlcmZhY2VzLmF3c19sb2dzLklMb2dHcm91cFJlZiJ9")), "logGroup") unless @log_group.nil?
  @log_stream = log_stream
  Jsii::Type.check_type(@log_stream, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5pbnRlcmZhY2VzLmF3c19sb2dzLklMb2dTdHJlYW1SZWYifQ==")), "logStream") unless @log_stream.nil?
  @port = port
  Jsii::Type.check_type(@port, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWMyLlZwblBvcnQifQ==")), "port") unless @port.nil?
  @security_groups = security_groups
  Jsii::Type.check_type(@security_groups, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7ImZxbiI6ImF3cy1jZGstbGliLmF3c19lYzIuSVNlY3VyaXR5R3JvdXAifSwia2luZCI6ImFycmF5In19")), "securityGroups") unless @security_groups.nil?
  @self_service_portal = self_service_portal
  Jsii::Type.check_type(@self_service_portal, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJib29sZWFuIn0=")), "selfServicePortal") unless @self_service_portal.nil?
  @session_timeout = session_timeout
  Jsii::Type.check_type(@session_timeout, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWMyLkNsaWVudFZwblNlc3Npb25UaW1lb3V0In0=")), "sessionTimeout") unless @session_timeout.nil?
  @split_tunnel = split_tunnel
  Jsii::Type.check_type(@split_tunnel, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJib29sZWFuIn0=")), "splitTunnel") unless @split_tunnel.nil?
  @transport_protocol = transport_protocol
  Jsii::Type.check_type(@transport_protocol, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWMyLlRyYW5zcG9ydFByb3RvY29sIn0=")), "transportProtocol") unless @transport_protocol.nil?
  @user_based_authentication = user_based_authentication
  Jsii::Type.check_type(@user_based_authentication, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWMyLkNsaWVudFZwblVzZXJCYXNlZEF1dGhlbnRpY2F0aW9uIn0=")), "userBasedAuthentication") unless @user_based_authentication.nil?
  @vpc_subnets = vpc_subnets.is_a?(Hash) ? ::AWSCDK::EC2::SubnetSelection.new(**vpc_subnets.transform_keys(&:to_sym)) : vpc_subnets
  Jsii::Type.check_type(@vpc_subnets, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfZWMyLlN1Ym5ldFNlbGVjdGlvbiJ9")), "vpcSubnets") unless @vpc_subnets.nil?
end

Instance Attribute Details

#authorize_all_users_to_vpc_cidrBoolean? (readonly)

Note:

Default: true

Whether to authorize all users to the VPC CIDR.

This automatically creates an authorization rule. Set this to false and use add_authorization_rule() to create your own rules instead.

Returns:

  • (Boolean, nil)


95
96
97
# File 'ec2/client_vpn_endpoint_options.rb', line 95

def authorize_all_users_to_vpc_cidr
  @authorize_all_users_to_vpc_cidr
end

#cidrString (readonly)

The IPv4 address range, in CIDR notation, from which to assign client IP addresses.

The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually.

Changing the address range will replace the Client VPN endpoint.

The CIDR block should be /22 or greater.

Returns:

  • (String)


83
84
85
# File 'ec2/client_vpn_endpoint_options.rb', line 83

def cidr
  @cidr
end

#client_certificate_arnString? (readonly)

Note:

Default: - use user-based authentication

The ARN of the client certificate for mutual authentication.

The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM).

Returns:

  • (String, nil)


103
104
105
# File 'ec2/client_vpn_endpoint_options.rb', line 103

def client_certificate_arn
  @client_certificate_arn
end

#client_connection_handlerAWSCDK::EC2::IClientVpnConnectionHandler? (readonly)

Note:

Default: - no connection handler

The AWS Lambda function used for connection authorization.

The name of the Lambda function must begin with the AWSClientVPN- prefix



110
111
112
# File 'ec2/client_vpn_endpoint_options.rb', line 110

def client_connection_handler
  @client_connection_handler
end

#client_login_bannerString? (readonly)

Note:

Default: - no banner is presented to the client

Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established.

UTF-8 encoded characters only. Maximum of 1400 characters.

Returns:

  • (String, nil)


117
118
119
# File 'ec2/client_vpn_endpoint_options.rb', line 117

def 
  @client_login_banner
end

#client_route_enforcement_optionsAWSCDK::EC2::ClientRouteEnforcementOptions? (readonly)

Note:

Default: undefined - AWS Client VPN default setting is disable client route enforcement

Options for Client Route Enforcement.

Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.



126
127
128
# File 'ec2/client_vpn_endpoint_options.rb', line 126

def client_route_enforcement_options
  @client_route_enforcement_options
end

#descriptionString? (readonly)

Note:

Default: - no description

A brief description of the Client VPN endpoint.

Returns:

  • (String, nil)


131
132
133
# File 'ec2/client_vpn_endpoint_options.rb', line 131

def description
  @description
end

#disconnect_on_session_timeoutBoolean? (readonly)

Note:

Default: undefined - AWS Client VPN default is true

Indicates whether the client VPN session is disconnected after the maximum sessionTimeout is reached.

If true, users are prompted to reconnect client VPN. If false, client VPN attempts to reconnect automatically.



140
141
142
# File 'ec2/client_vpn_endpoint_options.rb', line 140

def disconnect_on_session_timeout
  @disconnect_on_session_timeout
end

#dns_serversArray<String>? (readonly)

Note:

Default: - use the DNS address configured on the device

Information about the DNS servers to be used for DNS resolution.

A Client VPN endpoint can have up to two DNS servers.

Returns:

  • (Array<String>, nil)


147
148
149
# File 'ec2/client_vpn_endpoint_options.rb', line 147

def dns_servers
  @dns_servers
end

#log_groupAWSCDK::Interfaces::AWSLogs::ILogGroupRef? (readonly)

Note:

Default: - a new group is created

A CloudWatch Logs log group for connection logging.



157
158
159
# File 'ec2/client_vpn_endpoint_options.rb', line 157

def log_group
  @log_group
end

#log_streamAWSCDK::Interfaces::AWSLogs::ILogStreamRef? (readonly)

Note:

Default: - a new stream is created

A CloudWatch Logs log stream for connection logging.



162
163
164
# File 'ec2/client_vpn_endpoint_options.rb', line 162

def log_stream
  @log_stream
end

#loggingBoolean? (readonly)

Note:

Default: true

Whether to enable connections logging.

Returns:

  • (Boolean, nil)


152
153
154
# File 'ec2/client_vpn_endpoint_options.rb', line 152

def logging
  @logging
end

#portAWSCDK::EC2::VpnPort? (readonly)

Note:

Default: VpnPort.HTTPS

The port number to assign to the Client VPN endpoint for TCP and UDP traffic.

Returns:



167
168
169
# File 'ec2/client_vpn_endpoint_options.rb', line 167

def port
  @port
end

#security_groupsArray<AWSCDK::EC2::ISecurityGroup>? (readonly)

Note:

Default: - a new security group is created

The security groups to apply to the target network.

Returns:



172
173
174
# File 'ec2/client_vpn_endpoint_options.rb', line 172

def security_groups
  @security_groups
end

#self_service_portalBoolean? (readonly)

Note:

Default: true

Specify whether to enable the self-service portal for the Client VPN endpoint.

Returns:

  • (Boolean, nil)


177
178
179
# File 'ec2/client_vpn_endpoint_options.rb', line 177

def self_service_portal
  @self_service_portal
end

#server_certificate_arnString (readonly)

The ARN of the server certificate.

Returns:

  • (String)


87
88
89
# File 'ec2/client_vpn_endpoint_options.rb', line 87

def server_certificate_arn
  @server_certificate_arn
end

#session_timeoutAWSCDK::EC2::ClientVpnSessionTimeout? (readonly)

Note:

Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS

The maximum VPN session duration time.



182
183
184
# File 'ec2/client_vpn_endpoint_options.rb', line 182

def session_timeout
  @session_timeout
end

#split_tunnelBoolean? (readonly)

Note:

Default: false

Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.



188
189
190
# File 'ec2/client_vpn_endpoint_options.rb', line 188

def split_tunnel
  @split_tunnel
end

#transport_protocolAWSCDK::EC2::TransportProtocol? (readonly)

Note:

Default: TransportProtocol.UDP

The transport protocol to be used by the VPN session.



193
194
195
# File 'ec2/client_vpn_endpoint_options.rb', line 193

def transport_protocol
  @transport_protocol
end

#user_based_authenticationAWSCDK::EC2::ClientVpnUserBasedAuthentication? (readonly)

Note:

Default: - use mutual authentication

The type of user-based authentication to use.



199
200
201
# File 'ec2/client_vpn_endpoint_options.rb', line 199

def user_based_authentication
  @user_based_authentication
end

#vpc_subnetsAWSCDK::EC2::SubnetSelection? (readonly)

Note:

Default: - the VPC default strategy

Subnets to associate to the client VPN endpoint.



204
205
206
# File 'ec2/client_vpn_endpoint_options.rb', line 204

def vpc_subnets
  @vpc_subnets
end

Class Method Details

.jsii_propertiesObject



206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
# File 'ec2/client_vpn_endpoint_options.rb', line 206

def self.jsii_properties
  {
    :cidr => "cidr",
    :server_certificate_arn => "serverCertificateArn",
    :authorize_all_users_to_vpc_cidr => "authorizeAllUsersToVpcCidr",
    :client_certificate_arn => "clientCertificateArn",
    :client_connection_handler => "clientConnectionHandler",
    :client_login_banner => "clientLoginBanner",
    :client_route_enforcement_options => "clientRouteEnforcementOptions",
    :description => "description",
    :disconnect_on_session_timeout => "disconnectOnSessionTimeout",
    :dns_servers => "dnsServers",
    :logging => "logging",
    :log_group => "logGroup",
    :log_stream => "logStream",
    :port => "port",
    :security_groups => "securityGroups",
    :self_service_portal => "selfServicePortal",
    :session_timeout => "sessionTimeout",
    :split_tunnel => "splitTunnel",
    :transport_protocol => "transportProtocol",
    :user_based_authentication => "userBasedAuthentication",
    :vpc_subnets => "vpcSubnets",
  }
end

Instance Method Details

#to_jsiiObject



232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
# File 'ec2/client_vpn_endpoint_options.rb', line 232

def to_jsii
  result = {}
  result.merge!({
    "cidr" => @cidr,
    "serverCertificateArn" => @server_certificate_arn,
    "authorizeAllUsersToVpcCidr" => @authorize_all_users_to_vpc_cidr,
    "clientCertificateArn" => @client_certificate_arn,
    "clientConnectionHandler" => @client_connection_handler,
    "clientLoginBanner" => @client_login_banner,
    "clientRouteEnforcementOptions" => @client_route_enforcement_options,
    "description" => @description,
    "disconnectOnSessionTimeout" => @disconnect_on_session_timeout,
    "dnsServers" => @dns_servers,
    "logging" => @logging,
    "logGroup" => @log_group,
    "logStream" => @log_stream,
    "port" => @port,
    "securityGroups" => @security_groups,
    "selfServicePortal" => @self_service_portal,
    "sessionTimeout" => @session_timeout,
    "splitTunnel" => @split_tunnel,
    "transportProtocol" => @transport_protocol,
    "userBasedAuthentication" => @user_based_authentication,
    "vpcSubnets" => @vpc_subnets,
  })
  result.compact
end