Native attachment fixes AWS Client VPN SNAT gaps
AWS Client VPN now attaches directly to Transit Gateway, eliminating the dedicated VPC requirement that previously forced Source Network Address Translation.
This update fundamentally restructures remote access by removing the intermediate hosting VPC, allowing enterprises to preserve original client IP addresses while centralizing traffic through a single hub. With hybrid and multi-cloud strategies dominating enterprise architecture in 2026, the legacy model of managing separate endpoints per business unit has become an untenable operational bottleneck. Amazon Web Services, currently holding a 28% share of the worldwide cloud infrastructure market in Q1 2026, launched this capability on 24 Apr 2026 specifically to address the scaling limitations of the old VPC association model.
Readers will learn why the architectural difference between VPC association and the new Transit Gateway model matters for security monitoring and compliance auditing. Finally, the guide details a strategy for executing a zero-downtime migration, ensuring organizations can transition from complex, multi-step configurations to a simplified Client VPN endpoint without disrupting active remote users.
The Role of Native Transit Gateway Attachment in Modern Remote Access
AWS Client VPN Native Transit Gateway Attachment Definition
Announced on 24 Apr 2026, the native attachment allows AWS Client VPN to connect directly to AWS Transit Gateway, cutting out the intermediate hosting VPC. This shift eliminates Source NAT (SNAT). Destination systems now see original client IP addresses instead of a shared endpoint identity. Legacy models forced traffic through a dedicated VPC where Elastic Network Interfaces performed address translation, obscuring user attribution for security logs. The new model preserves end-to-end visibility without SNAT workarounds or complex routing policies. Operators gain a centralized hub topology that simplifies multi-account access and reduces latency by removing an extra network hop.
Security teams gain immediate visibility for compliance auditing because logs now map activity to specific users instead of a pooled NAT address. This capability satisfies strict attribution requirements for frameworks like SOC 2 and HIPAA without additional packet capture tools. Operators must share the gateway via AWS Resource Access Manager when deploying across accounts, adding a cross-account configuration step before establishing the attachment.
Centralized routing creates a new dependency. A misconfigured Transit Gateway route table now blocks all remote access simultaneously. Legacy VPC associations offered isolated failure domains per business unit, whereas this hub model creates a single point of policy enforcement. Enhanced visibility improves threat detection but demands rigorous change management procedures for the central hub.
VPC Association ENI Model Versus Native Transit Gateway Attachment
Legacy VPC association forces source-NAT of client traffic to a single ENI IP address before reaching the destination.
In this older model, traffic from VPN clients undergoes translation at the Elastic Network Interface, causing destination firewalls to log only the gateway address rather than individual user identities. This obscures accountability during incident response and complicates compliance auditing for regulated workloads. The new native attachment reverses this flow.
| Feature | VPC Association Model | Native TGW Attachment |
|---|---|---|
| Traffic Source | Translated to ENI IP | Preserved Client IP |
| Infrastructure | Requires Hosting VPC | Direct Hub Connection |
| Visibility | Pooled Identity | Per-User Attribution |
| Routing | Complex Peering | Centralized Hub |
Operators must share the transit gateway via AWS Resource Access Manager when deploying across account boundaries to enable this direct path. Eliminating the hosting VPC removes subnet management overhead but introduces a strict dependency on transit gateway route table propagation. Security teams gain granular threat detection capabilities previously impossible with pooled identities. Centralized control carries risk: a misconfigured transit gateway policy can now block all remote access simultaneously, whereas isolated VPC endpoints previously contained the blast radius.
Elastic Network Interface Creation in VPC Association Models
The VPC association model mandates Client VPN endpoints instantiate ENIs within specific subnets to enable traffic forwarding. This mechanical requirement forces all ingress packets through a Source NAT process before reaching the hub, effectively masking individual user identities behind a single interface address. Organizations frequently deploy isolated endpoints per business unit to achieve segmentation, yet this approach multiplies the ENI count and complicates route management across the fabric.
Traffic flow in this legacy architecture follows a rigid sequence:
- Client packets arrive at the endpoint and trigger ENI creation in the target subnet.
- The system rewrites the source IP to the ENI address, discarding original client attribution.
- Translated traffic traverses the Transit Gateway using propagated routes that lack granular user context.
- Downstream firewalls log only the shared gateway IP, preventing precise audit trails for compliance mandates.
| Attribute | VPC Association Behavior | Operational Consequence |
|---|---|---|
| Identity Visibility | Obscured by SNAT | Failed user-level accountability |
| Interface Overhead | High ENI density | Increased subnet consumption |
| Routing Logic | Static or propagated | Limited flexible path control |
| Cost Structure | Additional per-gigabyte processing fees | Escalating operational expenses |
Security teams lose the ability to correlate suspicious activity with specific remote users because logs reflect the ENI IP rather than the true source. The reliance on intermediate interfaces also introduces latency variables absent in direct attachment models. Using public subnets for these attachments can eliminate the need for NAT Gateways, yet the VPC model locks operators into complex, cost-inefficient topologies. This architectural debt persists until migration to a hub-centric design occurs.
Configuring Split-Tunnel Routes Without Automatic Propagation
Automatic route propagation from Transit Gateway to client devices remains unsupported, forcing operators to manually define split-tunnel paths on endpoints. The Client VPN endpoint pushes routes to the gateway, yet the reverse flow requires explicit configuration on the user device to prevent full-tunnel leakage. Administrators must verify that the Client VPN CIDR and Transit Gateway CIDR do not overlap with existing VPC ranges or on-premises subnets. This manual step introduces a failure mode where missing routes cause silent connectivity drops for specific internal resources.
- Identify non-overlapping CIDR blocks for the remote network.
- Manually inject these routes into the OpenVPN client configuration file.
- Validate connectivity to specific subnets without capturing internet traffic.
Security granularity clashes with deployment speed here. Operators skipping this step risk exposing corporate traffic to public internet paths when private routes fail to match.
Client VPN reserves two Transit Gateway IPs per possible Availability Zone in the region, consuming address space even if fewer zones are actively used. This mechanical allocation creates a hidden capacity cost where a single endpoint in a region with five zones permanently consumes ten IP addresses from the hub CIDR. Operators planning dense multi-tenant environments must account for this fixed overhead before assigning the Transit Gateway CIDR block. The data processing fees applied to traffic traversing the hub compound this structural inefficiency when address space is scarce. Concurrent connection capacity follows the same scaling model as VPC association, dictated by client CIDR range size and the number of Availability Zone associations. Large regions with many potential zones exacerbate the waste, as the reservation applies to all possible zones rather than only attached ones. Network architects should evaluate whether the improved flow hash algorithm justifies the IP address depletion in sparse deployments. Teams must verify available subnet capacity exceeds the theoretical maximum reservation before enabling the native attachment.
Executing a Zero-Downtime Migration to Native Transit Gateway Attachment
Prerequisite CIDR Ranges and Authentication Protocols for Native Attachment
Native attachment requires a Transit Gateway with an assigned IPv4 CIDR block before any endpoint creation proceeds. Dual-stack deployments demand an additional IPv6 CIDR block on the hub to support the automatically assigned /56 client range. Operators must select a client IPv4 netmask between /12 and /22 that avoids overlap with existing VPC or on-premises subnets. This strict non-overlap rule prevents routing ambiguity when the native attachment activates.
Identity verification relies on mutual authentication, Active Directory, or SAML-based federated protocols configured prior to association. Enabling SAML authentication requires mapping identity provider attributes to Client VPN authorization rules for granular access control. The dual-stack configuration process fails if the Transit Gateway lacks the specific IPv6 CIDR assignment, even if IPv4 settings are correct.
- Assign distinct IPv4 and IPv6 CIDR blocks to the Transit Gateway.
- Configure SAML or Active Directory connectors in the identity provider console.
- Validate that the client IPv4 range falls within the /12 to /22 limit.
- Verify no CIDR overlap exists between client pools and spoke VPCs.
Selecting a /22 client range limits concurrent sessions compared to a /12 pool, creating a tension between address conservation and scale.
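The address-planning rules in the split-tunnel section and in the prerequisites above (the /12 to /22 client netmask, no overlap between the client pool, Transit Gateway CIDR, spoke VPCs and on-premises ranges, and the two-addresses-per-Availability-Zone reservation on the hub CIDR) can all be checked before an endpoint is created. The script below is an added example, not code from the article or from AWS: every range name and value is constructed sample data, the reservation helper assumes the per-AZ rule exactly as the article states it, and `openvpn_route_lines` emits standard OpenVPN `route` directives for the manual client-configuration step the article describes.

```python
import ipaddress

# Added example, not code from the article or from AWS. All ranges below are
# constructed sample data; "onprem_dc2" is deliberately planted to overlap the
# client pool so the overlap check has something to find.
SAMPLE_RANGES = {
    "client_pool": "10.200.0.0/16",    # Client VPN IPv4 pool (must be /12 to /22)
    "tgw_cidr": "10.250.0.0/24",       # CIDR block assigned to the Transit Gateway
    "vpc_prod": "10.0.0.0/16",
    "vpc_dev": "10.1.0.0/16",
    "onprem_dc1": "192.168.0.0/16",
    "onprem_dc2": "10.200.128.0/17",   # constructed conflict with client_pool
}


def check_client_netmask(client_cidr: str) -> list[str]:
    """Return problems with the client pool: it must be an IPv4 block with a
    prefix between /12 and /22 inclusive (the limit the article states)."""
    net = ipaddress.ip_network(client_cidr, strict=True)
    if net.version != 4:
        return [f"{client_cidr}: the /12-/22 rule applies to the IPv4 client pool"]
    if not 12 <= net.prefixlen <= 22:
        return [f"{client_cidr}: prefix /{net.prefixlen} is outside /12-/22"]
    return []


def find_overlaps(named_cidrs: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of named ranges (same address family) that overlap.
    Any overlap between the client pool, the TGW CIDR, spoke VPCs or
    on-premises subnets means ambiguous routing once the attachment is live."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in named_cidrs.items()}
    names = sorted(nets)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].version == nets[b].version and nets[a].overlaps(nets[b]):
                pairs.append((a, b))
    return pairs


def reserved_tgw_addresses(azs_in_region: int) -> int:
    """Addresses one endpoint takes from the TGW CIDR: two per possible AZ in
    the region, whether or not that AZ is actually used (per the article)."""
    return 2 * azs_in_region


def tgw_cidr_headroom(tgw_cidr: str, endpoints: int, azs_in_region: int) -> int:
    """Addresses left in the TGW CIDR after the fixed reservation of every
    planned endpoint. A negative result means the block is too small."""
    net = ipaddress.ip_network(tgw_cidr, strict=True)
    return net.num_addresses - endpoints * reserved_tgw_addresses(azs_in_region)


def openvpn_route_lines(named_cidrs: dict[str, str], spoke_names: list[str]) -> list[str]:
    """OpenVPN 'route <network> <netmask>' directives for the internal ranges a
    split-tunnel client should reach; the article says these must be added to
    the client configuration by hand. IPv4 only."""
    lines = []
    for name in spoke_names:
        net = ipaddress.ip_network(named_cidrs[name], strict=False)
        if net.version == 4:
            lines.append(f"route {net.network_address} {net.netmask}")
    return lines


def preflight(named_cidrs: dict[str, str], endpoints: int, azs_in_region: int) -> dict:
    """Run all checks and return a report; 'ok' is True only when nothing fails."""
    problems = check_client_netmask(named_cidrs["client_pool"])
    overlaps = find_overlaps(named_cidrs)
    headroom = tgw_cidr_headroom(named_cidrs["tgw_cidr"], endpoints, azs_in_region)
    return {
        "netmask_problems": problems,
        "overlaps": overlaps,
        "tgw_headroom": headroom,
        "ok": not problems and not overlaps and headroom >= 0,
    }


if __name__ == "__main__":
    # Three planned endpoints in a region with five possible Availability Zones.
    print(preflight(SAMPLE_RANGES, endpoints=3, azs_in_region=5))
    print("\n".join(openvpn_route_lines(SAMPLE_RANGES, ["vpc_prod", "vpc_dev", "onprem_dc1"])))
```

Run it as-is and the report flags the planted overlap; drop `onprem_dc2` from the map and the plan passes, with 226 addresses of the /24 hub block still free after three endpoints each reserve ten.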
Operators must manually configure authorization rules and routes on the new endpoint because paths do not propagate automatically from the hub.
- Create the Client VPN endpoint in the console, selecting Transit Gateway as the association type to establish a direct client-vpn attachment.
- Accept the pending attachment in the Transit Gateway owner account if the resource is shared via AWS Resource Access Manager.
- Define split-tunnel authorization rules to map user groups to specific network ranges, as the system applies no default allow policies.
- Add static routes pointing to internal CIDRs, ensuring the client IPv4 range avoids overlap with existing VPC subnets.
The migration eliminates the dedicated hosting VPC, so the endpoint connects directly to multiple networks through the hub. This architectural shift removes the need for Source NAT, preserving original client IPs end-to-end for accurate security monitoring. Real-world implementations, such as Glovo's, have integrated OneLogin for centralized authentication to simplify this identity layer.
Operational speed often conflicts with routing safety. Skipping manual route verification causes silent connectivity drops for specific internal resources. Unlike the legacy model where VPC route tables handled propagation, the native attachment pushes routes only one way, leaving the client device dependent on explicit local configuration.
Workload security groups must explicitly allow the new client CIDR range because Transit Gateway association disables ENI-based referencing.
- Identify the assigned client IPv4 or IPv6 block and update ingress rules on all target application subnets to permit traffic from this specific range.
- Replace default VPC DNS resolver settings with Route 53 Resolver inbound endpoint IP addresses to ensure split-horizon resolution functions across the network.
- Verify that at least two Availability Zones are active for the endpoint to maintain high-availability during zone failures.
Operators configuring AWS Network Firewall must adjust policy statements to inspect traffic based on the preserved client IP rather than a static NAT address. The default route propagation simplifies gateway tables but does not modify instance-level firewalls, creating a common blind spot where connectivity fails despite valid routes. This checklist step prevents the specific failure mode where users connect successfully but cannot resolve internal hostnames, a frequent issue in complex multi-account environments.
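The security-group step above, and the security-group dependency audit the conclusion asks for, can be checked offline against the output of `describe_security_groups`. The following is an added example, not the article's or AWS's code: it takes a list of groups in the shape the EC2 API returns, reports which rules already admit the client CIDR, which still reference the legacy endpoint security group (the ENI-based referencing that Transit Gateway association no longer supports), and how many rules a client-pool rotation would touch. Group IDs, names and the legacy endpoint group ID are constructed sample data, and `ingress_permission_for` only builds the `IpPermissions` structure that `authorize_security_group_ingress` accepts; it does not call AWS.

```python
import ipaddress

# Added example; not the article's or AWS's code. The groups below mimic the
# shape of an EC2 describe_security_groups() response, but every ID and name
# is constructed sample data.
LEGACY_ENDPOINT_SG = "sg-0legacy00000000000"  # constructed: SG of the old endpoint ENIs
CLIENT_CIDR = "10.200.0.0/16"                  # constructed client pool

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f6a7b8", "GroupName": "app-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.200.0.0/16", "Description": "client vpn pool"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0b2c3d4e5f6a7b8c9", "GroupName": "db-prod", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": LEGACY_ENDPOINT_SG}]},  # legacy ENI reference
    ]},
    {"GroupId": "sg-0c3d4e5f6a7b8c9d0", "GroupName": "internal-tools", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],  # supernet already covers the pool
         "UserIdGroupPairs": []},
    ]},
]


def _covers(rule_cidr: str, client_cidr: str) -> bool:
    """True when the rule's CIDR equals or contains the whole client pool."""
    rule = ipaddress.ip_network(rule_cidr, strict=False)
    client = ipaddress.ip_network(client_cidr, strict=False)
    return rule.version == client.version and client.subnet_of(rule)


def _port_key(perm: dict) -> tuple:
    return (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))


def audit_security_groups(groups: list, client_cidr: str, legacy_sg: str) -> dict:
    """Per group: rules that already admit the client CIDR, and rules that still
    point at the legacy endpoint security group (those stop matching once
    traffic arrives through the Transit Gateway attachment)."""
    report = {}
    for sg in groups:
        covered, legacy = [], []
        for perm in sg.get("IpPermissions", []):
            if any(_covers(r["CidrIp"], client_cidr) for r in perm.get("IpRanges", [])):
                covered.append(_port_key(perm))
            if any(p.get("GroupId") == legacy_sg for p in perm.get("UserIdGroupPairs", [])):
                legacy.append(_port_key(perm))
        report[sg["GroupName"]] = {"covered": covered, "legacy_eni_refs": legacy}
    return report


def groups_needing_update(report: dict) -> list[str]:
    """Groups with a legacy reference but no CIDR rule covering the client pool."""
    return sorted(n for n, r in report.items() if r["legacy_eni_refs"] and not r["covered"])


def rotation_impact(groups: list, old_client_cidr: str) -> int:
    """Number of rules naming the old client CIDR exactly; each one must be
    edited by hand when the pool is rotated (the conclusion's baseline metric).
    Supernet rules are not counted because they keep matching after rotation."""
    old = ipaddress.ip_network(old_client_cidr, strict=False)
    return sum(
        1
        for sg in groups
        for perm in sg.get("IpPermissions", [])
        for r in perm.get("IpRanges", [])
        if ipaddress.ip_network(r["CidrIp"], strict=False) == old
    )


def ingress_permission_for(client_cidr: str, protocol: str, from_port: int, to_port: int) -> dict:
    """Build one IpPermissions entry in the form authorize_security_group_ingress
    accepts; the caller decides whether and where to apply it."""
    return {
        "IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
        "IpRanges": [{"CidrIp": client_cidr, "Description": "Client VPN pool (TGW attachment)"}],
    }


if __name__ == "__main__":
    rep = audit_security_groups(SAMPLE_SECURITY_GROUPS, CLIENT_CIDR, LEGACY_ENDPOINT_SG)
    for name in groups_needing_update(rep):
        for proto, frm, to in rep[name]["legacy_eni_refs"]:
            print(name, "needs", ingress_permission_for(CLIENT_CIDR, proto, frm, to))
    print("rules touched by a pool rotation:", rotation_impact(SAMPLE_SECURITY_GROUPS, CLIENT_CIDR))
```

On the constructed data only `db-prod` needs a new rule: its only ingress path is the legacy endpoint group. `internal-tools` is already covered by its /8 supernet, and a future pool rotation would touch exactly one rule, the explicit /16 on `app-prod`.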
Strategic Advantages of Centralized Remote Access for Enterprise Networks
Transit Gateway Association Model for Multi-VPC Remote Access

Deploy the native Transit Gateway attachment to modernize remote access. This architecture eliminates the legacy requirement for an intermediate hosting VPC. Traffic flows without Source Network Address Translation, preserving original client IP addresses end-to-end for accurate security monitoring. Operators gain full visibility into user identity, a capability absent in the VPC association model where firewalls see only the endpoint ENI.
Cross-account deployments demand specific coordination before connectivity functions. The central Transit Gateway requires sharing via AWS Resource Access Manager to the account hosting the client attachment before the association completes. This constraint enforces strict ownership boundaries while enabling centralized routing policies. Security teams can now route traffic through AWS Network Firewall for inspection based on individual client CIDR blocks rather than aggregated NAT pools.
| Feature | VPC Association | Transit Gateway Association |
|---|---|---|
| Architecture | Dedicated hosting VPC | Direct hub attachment |
| Source IP | Obscured by SNAT | Preserved end-to-end |
| Complexity | High (peering required) | Low (centralized) |
Manual route management becomes necessary because automatic propagation from the hub to client devices remains unsupported.
At least 15% of enterprises will shift to private AI deployments on private clouds in 2026, demanding strict client IP visibility that legacy VPC association models cannot provide. The native Transit Gateway attachment eliminates the hosting VPC layer, preventing Source Network Address Translation from obscuring user identity during sensitive model training operations. Glovo successfully migrated 4,000 remote users from self-managed OpenVPN solutions to this managed architecture, integrating OneLogin for centralized authentication without maintaining dedicated infrastructure. This approach aligns with the broader AWS Managed Services market growth, which expanded from a substantial baseline in 2024 toward a significantly larger forecast by 2033.
Operators should use native attachment when remote access spans multiple VPCs and requires end-to-end source IP preservation for compliance auditing. The VPC association model forces traffic through Elastic Network Interfaces, masking individual client addresses behind a single NAT IP that breaks granular security policies.
- Eliminate dedicated hosting VPC costs and reduce route table complexity.
- Preserve original client IPs for accurate AWS Network Firewall logging.
- Support multi-account routing using AWS Resource Access Manager sharing.
- Enable direct connectivity to on-premises networks through the central hub.
- Avoid the latency introduced by intermediate VPC hops in legacy designs.
The limitation remains manual route configuration, as the system does not auto-propagate paths from the hub to the Client VPN endpoint. Security groups must explicitly allow the new client CIDR range since ENI-based referencing is unavailable in this topology.
Direct Transit Gateway attachment solves the visibility problem. Organizations should select the native model when Source Network Address Translation creates audit gaps. The legacy approach forces traffic through an intermediate VPC, masking individual client addresses behind a single ENI IP. This limitation complicates forensic analysis during security incidents. Conversely, the centralized hub architecture maintains original source IPs, enabling precise attribution for SOC 2 or HIPAA requirements. A constraint exists: security groups can no longer reference the endpoint ENI directly, demanding manual updates to allow specific client CIDR ranges. This shift increases initial configuration effort but yields superior long-term visibility. Enterprises with complex hybrid topologies benefit most from this design, as it unifies remote access with on-premises connectivity without peering meshes. InterLIR recommends this topology for environments where audit trails outweigh the operational cost of managing explicit CIDR allow-lists.
About
Alexander Timokhin, CEO of InterLIR, brings deep expertise in IT infrastructure and IP addressing to the discussion of AWS Client VPN's native Transit Gateway attachment. While InterLIR specializes in optimizing IPv4 resource distribution, Timokhin's daily work managing complex network architectures provides unique insight into the challenges of hybrid cloud connectivity. As enterprises increasingly adopt multi-cloud strategies, the ability to centralize remote access through Transit Gateway directly impacts how organizations apply scarce IP resources efficiently. Timokhin understands that simplifying network topology is critical for maintaining security and compliance across distributed environments. His experience guiding InterLIR's mission to solve network availability problems allows him to articulate how this new AWS feature reduces architectural friction. By connecting high-level infrastructure strategy with practical network operations, Timokhin offers an authoritative perspective on why centralized hub-and-spoke models are necessary for modern enterprise scalability and reliable traffic management.
Conclusion
Scaling this architecture reveals a critical fracture point: manual CIDR management becomes unsustainable as user pools expand across global regions. While preserving source IPs satisfies immediate compliance needs, the operational burden of updating ingress rules for every subnet change creates a hidden tax on network teams. As hybrid and multi-cloud strategies dominate enterprise roadmaps in 2026, static allow-listing will bottleneck the flexible connectivity required for private AI workloads. Organizations must treat this configuration as a transitional state rather than a permanent fix. Adopt this topology only if your audit requirements strictly demand end-to-end IP visibility and you possess the automation maturity to manage rule lifecycles programmatically. Delay migration until infrastructure-as-code pipelines can handle flexible security group updates without human intervention. Start by auditing your current security group dependency maps this week to identify exactly how many manual updates a single client pool rotation triggers. This baseline metric determines whether the visibility gain justifies the ongoing maintenance cost or whether a managed alternative better suits your growth trajectory.
Frequently Asked Questions
Native attachment eliminates Source NAT so firewalls see original client IP addresses. This restores user-level attribution for compliance auditing in environments where AWS holds a 28% market share.
No, the endpoint connects directly to Transit Gateway without a dedicated hosting VPC. This removes intermediate subnets and simplifies architecture for the 28% of users relying on this cloud provider.
Traffic no longer undergoes translation at Elastic Network Interfaces before reaching the hub. Direct attachment preserves end-to-end visibility for the 28% of the market using this specific infrastructure platform.
Operators must share the gateway via AWS Resource Access Manager before establishing the attachment. This enables centralized remote access for the 28% of enterprises utilizing this specific cloud infrastructure.
Legacy models force source-NAT of client traffic to a single ENI IP address. This pooling hides individual users from the 28% of organizations needing precise attribution for security monitoring.