Native attachment fixes AWS Client VPN SNAT gaps


The April 24, 2026 announcement eliminates the dedicated hosting VPC previously required for centralized remote access. This update fundamentally shifts AWS Client VPN from a complex, multi-hop topology to a streamlined native attachment model directly on Transit Gateway. By removing the intermediate VPC layer, organizations can finally discard the operational overhead of managing separate route tables and peering connections that plagued earlier iterations.

Readers will learn the specific architectural differences between the legacy VPC association model and this new direct integration. We dissect the mechanics of end-to-end source IP preservation, detailing how the removal of Source Network Address Translation (SNAT) for IPv4 restores critical user identity visibility for compliance auditing. Unlike the old method where traffic appeared as a single Elastic Network Interface IP, the new architecture ensures destination servers see individual client addresses without obscure workarounds.

Finally, the guide provides a concrete execution plan for migrating existing environments from VPC-based associations to the native hub. As the cloud-managed LAN market expands beyond USD 0.71 billion in 2026 according to Business Research Insights, relying on inefficient, legacy tunneling methods is no longer defensible. This transition is not merely about convenience; it is a necessary evolution for maintaining granular security posture in increasingly hybrid networks where distinguishing individual user traffic remains paramount.

Defining the Native Attachment Architecture for Centralized Remote Access

Native AWS Client VPN Attachment to Transit Gateway Architecture

Amazon Web Services (AWS) announced the native AWS Client VPN attachment on 24 Apr 2026, removing the mandatory hosting VPC. This architectural shift enables direct association with Transit Gateway, functioning as a centralized regional hub for remote access traffic. Previously, operators deployed endpoints within dedicated VPCs, forcing traffic through Elastic Network Interfaces that triggered Source Network Address Translation (SNAT). SNAT obscured individual client identities by presenting a single ENI IP address to downstream security tools. The new model preserves original client IP addresses end-to-end, allowing firewalls to enforce policies based on specific user CIDR blocks rather than aggregated NAT pools. Eliminating the intermediate VPC also reduces route table complexity and removes peering dependencies. However, this design requires the target Transit Gateway to possess an assigned IPv4 CIDR block before attachment configuration proceeds. Operators managing legacy VPC-associated endpoints must re-architect route propagation to avoid blackholing traffic during migration. A strict dependency on hub-level CIDR availability in shared networking accounts creates a notable constraint. Security teams gain granular audit trails compliant with SOC 2 mandates. Network engineers face tighter constraints on hub IP allocation planning. Direct attachment simplifies topology but centralizes failure domains around the regional gateway service.

VPC Association SNAT vs Native Attachment Source IP Preservation

Legacy VPC associations force Source Network Address Translation on all IPv4 client traffic, masking individual user identities behind a single Elastic Network Interface IP address. In the previous architecture, Client VPN endpoints generated ENIs within specific subnets, causing all egress traffic to undergo SNAT before reaching Transit Gateway. Destination servers and security monitoring tools consequently observed only the ENI IP, rendering user-level attribution impossible without external correlation logs. This design flaw forces security teams to rely on aggregated flow data rather than precise source identification during incident response. The new native attachment model eliminates this translation layer entirely, preserving the original client IP across the entire network path. InterLIR analysis confirms that end-to-end IP preservation is mandatory for granular firewall rule enforcement based on user CIDR blocks. Without this capability, operators cannot distinguish between malicious activity from a specific contractor versus a general employee pool sharing the same NAT address.

| Feature | VPC Association Model | Native TGW Attachment |
| --- | --- | --- |
| Source IP | Translated to ENI IP | Preserved End-to-End |
| Visibility | Aggregated (Single IP) | Individual Client IP |
| Audit Trail | Requires Log Correlation | Direct Attribution |
| Architecture | Dedicated Hosting VPC | Direct Hub Connection |

Removing SNAT introduces a strict dependency on non-overlapping CIDR ranges between the client pool and backend resources. If the client CIDR overlaps with any spoke VPC, routing failures occur immediately because Transit Gateway cannot resolve the ambiguous return path. Operators must audit existing address plans before migration to prevent connectivity blackouts. Enhanced visibility demands rigorous IP address management discipline that many legacy environments currently lack.

Centralized Remote Access Deployment for Multi-VPC Environments

Glovo migrated 4,000 remote users to this centralized architecture, validating the model for large-scale multi-VPC environments. Key entities data shows this deployment replaced self-managed OpenVPN on EC2 with managed AWS Client VPN endpoints attached directly to Transit Gateway. The mechanism eliminates the legacy hosting VPC requirement, allowing the gateway to route traffic from diverse virtual private clouds and on-premises networks through a single hub. Security teams gain granular visibility because source IPs remain intact without Source Network Address Translation obscuring user identity. Resource Access Manager enables sharing this hub across multiple AWS accounts, separating network ownership from application team deployments. Centralizing all remote access creates a singular dependency point that demands high-availability design across multiple Availability Zones. A failure in the central Transit Gateway routing table could isolate thousands of concurrent users instantly. This risk necessitates rigorous monitoring of gateway attachment states and automated failover testing. Organizations adopting this topology must balance architectural simplicity against the operational criticality of the central hub.

Direct Transit Gateway Attachment and ENI Elimination Mechanics

According to the AWS Blog, native attachment eliminates the hosting VPC, removing the Elastic Network Interface layer that previously forced Source NAT. The mechanism shifts traffic flow from subnet-bound Elastic Network Interfaces to a direct logical association with Transit Gateway. In the legacy model, packets traversed a dedicated VPC where infrastructure performed address translation, masking the original sender. The new architecture bypasses this intermediate hop entirely. Client traffic enters the gateway with headers intact, allowing downstream firewalls to inspect actual user IPs rather than a shared endpoint address. This structural change enables precise security auditing without complex log correlation. As reported by AWS Technical Considerations, each endpoint reserves two IPs per Availability Zone, a fixed overhead independent of client count. Reduced flexibility in subnet-level ACL enforcement occurs since traffic no longer traverses customer-managed subnets before routing. Operators lose the ability to apply granular security groups at the ENI level, relying instead on centralized firewall policies within the hub. This cost favors simplified topology over distributed perimeter controls.

Transit Gateway flow logs capture preserved client IPs, yet mapping these addresses to specific user names requires enabling Connection Logging on the endpoint. Security teams observing traffic patterns in CloudWatch Logs can identify anomalous source IPs from the client CIDR block, yet these entries remain pseudonymous without the supplemental Connection Logging feature. The operational tension arises because enabling Connection Logging incurs additional costs and storage requirements, whereas relying solely on flow logs leaves a gap in identity correlation during incident response. Operators troubleshooting a missing client IP in legacy architectures often found only the shared ENI address, but the current native attachment ensures the true source appears in every log entry. This distinction dictates that while source IP preservation solves the visibility problem for network firewalls, it does not automatically solve the identity problem for audit trails.

| Log Type | Contains Client IP | Contains Username | Primary Use Case |
| --- | --- | --- | --- |
| Flow Logs | Yes | No | Traffic analysis |
| Connection Logs | Yes | Yes | User auditing |

Relying exclusively on flow data creates a forensic blind spot where IP addresses cannot be traced back to individual credentials without external DHCP or RADIUS correlation.
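The identity gap described above can be closed by joining the two log sources on client IP and time. The following is an added example, not code from the article or from AWS: it builds user sessions from constructed Client VPN connection-log events, then attributes constructed Transit Gateway flow-log records (custom field order `srcaddr dstaddr dstport protocol start`) to the user whose session covered that instant. The connection-log field names, the client pool `10.200.0.0/22`, and all addresses and timestamps are assumptions made for the example. The time-bounded join matters because the same pool address is handed to different users over a day; a flow from a pool address with no covering session is reported as unattributed, which is exactly the forensic blind spot flow logs alone leave.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Assumed client pool for this example (not from the article).
CLIENT_CIDR = ipaddress.ip_network("10.200.0.0/22")


def _epoch(ts: str) -> int:
    """Convert a 'YYYY-MM-DD HH:MM:SS' UTC timestamp to epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


# Constructed sample: Client VPN connection-log events as JSON lines in CloudWatch Logs.
# Field names are an assumption of this example; check them against your own log group.
CONNECTION_LOG_LINES = [
    '{"connection-log-type":"connection-attempt","connection-id":"cvpn-connection-aaa111",'
    '"username":"alice","client-ip":"10.200.0.10","connection-start-time":"2026-05-01 08:00:00",'
    '"connection-attempt-status":"successful"}',
    '{"connection-log-type":"connection-reset","connection-id":"cvpn-connection-aaa111",'
    '"username":"alice","client-ip":"10.200.0.10","connection-start-time":"2026-05-01 08:00:00",'
    '"connection-end-time":"2026-05-01 09:30:00"}',
    '{"connection-log-type":"connection-attempt","connection-id":"cvpn-connection-bbb222",'
    '"username":"contractor-bob","client-ip":"10.200.0.10","connection-start-time":"2026-05-01 10:00:00",'
    '"connection-attempt-status":"successful"}',
]

# Constructed sample: Transit Gateway flow-log records, custom format
# "srcaddr dstaddr dstport protocol start" (start in epoch seconds).
FLOW_LOG_LINES = [
    f"10.200.0.10 10.50.1.25 22 6 {_epoch('2026-05-01 08:30:00')}",    # during alice's session
    f"10.200.0.10 10.50.1.25 22 6 {_epoch('2026-05-01 10:15:00')}",    # same IP, now contractor-bob
    f"10.200.0.77 10.50.2.40 3389 6 {_epoch('2026-05-01 12:00:00')}",  # pool IP with no session
    f"10.60.0.5 10.50.1.25 443 6 {_epoch('2026-05-01 12:05:00')}",     # not client traffic
]


def build_sessions(lines):
    """Derive sessions {ip, user, start, end} from connection-log events.

    A successful connection-attempt opens a session; a connection-reset for the
    same connection-id closes it. An open session has end=None.
    """
    sessions = {}
    for line in lines:
        ev = json.loads(line)
        cid = ev["connection-id"]
        kind = ev["connection-log-type"]
        if kind == "connection-attempt" and ev.get("connection-attempt-status") == "successful":
            sessions[cid] = {
                "ip": ev["client-ip"],
                "user": ev["username"],
                "start": _epoch(ev["connection-start-time"]),
                "end": None,
            }
        elif kind == "connection-reset" and cid in sessions:
            sessions[cid]["end"] = _epoch(ev["connection-end-time"])
    return list(sessions.values())


def attribute_flows(flow_lines, sessions):
    """Attach a username to each flow whose source is in the client pool.

    Returns one dict per client-pool flow; flows from outside the pool are skipped.
    """
    results = []
    for line in flow_lines:
        src, dst, dport, _proto, start = line.split()
        if ipaddress.ip_address(src) not in CLIENT_CIDR:
            continue
        start = int(start)
        user = "UNATTRIBUTED"
        for s in sessions:
            in_window = s["start"] <= start and (s["end"] is None or start <= s["end"])
            if s["ip"] == src and in_window:
                user = s["user"]
                break
        results.append({"src": src, "dst": dst, "dport": int(dport), "user": user})
    return results


if __name__ == "__main__":
    for row in attribute_flows(FLOW_LOG_LINES, build_sessions(CONNECTION_LOG_LINES)):
        print(row)
```

In a real deployment the same join runs over the two CloudWatch log groups (or their S3 exports) with the client CIDR taken from the endpoint configuration; any flow that lands in the `UNATTRIBUTED` bucket is the signal that Connection Logging was disabled or lagging for that interval.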

MTU Limitations and CIDR Scaling Constraints in Native Attachments

VPN traffic caps at 1500 bytes MTU, contrasting sharply with the 8500-byte limit for standard Transit Gateway VPC attachments. This hard ceiling forces payload fragmentation for large packets, introducing latency that standard jumbo-frame environments avoid entirely. Operators migrating high-throughput workloads must reconfigure application MTU settings or accept the performance penalty of fragmented frames. The architectural gain in visibility comes with a transport efficiency tax that demands packet-size auditing. Per AWS Technical Considerations, concurrent connection capacity scales based on client CIDR range size and the count of Availability Zone associations. Each additional zone association reserves two IPs per endpoint, directly reducing the pool available for active user sessions. A wide CIDR block consumes address space that could otherwise support higher concurrency limits in dense regions. End-to-end IP preservation reduces forensic complexity but increases network-layer sensitivity to packet sizing.

Executing the Migration from VPC-Based Associations

Prerequisite CIDR Ranges and IAM Permissions for Native Attachment

Based on AWS, the Client IPv4 CIDR range requires a netmask between /12 and /22 that avoids overlap with existing infrastructure. This strict boundary prevents routing conflicts when the Transit Gateway propagates routes to on-premises networks. Operators must audit current address spaces before assigning the pool, as overlapping ranges cause immediate connectivity failure for remote users. The constraint forces a redesign of legacy addressing schemes in mature environments where private space is fragmented.

According to AWS, the platform automatically assigns a /56 CIDR block for IPv6 configurations without manual intervention. This automation reduces configuration errors but removes operator control over specific subnet selection within the regional allocation. Security teams relying on IP-based allow-lists must update firewalls dynamically or request the specific assigned block post-deployment. The lack of static IPv6 selection creates a dependency on API queries for consistent policy application across hybrid clouds.

IAM permissions constitute the second critical prerequisite, specifically requiring rights to create Client VPN endpoints and modify Transit Gateway attachments. Without these explicit grants, the console workflow halts during the association phase, leaving the endpoint in a pending state. Organizations using least-privilege models often underestimate the breadth of resources needed for this specific integration pattern.

  1. Validate IPv4 CIDR availability against all VPC and on-premises subnets.
  2. Confirm IAM principal has `ec2:CreateClientVpnEndpoint` and `ec2:AssociateTransitGatewayNetworkInterface`.
  3. Select at least two Availability Zones to satisfy high-availability requirements.
  4. Apply the configuration via CLI or console to instantiate the logical attachment.
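Step 1 of the list above, together with the overlap warning in the SNAT section and the reservation figures quoted later on the page, can be checked before anything is created. The following is an added example written for this article, not tooling from AWS or InterLIR: it validates a candidate client IPv4 pool against the /12 to /22 netmask window and against every existing VPC and on-premises range, and it tallies the hub-side reservation (two IPs per endpoint per Availability Zone) and the $0.05 per hour attachment fee across zones as the article states them. The address plan, the hub CIDR `100.64.0.0/24`, and the candidate pools are constructed values.

```python
import ipaddress

# Constructed sample address plan; assumed values for the example only.
SPOKE_VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/12"]
ON_PREM_CIDRS = ["192.168.0.0/16", "10.200.0.0/16"]

# Figures as stated in the article: two hub IPs reserved per endpoint per
# Availability Zone, and a $0.05 per hour attachment fee per deployed zone.
RESERVED_IPS_PER_AZ = 2
ATTACHMENT_FEE_PER_HOUR = 0.05


def validate_client_cidr(client_cidr, existing_cidrs):
    """Check a candidate Client VPN IPv4 pool.

    Returns a list of findings; an empty list means the pool satisfies the
    /12 to /22 rule and overlaps none of the existing ranges.
    """
    findings = []
    net = ipaddress.ip_network(client_cidr, strict=False)
    if net.version != 4:
        return [f"{net}: only IPv4 pools are checked by this validator"]
    if not 12 <= net.prefixlen <= 22:
        findings.append(
            f"{net}: netmask /{net.prefixlen} is outside the required /12 to /22 window"
        )
    for other in existing_cidrs:
        peer = ipaddress.ip_network(other, strict=False)
        # Any overlap leaves Transit Gateway without an unambiguous return path.
        if peer.version == 4 and net.overlaps(peer):
            findings.append(f"{net}: overlaps existing range {peer}")
    return findings


def reservation_summary(tgw_cidr, az_count, endpoints=1):
    """Hub-side cost of the attachment before a single user connects:
    IPs locked in the Transit Gateway CIDR and the hourly attachment fee."""
    hub = ipaddress.ip_network(tgw_cidr, strict=False)
    reserved = RESERVED_IPS_PER_AZ * az_count * endpoints
    return {
        "hub_addresses": hub.num_addresses,
        "reserved_hub_ips": reserved,
        "remaining_hub_ips": hub.num_addresses - reserved,
        "attachment_fee_per_hour": round(ATTACHMENT_FEE_PER_HOUR * az_count * endpoints, 2),
    }


if __name__ == "__main__":
    plan = SPOKE_VPC_CIDRS + ON_PREM_CIDRS
    for candidate in ("10.200.0.0/22", "10.201.0.0/24", "10.201.0.0/22"):
        print(candidate, validate_client_cidr(candidate, plan) or ["OK"])
    print(reservation_summary("100.64.0.0/24", az_count=5))
```

Run it with the real address plan exported from IPAM or from `describe-vpcs` output before choosing the pool; a non-empty finding list is the cue to pick a different range rather than to proceed and debug blackholed traffic after cutover.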

Configuring Authorization Rules and Split-Tunnel Routes in the Console

According to AWS, users must select Transit Gateway as the association type in the console rather than a VPC to enable native attachment. This initial selection bypasses the legacy requirement for a hosting VPC, fundamentally altering how traffic enters the AWS backbone. Operators define the entry point without intermediate subnet binding. The architecture immediately shifts from edge-NAT to central routing. Downstream security groups now see individual client IPs instead of a shared ENI address. This visibility gain requires precise route management to function correctly.

  1. Create the endpoint selecting Transit Gateway association and at least two Availability Zones.
  2. Define authorization rules matching user groups to specific destination CIDR blocks.
  3. Configure explicit split-tunnel routes since the client installs no default paths.
  4. Enable route propagation on the gateway for return traffic to the client pool.

According to AWS, split-tunnel configurations fail without manual route entries because no routes install on the client by default. Full-tunnel modes only require authorization rules, creating an asymmetric operational burden for mixed deployments. The limitation is that automatic route propagation from the gateway to the client device remains unsupported, forcing administrators to maintain static route lists or rely on dynamic updates via the agent. This manual step introduces a potential failure mode where users connect but cannot reach resources due to missing local routing table entries.
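The failure mode just described (a user authenticates, the authorization rule matches, but no route exists for the destination) is mechanical enough to audit. The following is an added example, not code from AWS or the article: it takes lists shaped like the `DestinationCidr`/`Status` fields of `describe-client-vpn-authorization-rules` and `describe-client-vpn-routes` output and reports every authorized destination with no active covering route (split-tunnel mode only, since full-tunnel needs no client routes) and every active route that no authorization rule permits. The exact output shape and all CIDRs and group names are constructed assumptions.

```python
import ipaddress

# Constructed sample shaped like the relevant fields of
# `aws ec2 describe-client-vpn-authorization-rules` and
# `aws ec2 describe-client-vpn-routes`; the shape is assumed for this example.
AUTHORIZATION_RULES = [
    {"DestinationCidr": "10.0.0.0/16", "GroupId": "engineering", "Status": {"Code": "active"}},
    {"DestinationCidr": "10.1.0.0/16", "GroupId": "finance", "Status": {"Code": "active"}},
    {"DestinationCidr": "192.168.10.0/24", "GroupId": "engineering", "Status": {"Code": "active"}},
]
ROUTES = [
    {"DestinationCidr": "10.0.0.0/16", "Status": {"Code": "active"}},
    {"DestinationCidr": "10.2.0.0/16", "Status": {"Code": "active"}},      # nobody is authorized here
    {"DestinationCidr": "192.168.10.0/24", "Status": {"Code": "failed"}},  # route never became active
]


def _active_networks(entries):
    """Networks for entries whose Status.Code is 'active'."""
    return [
        ipaddress.ip_network(e["DestinationCidr"])
        for e in entries
        if e["Status"]["Code"] == "active"
    ]


def audit_split_tunnel(rules, routes, split_tunnel=True):
    """Cross-check authorization rules against installed routes.

    Findings:
      missing-route       an active rule's destination has no active route that
                          covers it (only meaningful in split-tunnel mode)
      unauthorized-route  an active route that no active rule permits, so it is
                          dead weight on every client
    """
    findings = []
    active_routes = _active_networks(routes)
    active_rules = [r for r in rules if r["Status"]["Code"] == "active"]

    if split_tunnel:
        for rule in active_rules:
            dest = ipaddress.ip_network(rule["DestinationCidr"])
            covered = any(
                r.version == dest.version and dest.subnet_of(r) for r in active_routes
            )
            if not covered:
                findings.append(
                    {"kind": "missing-route", "cidr": str(dest), "group": rule["GroupId"]}
                )

    for route in active_routes:
        permitted = any(
            (lambda n: n.version == route.version and n.overlaps(route))(
                ipaddress.ip_network(rule["DestinationCidr"])
            )
            for rule in active_rules
        )
        if not permitted:
            findings.append({"kind": "unauthorized-route", "cidr": str(route), "group": None})
    return findings


if __name__ == "__main__":
    for finding in audit_split_tunnel(AUTHORIZATION_RULES, ROUTES):
        print(finding)
```

Running this after each change to the route list catches the "connected but unreachable" state before users report it; a `failed` route status in particular is easy to miss in the console because the authorization rule beside it still shows as active.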

As reported by AWS, selecting at least two Availability Zones ensures high-availability, though the system assigns two automatically if skipped. Operators must verify zone selection manually to guarantee durability against single-zone outages. Relying on automatic assignment risks suboptimal placement in congested infrastructure sectors. The architectural gain is fault tolerance; the risk is hidden dependency on default logic.

According to AWS, manual acceptance of shared attachments becomes mandatory if Auto accept remains disabled on the Transit Gateway. This security constraint prevents unauthorized network bridging but introduces a procedural hurdle during migration windows. Teams often overlook this step, causing attachment states to remain pending indefinitely. The trade-off is strict governance versus operational speed.

  1. Validate Availability Zone distribution across distinct failure domains.
  2. Inspect Transit Gateway settings for auto-accept status.
  3. Approve pending attachment requests in the owner account console.
  4. Confirm route propagation from endpoint to gateway tables.

Skipping verification leaves the hybrid path incomplete despite valid endpoint configurations.

Strategic Criteria for Adopting Native Attachments Over Legacy Models

Defining the Transit Gateway Association Criteria for Client VPN


Transit Gateway association becomes mandatory when architectures demand preserved client source IPs for centralized inspection via AWS Network Firewall. This configuration removes the Source Network Address Translation (SNAT) layer that previously obscured user identity in legacy VPC hosting models. Security teams gain granular audit trails where every log entry maps directly to a specific remote device rather than a shared elastic network interface address. One limitation involves the loss of direct security group attachment to endpoint ENIs, which forces reliance on CIDR-based filtering instead.

Organizations should retain VPC association if operations depend on AWS Cloud WAN integration or strict ENI-level security controls. Per Model Selection and Migration, this legacy path remains valid for environments not requiring end-to-end source IP visibility across multiple VPCs. Operators must weigh the architectural simplicity of a central hub against the specific need for per-interface firewall rules. Direct Transit Gateway attachment simplifies topology but removes the ability to apply security groups directly to the VPN endpoint interfaces.

| Feature | Transit Gateway Association | VPC Association |
| --- | --- | --- |
| Source IP Visibility | Preserved End-to-End | Lost (SNAT Applied) |
| Security Group Scope | CIDR Based Only | ENI Level Controls |
| Inspection Path | Centralized Firewall Ready | Distributed / VPC Local |
| Multi-VPC Access | Native Hub Routing | Peering Required |

Applying Native Attachments for Multi-Account and Inspection Scenarios

Based on research, the migration of 4,000 remote users at Glovo validates scaling native attachments beyond pilot phases. This deployment replaced a self-managed OpenVPN cluster on Amazon EC2, proving that centralized architectures handle enterprise user volumes without fragmentation. Operators gain a single ingress point for multi-account access while retaining original client IPs for granular auditing. The elimination of Source Network Address Translation (SNAT) allows AWS Network Firewall to enforce policies based on individual user identity rather than a shared pool address.

According to Model Selection and Migration, service insertion enhancements from November 30, 2024, optimize routing for attachments with Appliance Mode enabled. These updates refine Availability Zone awareness so inspection traffic follows optimal paths even in complex hub-and-spoke topologies. The architectural benefit is clear: centralized security control without sacrificing path efficiency. However, this model demands rigorous CIDR planning since overlapping ranges between accounts cause immediate routing failures.

Organizations asking whether to use Transit Gateway for Client VPN must weigh IP visibility against operational complexity. Unlike VPC association, the native model removes ENI-based security group controls, forcing reliance on firewall rules for micro-segmentation. The constraint is a shift from network-level access control to application-layer filtering.

Evaluating Attachment Fees and IP Reservation Risks in Native Models

As reported by Technical Considerations and Pricing, each Transit Gateway attachment incurs a $0.05 per hour fee, compounding the base endpoint cost for every deployed zone. This recurring charge creates a linear cost escalation that operators often underestimate during multi-region planning phases. The financial impact is immediate upon activation. Budget forecasts must account for this additive hourly rate across all active regions to avoid billing surprises.

Client VPN reserves two Transit Gateway IPs per Availability Zone in the AWS Region for each endpoint, consuming valuable address space before a single user connects. A region with five zones locks ten addresses per endpoint, straining tight CIDR allocations in mature environments. The drawback is rigid capacity consumption regardless of actual concurrent user count. Network architects must verify available subnet capacity against this worst-case reservation model prior to deployment.

InterLIR recommends selecting VPC association when security group controls on endpoint ENIs outweigh the need for source IP visibility. Organizations requiring strict perimeter enforcement via security groups will find the native model's reliance on CIDR filtering insufficient for their governance policies.

About

Evgeny Sevastyanov Support Team Leader at InterLIR brings critical operational insight to the complexities of modern cloud networking. While InterLIR specializes in IPv4 address redistribution, Evgeny's daily work managing RIPE database objects and resolving complex connectivity issues for global clients directly correlates with the challenges addressed by AWS Client VPN's native Transit Gateway attachment. His experience troubleshooting hybrid network architectures allows him to understand precisely how eliminating dedicated hosting VPCs simplifies life for network engineers facing IP scarcity. As organizations centralize access to multiple VPCs, the efficiency gains mirror InterLIR's own mission of optimizing network resource availability. Evgeny bridges the gap between raw infrastructure capabilities and practical deployment, ensuring that technical advancements like this native attachment are understood through the lens of real-world support scenarios and architectural cleanliness required for scalable growth.

Conclusion

Scaling native Transit Gateway attachments reveals a hidden friction point: the compounding hourly fees create a linear cost trajectory that erodes the economic viability of distributed architectures as regional footprints expand. While the market for cloud-managed LANs surges toward $0.71 billion by 2027, organizations relying on rigid, per-attachment pricing models will face diminishing returns compared to emerging software-defined alternatives. The operational debt accumulates not just in billing, but in the static IP consumption that locks away critical address space regardless of actual user concurrency. This inefficiency demands a strategic pivot before multi-region sprawl makes remediation cost-prohibitive.

InterLIR advises adopting the native attachment model only for greenfield deployments with abundant CIDR capacity and a strict requirement for end-to-end source IP visibility across complex hubs. For existing estates or security postures dependent on granular ENI-level controls, the shift to application-layer filtering introduces unacceptable governance gaps. Do not migrate legacy workloads to this architecture without a confirmed three-year budget approval that accounts for exponential cost growth. The window for using this specific topology as a cost-effective standard is closing rapidly.

Start by auditing your current regional Availability Zone count against your reserved IP blocks this week to calculate your immediate exposure to these fixed capacity costs.

Frequently Asked Questions

How does the native attachment change hourly infrastructure costs?
The new model adds a specific attachment fee to your existing endpoint charges. This configuration effectively doubles the hourly infrastructure cost for the attachment component compared to direct VPC attachment models.
What happens to client IP visibility with the new architecture?
Native attachments preserve original client IP addresses end-to-end without translation. This eliminates the single Elastic Network Interface IP issue, restoring critical user identity visibility required for compliance auditing and security monitoring.
Why was the dedicated hosting VPC previously required for access?
Legacy models needed a hosting VPC to manage Elastic Network Interfaces for traffic routing. The April 24, 2026 update removes this requirement, allowing direct association with Transit Gateway instead.
What prerequisite must be met before configuring the native attachment?
You must assign an IPv4 CIDR block to the target Transit Gateway before proceeding. Without this specific hub-level CIDR availability, the attachment configuration cannot be successfully completed by operators.
How does this update impact the broader cloud-managed LAN market?
This transition supports efficient hybrid networks as the cloud-managed LAN market expands beyond USD 0.71 billion in 2026. Relying on inefficient legacy tunneling methods is no longer defensible for organizations.