
In my AWS infrastructure there are a few VPCs.

3 days ago I created a Client VPN in VPC1, and successfully configured access to VPC2 according to the instructions: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-peered.html.

Today I deleted the second VPC (VPC2) and created another one. I configured peering between VPC1 and VPC2, it works, but I cannot configure the VPN for access to VPC2 (simplified scheme in the attachment).

From the instructions above: "Associate the subnet you identified earlier with the Client VPN endpoint that you created."

I go to Client VPN Endpoints > Create Client VPN Association to Target Network, and see: "You can associate subnets in one VPC to a Client VPN Endpoint."

But it contradicts the official Amazon docs. And I can choose VPC2, choose a subnet from this VPC and get an error: "Subnet you're associating is from a different vpc" (Sure! It's exactly what I need and what I do.)

Do you have any ideas what is happening? How to avoid such an error and make the VPN work with the new VPC?

Thank you in advance.

Nadia

1 Answer

I found the reason. It was not because I cannot associate VPC2 subnets with the VPN. It's not necessary. As I understood, in AWS "association" means "VPN endpoint directly connected to this subnet".

Commonly you don't need to create special routes between subnets in different Availability Zones. But for the VPN it's necessary.

The VPN route to the VPC2 subnet should go via a VPC1 subnet in the same Availability Zone (AZ). A route to 10.20.100.0/24 will not work via 10.18.10.0/24.

So you must have a VPN-associated subnet in the same AZ and route the traffic via this subnet.

Nadia
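The AZ-matching rule from the answer, as an added example that is not part of the original post: given the subnets associated with the Client VPN endpoint and the peered-VPC subnet you want to reach, it picks the associated VPC1 subnet in the same Availability Zone, rejects a route that would use a subnet in another AZ, and prints the `aws ec2 create-client-vpn-route` / `authorize-client-vpn-ingress` commands that the route needs. The CIDRs are the ones from the post; the subnet IDs, VPC IDs, AZ names and endpoint ID are constructed placeholders.

```python
"""Plan a Client VPN route into a peered VPC using the same-AZ rule.

Constructed inventory: VPC1 hosts the Client VPN endpoint, VPC2 is peered.
Subnet/VPC IDs, AZs and the endpoint ID are hypothetical; the CIDRs come
from the post (10.18.10.0/24 in VPC1, 10.20.100.0/24 in VPC2).
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    vpc_id: str
    cidr: str
    az: str


SUBNETS: Dict[str, Subnet] = {
    "subnet-vpc1-a": Subnet("subnet-vpc1-a", "vpc-1", "10.18.10.0/24", "eu-central-1a"),
    "subnet-vpc1-b": Subnet("subnet-vpc1-b", "vpc-1", "10.18.20.0/24", "eu-central-1b"),
    "subnet-vpc2-b": Subnet("subnet-vpc2-b", "vpc-2", "10.20.100.0/24", "eu-central-1b"),
}


class RoutePlanError(ValueError):
    """Raised when no associated subnet can carry the requested route."""


def route_will_work(target_subnet_id: str, dest_subnet_id: str) -> bool:
    """True only if the route's target subnet sits in the destination's AZ.

    This is the check behind "a route to 10.20.100.0/24 will not work via
    10.18.10.0/24": both are fine subnets, but they are in different AZs.
    """
    return SUBNETS[target_subnet_id].az == SUBNETS[dest_subnet_id].az


def pick_target_subnet(endpoint_vpc: str, associated: Set[str], dest: Subnet) -> Subnet:
    """Choose the endpoint-associated subnet a route to `dest` must use.

    Associations can only be subnets of the endpoint's own VPC (the console
    error from the question), and the chosen one must share the AZ of the
    destination subnet in the peered VPC.
    """
    candidates = [SUBNETS[s] for s in sorted(associated)]
    wrong_vpc = [s.subnet_id for s in candidates if s.vpc_id != endpoint_vpc]
    if wrong_vpc:
        raise RoutePlanError(f"subnets {wrong_vpc} are not in endpoint VPC {endpoint_vpc}")
    same_az = [s for s in candidates if s.az == dest.az]
    if not same_az:
        raise RoutePlanError(
            f"no associated subnet in {dest.az}; associate a {endpoint_vpc} subnet "
            f"in {dest.az} with the endpoint before routing to {dest.cidr}"
        )
    return same_az[0]


def route_commands(endpoint_id: str, target: Subnet, dest: Subnet) -> List[str]:
    """AWS CLI commands that add the route and authorise clients to use it."""
    return [
        f"aws ec2 create-client-vpn-route --client-vpn-endpoint-id {endpoint_id} "
        f"--destination-cidr-block {dest.cidr} --target-vpc-subnet-id {target.subnet_id}",
        f"aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id {endpoint_id} "
        f"--target-network-cidr {dest.cidr} --authorize-all-groups",
    ]


if __name__ == "__main__":
    dest = SUBNETS["subnet-vpc2-b"]
    # Only the 1a subnet is associated: the route cannot be placed correctly.
    try:
        pick_target_subnet("vpc-1", {"subnet-vpc1-a"}, dest)
    except RoutePlanError as err:
        print("error:", err)
    # After also associating the 1b subnet the route has a valid target.
    target = pick_target_subnet("vpc-1", {"subnet-vpc1-a", "subnet-vpc1-b"}, dest)
    for cmd in route_commands("cvpn-endpoint-EXAMPLE", target, dest):
        print(cmd)
```

Run it with no arguments; the first attempt reports the missing same-AZ association, the second prints the two CLI commands for the route via the 1b subnet.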