Cloud Connexa VPN Access

Cloud Connexa (powered by OpenVPN) provides secure VPN (Virtual Private Network) connectivity to your infrastructure and private resources.
This section explains how to configure VPN access with AWS IAM Identity Center (formerly AWS SSO) and how users experience VPN access.

Overview

Users connect to Cloud Connexa VPN through:
  • SSO (Single Sign-On) Integration – Authentication via AWS IAM Identity Center
  • Automatic Provisioning – User accounts are created on first login
  • Group-Based Access – Network access rules are tied to AWS SSO group membership
  • Multi-Platform Clients – VPN clients available for desktop and mobile devices

Configure SSO Access

Step 1: Assign groups to the VPN application

In the AWS Organization Management account:
  1. Go to AWS Identity Center > Applications > Customer managed
  2. Open the VPN application
  3. Click Assign users and groups
  4. Switch to the Groups tab
  5. Select the groups that require VPN access
  6. Click Assign

Step 2: Open the Cloud Connexa Admin Panel

To manage VPN groups and access:
  1. From your SSO portal, open the VPN application
  2. This launches the Cloud Connexa administration panel (only available if you are manually assigned as an Administrator)

Managing VPN Groups

For Existing Groups

If the AWS SSO group already exists in Cloud Connexa:

Step 1: Verify automatic user creation

When a user logs into the VPN application through SSO for the first time:
  1. They are automatically created in Cloud Connexa
  2. They inherit permissions from their mapped SSO group
  3. No additional setup is needed

For New Groups

If you are creating a new AWS SSO group that needs VPN access:

Step 1: Assign the group to the VPN application

Ensure the new group is assigned to the VPN application in AWS Identity Center.

Step 2: Create a VPN group in Cloud Connexa

In the Cloud Connexa admin panel:
  1. Navigate to Users > Groups
  2. Click Add Group
  3. Configure the group settings

Step 3: Create an Access Group

Define which resources the VPN group can reach:
  1. Go to Access > Groups
  2. Click Create Access Group
  3. Configure access:
    • Left panel: Choose the VPN group you created
    • Right panel: Select applications or networks to grant access to
    • Save your configuration

Step 4: Map SSO groups to VPN groups

Link AWS SSO groups with Cloud Connexa groups:
  1. Go to Settings > User Authentication
  2. Click Edit
  3. Select View Group Mapping
  4. Click Add a Rule
  5. In SAML IdP User Group(s): enter the AWS SSO Group ID
  6. Choose the matching Cloud Connexa Access Group
  7. Click Save

User Experience

Once configured, here’s what VPN access looks like for users:

Step 1: Initial login

  1. User signs in to the AWS SSO portal
  2. Clicks on the VPN application
  3. Gets redirected to Cloud Connexa
  4. Account is automatically created on first login

Step 2: VPN client setup

  1. User downloads the Cloud Connexa VPN client
  2. Configures it with provided connection details
  3. Signs in with their SSO credentials
  4. Establishes a secure VPN connection

Step 3: Ongoing usage

  1. Users connect whenever VPN access is needed
  2. Authentication flows through SSO automatically
  3. Access is based on their group memberships
  4. Network rules are applied from Access Group configurations

Troubleshooting VPN Access

Changes to VPN group mappings can take several minutes to propagate.
Users may need to disconnect and reconnect their VPN client for changes to take effect.

Possible causes:
  • Group not assigned to the VPN application
  • User needs to refresh their SSO session
  • Group membership changes are still propagating
Solutions:
  1. Verify group assignment in AWS Identity Center
  2. Ask the user to log out and back in
  3. Wait 15–30 minutes for propagation

Possible causes:
  • Group mapping misconfigured
  • Access group doesn’t include required resources
  • Incorrect SAML Group ID
Solutions:
  1. Review group mapping in Cloud Connexa settings
  2. Verify Access Group permissions
  3. Confirm AWS SSO Group ID matches Identity Center

Possible causes:
  • Incorrect client configuration
  • Firewall blocking VPN traffic
  • Authentication failures
Solutions:
  1. Double-check client configuration
  2. Verify firewall rules allow VPN traffic
  3. Test login through the Cloud Connexa web console first
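
The group assignment and SAML Group ID checks above can be run as one offline audit. The following is an added example, not Cloud Connexa or AWS code: it compares the JSON returned by `aws identitystore list-groups` and `aws sso-admin list-application-assignments` with mapping rules copied by hand from View Group Mapping. The rule dict shape, function name and all sample IDs are assumptions made for the example.

```python
import re

# GroupId format documented for the Identity Store API: a UUID, optionally
# preceded by a 10-hex-digit prefix.
GROUP_ID_RE = re.compile(r"^([0-9a-f]{10}-)?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def audit_group_mapping(idc_groups, app_assignments, mapping_rules):
    """Cross-check Identity Center data against Cloud Connexa mapping rules.

    idc_groups: "Groups" list from `aws identitystore list-groups`.
    app_assignments: "ApplicationAssignments" list from
        `aws sso-admin list-application-assignments` for the VPN application.
    mapping_rules: rules copied by hand from View Group Mapping; the dict
        shape {"saml_group", "vpn_group"} is an assumption of this example.
    Returns a sorted list of (severity, subject, message) tuples.
    """
    by_id = {g["GroupId"]: g["DisplayName"] for g in idc_groups}
    by_name = {name: gid for gid, name in by_id.items()}
    assigned = {a["PrincipalId"] for a in app_assignments if a["PrincipalType"] == "GROUP"}
    findings, mapped = [], set()
    for rule in mapping_rules:
        value = rule["saml_group"].strip()
        if value in by_name:  # display name typed where the Group ID belongs
            findings.append(("error", value, "display name entered; use Group ID " + by_name[value]))
        elif not GROUP_ID_RE.match(value):
            findings.append(("error", value, "not in Group ID format"))
        elif value not in by_id:
            findings.append(("error", value, "Group ID not found in Identity Center"))
        else:
            mapped.add(value)
            if value not in assigned:
                findings.append(("error", by_id[value], "mapped but not assigned to the VPN application"))
    for gid in assigned - mapped:  # users can sign in but match no valid rule
        findings.append(("warn", by_id.get(gid, gid), "assigned to the VPN application but has no mapping rule"))
    return sorted(findings)

# Constructed sample data: every ID and name below is made up.
DEV, PROD, OPS, STG = ("%s-0000-4000-8000-000000000000" % (c * 8) for c in "1234")
SAMPLE_GROUPS = [{"GroupId": i, "DisplayName": n} for i, n in
                 [(DEV, "vpn-dev"), (PROD, "vpn-prod"), (OPS, "vpn-ops"), (STG, "vpn-staging")]]
SAMPLE_ASSIGNMENTS = [{"PrincipalId": i, "PrincipalType": "GROUP"} for i in (DEV, PROD, OPS)]
SAMPLE_RULES = [
    {"saml_group": DEV, "vpn_group": "Developers"},          # correct
    {"saml_group": "vpn-prod", "vpn_group": "Production"},   # name instead of ID
    {"saml_group": STG, "vpn_group": "Staging"},             # never assigned to the app
    {"saml_group": DEV[:-1] + "f", "vpn_group": "Legacy"},   # mistyped ID
]

if __name__ == "__main__":
    for severity, subject, message in audit_group_mapping(SAMPLE_GROUPS, SAMPLE_ASSIGNMENTS, SAMPLE_RULES):
        print(f"[{severity}] {subject}: {message}")
```

A group whose rule fails validation is also reported as having no mapping rule, because its members can reach the application without matching any valid rule.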

VPN Access Best Practices

  • Grant least privilege – only provide network access users really need
  • Separate environments – use different access rules for dev, staging, and production
  • Review regularly – audit VPN user access at scheduled intervals
  • Monitor connections – track VPN connection logs for unusual activity
  • Strengthen sessions – use “Connect Auth: Every time” for higher security
  • Keep documentation updated – clearly record the purpose of each VPN access group