Does AWS Verified Access support protocols other than HTTP/HTTPS?

AWS Verified Access primarily supports HTTP/HTTPS traffic. For raw TCP/UDP (like SSH or direct database connections), you must either use AWS Client VPN or Session Manager (SSM).

Is there a way to reduce the high 'per application' cost of AVA?

While there is a cost per application, you can use a single AVA endpoint with an Application Load Balancer (ALB) that handles multiple host-based routing rules to minimize the per-app fee.

How does AVA verify the health of a client device?

AVA integrates natively with CrowdStrike, Jamf, and Tanium via AWS Verified Access Trust Providers, allowing you to permit access only to compliant devices.

What is the main technical difference between AVA and Client VPN?

Client VPN uses OpenVPN/TLS tunnels, whereas AVA uses a proxy-based model with Cedar policies for request-by-request authorization.

Which is more cost-effective for a small team?

AWS Client VPN is significantly cheaper for high volumes of applications, but it lacks the granular 'Zero Trust' policy engine and device posture checks native to AVA.

Can I use Okta as my identity provider for AWS Verified Access?

Yes, you can configure AVA to use any OIDC-compliant provider, such as Okta, LinkedIn, or Azure AD, for user identity.

AWS Verified Access vs Client VPN: The 2026 Guide to ZTNA Design

The traditional Client VPN is a legacy architectural debt that most enterprises are still paying interest on in 2026. While AWS Client VPN remains a functional tool for basic administrative access, the shift toward Zero Trust Network Access (ZTNA) via AWS Verified Access (AVA) represents the only viable path for modern security posture. The choice isn't just about protocols; it's about moving from a "connect-then-authenticate" model to a "continuous-verification" model where the network perimeter ceases to exist.

The Architectural Divergence: Tunnel-Based vs. Proxy-Based

To understand why AWS Verified Access (AVA) is superior for application delivery, we must analyze the packet flow difference. AWS Client VPN is an implementation of OpenVPN. It creates a Virtual Network Interface (VIF) on the client machine, assigns an IP from a CIDR block, and pushes routes into the local routing table. Once the tunnel is up, the user is "on the network." Even with Security Groups, the lateral movement surface area is massive.

AWS Verified Access operates as a managed reverse proxy. It uses the Cedar policy language to evaluate every single request against trust data. There is no tunnel. There is no client IP assigned to the user’s machine. The user interacts with a public endpoint, AVA evaluates the identity and device posture, and if permitted, it proxies the request to the internal Load Balancer (ALB) or ENI. This eliminates the entire concept of "network-level" access, moving the enforcement point to Layer 7.

Integration with Trust Providers: Identity and Device Posture

The true power of AVA lies in its ability to consume "Trust Providers." In a standard Client VPN setup, you typically rely on SAML 2.0 for a one-time authentication event. Once the session is established, that's it. AVA supports continuous evaluation by integrating with Identity Providers (IdP) and Device Management (EDR/UEM) systems.

Identity Providers: Native integration with AWS IAM Identity Center (formerly SSO) or any OIDC-compliant provider like Okta or Azure AD.
Device Trust Providers: Integration with CrowdStrike, Jamf, or Tanium. This allows you to write policies that say: "Allow access to the Production CIDR only if the user is in the 'DevOps' group AND the CrowdStrike security level is 'High'."

// Example Cedar Policy for AVA
permit(
    principal,
    action == "http-request",
    resource
)
when {
    context.identity.groups.contains("Engineers") &&
    context.device.assessment.overall_health_score == "STABLE" &&
    context.device.assessment.jamf.compliance_status == "COMPLIANT"
};

Comparing AWS Client VPN: The Use Case for Legacy

Despite the superiority of ZTNA, AWS Client VPN isn't dead. It remains the necessary evil for protocols that don't play well with Layer 7 proxies. If your engineers need to use thick-client applications that require raw TCP/UDP streams over non-standard ports (think legacy SQL Server management, custom RPC calls, or direct SSH/RDP without a jump box), AVA is a difficult fit because it is primarily optimized for HTTP/HTTPS traffic.

Furthermore, Client VPN allows for "Full Tunnel" configurations, which some highly regulated industries use to force all internet-bound traffic through a centralized inspection point (like a Transit Gateway with AWS Network Firewall). AVA cannot do this; it is inherently a "Split-Tunnel" application access solution.

Cost Analysis: The Hidden Tax of ZTNA

Let's talk hardware and licensing reality. AWS Client VPN pricing is predictable: $0.05 per endpoint association per hour + $0.05 per active client connection per hour. For 100 users active 8 hours a day, you’re looking at roughly $400-$600/month plus data transfer. It’s cheap, but it’s a "dumb" pipe.

AWS Verified Access pricing is more complex and significantly higher at scale. It charges per application ($0.20 per application per hour) and per GB processed ($0.02/GB). If you have 50 internal microservices you want to expose via AVA, the "per application" cost alone is $7,200/month. This is where the architecture requires consolidation. Smart engineers use a "Wildcard" approach or aggregate applications behind a central entry point to manage costs, but even then, AVA is positioned as a premium security product.

AVA vs. Palo Alto Prisma Access: The Enterprise Battle

For organizations already running Palo Alto Firewalls, the question is often: Why use AVA when we have Prisma Access? This comes down to the "Global Secure Access" vision. Prisma Access provides a more mature ZTNA 2.0 framework that handles all ports and protocols, not just web traffic. It also includes integrated DLP and advanced threat prevention that AVA lacks natively.

However, AVA wins on AWS-native integration. If your entire stack is in us-east-1 and eu-west-1, AVA leverages the AWS backbone and IAM ecosystem without the overhead of managing GlobalProtect agents or GRE/IPsec tunnels to a third-party SASE cloud. If you are a Palo Alto house, stay with Prisma for the unified policy engine. If you are cloud-native and moving away from global agents, AVA is the leaner choice.

Deployment Strategy: Migrating to ZTNA in 2026

Don't try to lift-and-shift your entire VPN to AVA in a weekend. The 2026 best practice is a hybrid approach. Use Client VPN for your "Backstage" administrative access (the 5% of users who need raw VPC access) and move 95% of your general staff to AVA for web-based tools (Jira, Internal Portals, HR Apps).

Step 1: The OIDC Glue

Configure AWS IAM Identity Center. This is the prerequisite. Do not attempt to manage local users for AVA. Sync your Google Workspace or Azure AD identities. This ensures that when a user is offboarded from your IdP, their access to every AVA-protected application is revoked in real-time.

Step 2: The Verified Access Instance

Create a Verified Access Instance. This is a global resource that holds your trust providers and groups. Associate it with your target VPCs via Verified Access Endpoints. These endpoints can be Load Balancer-based or Network Interface-based.

Step 3: Defining the Cedar Policies

Start with "Permit All" within the group and narrow down. Use the context.device fields to enforce that only company-managed laptops can connect. This one move eliminates the threat of unmanaged "home PCs" introducing malware into the environment.

The Verdict: AVA is the Future, Client VPN is the Crutch

AWS Client VPN is a legacy tool for a legacy mindset. It treats security as a binary state—you are either "in" or "out." In 2026, that's a recipe for a catastrophic breach. AWS Verified Access, despite its higher cost and complexity in setup, provides the granular, identity-aware, and device-aware controls that modern compliance frameworks (like SOC2 or FedRAMP High) demand. If your traffic is primarily web-based, stop building tunnels. Use a proxy.

For those struggling with the transition from VPC-reachability models to identity-aware proxies, our team at techleague.io provides the hands-on engineering expertise to refactor your AWS perimeter. Reach out to schedule a deep-dive architectural review of your current ingress patterns.