VPNs are typically used to make a secure connection between two entities, however, the term VPN has taken on a lot of different meanings over the last several years. Today VPNs aren't just used for secure communication, they are also used as a proxy server to mask who you really are.
For the purposes of this discussion, we're going to discuss VPNs as the original intention which is to provide a secure line of traffic between two points. AWS Support two types of VPNs (Site-to-Site and Client VPNs), that you can set up and configure. Depending on your use case you may choose one or both.
Site-To-Site or Point-to-Point VPNs are typically used to connect an on-premises network to your Amazon Virtual Private Cloud (Amazon VPC). When this type of VPN is set up, it's done at a network level by establishing a tunnel between two VPN services (hardware appliances or servers running a VPN software package like OpenSwan). The two endpoints create and maintain the secure tunnel, while you as a user on the network simply traverse the network without any special configurations. Any traffic that that isn't part of your normal network (say network A), would be inspected and routed somewhere else. In some cases that might be the internet, but if the endpoint matched something on network B, then the router would send those packets to the VPN endpoint and then send them out to network B.
The authentication happens during the tunnel handshaking which in most cases is done with IPSec using a secret key that is shared between the two parties. Just keep in mind that this allows all traffic through the tunnel (it's not limited to specific users)
Authorization for what traffic is allowed through is done with security groups. This is done on a resource or network level and is not bound to a specific user traversing the system.
A client VPN is probably what most end users are used to. This is where your run a client VPN software that connects to a server in the cloud or at a corporate office. Once you are connected you are then able to access the resources on that system, which may be one server or an entire network. Incidentally, this is typically the type that is also used for masking. While you could do this with AWS, if that's your only reason, you should look into the free other VPN solutions that are either free or bundled in with other services like anti-virus packages. For example, BitDefender has a VPN client as part of its anti-virus software package. You may even get one bundled with password manager software like Dashlane.
Companies will usually require a client VPN if a site-to-site does not work for their use case, such as people on the go. If you travel for work, which could be flying across the country, the world, working from a coffee shop and you need access to systems that aren't available through the public internet, then a client VPN is what you'll need.
With a Client VPN, you get more granular with authentication and it is established at the first contact with the AWS Cloud. At this point, it's used to determine if you can even access the cloud through the Client VPN endpoint. If the authentication is successful, then a connection is established a VPN session is created. If it's not, then the client is prevented from establishing a session.
AWS Supports the following two types of client authentication:
User-based is just as it sounds, you have a specific user and a password. You can manage your users with Active Directory Authentication or by implementing a Single Sign-On with SAML-Based Federation Authentication.
Certificate-Based is also referred to as Mutual Authentication, where a Client VPN uses certificates to perform authentication between the client and the server. These are similar to SSH keys which create a digital identification mechanism. You can use OpenVPN to create the server certificate and key as well as the client certificate and key.
Authorization is handled by using security groups. The security group is applied to the Client VPN endpoint, which means it's based on that resource and not the specific user logging in. Based on that security group you can allow traffic to other specific resources. For example, you could allow MySQL traffic by binding the Client VPN endpoints security group as a source to your MySQL security group allowing port 3306 (or whatever port you have configured).