diff --git a/README.md b/README.md
index 9ce470c..729a728 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,8 @@ The following resources will be created:
 | authentication\_saml\_provider\_arn | (Optional) The ARN of the IAM SAML identity provider if type is federated-authentication. | `any` | `null` | no |
 | authentication\_type | The type of client authentication to be used. Specify certificate-authentication to use certificate-based authentication, directory-service-authentication to use Active Directory authentication, or federated-authentication to use Federated Authentication via SAML 2.0. | `string` | `"certificate-authentication"` | no |
 | cidr | Network CIDR to use for clients | `any` | n/a | yes |
+| client\_connect\_options | Indicates whether client connect options are enabled | `bool` | `false` | no |
+| connection\_authorization\_lambda\_function\_arn | The Amazon Resource Name (ARN) of the Lambda function used for connection authorization. | `any` | `null` | no |
 | dns\_servers | List of DNS Servers | `list(string)` | `[]` | no |
 | enable\_self\_service\_portal | Specify whether to enable the self-service portal for the Client VPN endpoint | `bool` | `false` | no |
 | logs\_retention | Retention in days for CloudWatch Log Group | `number` | `365` | no |
diff --git a/_variables.tf b/_variables.tf
index b567d76..b887373 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -74,3 +74,14 @@ variable "enable_self_service_portal" {
 default = false
 description = "Specify whether to enable the self-service portal for the Client VPN endpoint"
 }
+
+variable "client_connect_options" {
+ type = bool
+ default = false
+ description = "Indicates whether client connect options are enabled"
+}
+
+variable "connection_authorization_lambda_function_arn" {
+ default = null
+ description = "The Amazon Resource Name (ARN) of the Lambda function used for connection authorization."
+}
\ No newline at end of file
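Review bot: `variable "connection_authorization_lambda_function_arn"` in the _variables.tf hunk is declared without a `type`, so it is accepted as `any` (the README table says as much) while its sibling `client_connect_options` pins `type = bool`; add `type = string` so a wrongly shaped value is rejected at plan time instead of by the API. The description should also state that the ARN becomes required once `client_connect_options` is true, because that is the only case in which vpn-endpoint.tf forwards it, e.g. `description = "ARN of the Lambda function used for connection authorization. Required when client_connect_options is true."`. AWS additionally documents that the client connect handler's function name must begin with `AWSClientVPN-`; if the module wants to fail early on that, a `validation` block on this variable is the place, though the exact constraint should be confirmed against the current AWS documentation.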
diff --git a/vpn-endpoint.tf b/vpn-endpoint.tf
index 67d77f4..4cbaa54 100644
--- a/vpn-endpoint.tf
+++ b/vpn-endpoint.tf
@@ -20,6 +20,11 @@ resource "aws_ec2_client_vpn_endpoint" "default" {
 cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
 }
 
+ client_connect_options {
+ enabled = var.client_connect_options
+ lambda_function_arn = var.client_connect_options != true ? null : var.connection_authorization_lambda_function_arn
+ }
+
 tags = merge(
 var.tags,
 tomap({
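Review bot: The `lambda_function_arn` expression in the added `client_connect_options` block evaluates to `null` whenever `var.client_connect_options` is true but `var.connection_authorization_lambda_function_arn` was left at its `null` default, so a misconfigured deployment only surfaces as an apply-time error from the API rather than a plan-time one, and because this Lambda is the endpoint's connection-authorization check, the distinction matters for anyone reviewing the plan. If the module's required Terraform version permits it, a `lifecycle { precondition { ... } }` on the resource makes the dependency explicit at plan time; the ternary would also read more directly as `var.client_connect_options ? var.connection_authorization_lambda_function_arn : null`. The `aws_ec2_client_vpn_endpoint.default` resource starts before and ends after this hunk, so the block below goes inside it, next to the existing `tags` argument.

```hcl
  client_connect_options {
    enabled             = var.client_connect_options
    lambda_function_arn = var.client_connect_options ? var.connection_authorization_lambda_function_arn : null
  }

  # … unchanged: tags = merge(...) …

  lifecycle {
    precondition {
      condition     = !var.client_connect_options || var.connection_authorization_lambda_function_arn != null
      error_message = "connection_authorization_lambda_function_arn must be set when client_connect_options is true."
    }
  }
```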