Map an AWS VPC CIDR to a single NATed IP address using a Private NAT Gateway to communicate over a VPN connection.
If your on-premises team can only allow a single IP address from the AWS VPC, you can NAT the traffic over an AWS Site-to-Site VPN. Since NATing is not supported on the AWS Site-to-Site VPN connection itself, a Private NAT Gateway can be used to map the AWS VPC CIDR to a single IP address.
Architecture:
NAT Gateway Subnet Configuration:
Step 1: Create the subnet that has a route pointing to the Transit Gateway.
For example:
100.0.0.1/32 > Transit Gateway (On-Premises)
Private NAT Gateway Configuration:
Step 2: Create a Private NAT gateway:
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- Choose NAT Gateways.
- Create the NAT gateway using the steps below:
- Specify a name for the NAT gateway.
- Select the subnet that has the route to the TGW (100.0.0.1/32 > Transit Gateway).
- Select the Connectivity type as Private to create a private NAT gateway.
Step 3: Update the source subnets' route table with a route for 100.0.0.1/32 pointing to the NAT gateway.
Step 4: When the Private NAT Gateway receives the traffic, it looks up the route and forwards the traffic to the Transit Gateway (TGW).
Transit Gateway Configuration:
Step 5: The Transit Gateway should have routes pointing to two attachments as follows:
- 100.0.0.1/32 --> tgw-attach-vpn (add a static route if you are using a static VPN)
- 172.168.0.0/16 --> tgw-attach-vpc
Important: Ensure that the Private NAT Gateway's subnet/AZ is enabled in the VPC attachment, or another subnet that belongs to the same AZ where the NAT Gateway resides.
Note: This setup is valid for unidirectional traffic flow only, i.e., from AWS to on-premises.
You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, but external services cannot initiate a connection with those instances.
If you need bidirectional traffic flow, a NAT instance can be used instead.
For more details, please refer to the documents below:
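The same five steps expressed as Terraform, as an added example that is not part of the original page and not AWS's own code. The VPC, Transit Gateway, VPN attachment and TGW route table are assumed to already exist and are passed in as placeholder IDs; the subnet CIDRs, names and the availability zone are assumptions. The values 100.0.0.1/32 and 172.168.0.0/16 are the ones used in the steps above.

```terraform
# Added example (not from the original page). Placeholder IDs and 172.168.x
# subnet CIDRs are assumptions; replace them with your own.
variable "vpc_id"             { default = "vpc-PLACEHOLDER" }             # existing VPC, CIDR 172.168.0.0/16
variable "transit_gateway_id" { default = "tgw-PLACEHOLDER" }
variable "vpn_attachment_id"  { default = "tgw-attach-vpn-PLACEHOLDER" }  # Site-to-Site VPN attachment
variable "tgw_route_table_id" { default = "tgw-rtb-PLACEHOLDER" }
variable "az"                 { default = "us-east-1a" }

# Step 1: dedicated subnet for the NAT gateway; its route table sends the
# on-premises /32 to the Transit Gateway.
resource "aws_subnet" "natgw" {
  vpc_id            = var.vpc_id
  cidr_block        = "172.168.255.0/28"   # assumed small subnet inside the VPC CIDR
  availability_zone = var.az
  tags              = { Name = "private-natgw-subnet" }
}

resource "aws_route_table" "natgw" {
  vpc_id = var.vpc_id
}

resource "aws_route" "natgw_to_tgw" {
  route_table_id         = aws_route_table.natgw.id
  destination_cidr_block = "100.0.0.1/32"
  transit_gateway_id     = var.transit_gateway_id
}

resource "aws_route_table_association" "natgw" {
  subnet_id      = aws_subnet.natgw.id
  route_table_id = aws_route_table.natgw.id
}

# Step 2: the private NAT gateway (no Elastic IP). On-premises only ever sees
# this gateway's private IP as the source of VPC traffic.
resource "aws_nat_gateway" "private" {
  subnet_id         = aws_subnet.natgw.id
  connectivity_type = "private"
  tags              = { Name = "private-natgw" }
}

# Step 3: the workload (source) subnet's route table sends 100.0.0.1/32 to the
# NAT gateway instead of directly to the TGW.
resource "aws_subnet" "workload" {
  vpc_id            = var.vpc_id
  cidr_block        = "172.168.10.0/24"    # assumed workload subnet
  availability_zone = var.az
}

resource "aws_route_table" "workload" {
  vpc_id = var.vpc_id
}

resource "aws_route" "workload_to_natgw" {
  route_table_id         = aws_route_table.workload.id
  destination_cidr_block = "100.0.0.1/32"
  nat_gateway_id         = aws_nat_gateway.private.id
}

resource "aws_route_table_association" "workload" {
  subnet_id      = aws_subnet.workload.id
  route_table_id = aws_route_table.workload.id
}

# Per the "Important" note: the VPC attachment must include the NAT gateway's
# subnet (or another subnet in the same AZ) so return traffic can reach it.
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  transit_gateway_id = var.transit_gateway_id
  vpc_id             = var.vpc_id
  subnet_ids         = [aws_subnet.natgw.id]
}

# Step 5: TGW routes. The on-premises /32 goes to the VPN attachment (static
# route, as for a static VPN); the VPC CIDR goes back to the VPC attachment.
resource "aws_ec2_transit_gateway_route" "to_onprem" {
  destination_cidr_block         = "100.0.0.1/32"
  transit_gateway_attachment_id  = var.vpn_attachment_id
  transit_gateway_route_table_id = var.tgw_route_table_id
}

resource "aws_ec2_transit_gateway_route" "to_vpc" {
  destination_cidr_block         = "172.168.0.0/16"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc.id
  transit_gateway_route_table_id = var.tgw_route_table_id
}

# The single address the on-premises team needs to allow.
output "nat_private_ip" {
  value = aws_nat_gateway.private.private_ip
}
```

Step 4 needs no configuration: once the NAT gateway's subnet carries the 100.0.0.1/32 route from Step 1, the gateway forwards translated packets to the TGW on its own. After `terraform apply`, hand the `nat_private_ip` output to the on-premises team as the allowed source. Because every VPC instance now appears on-premises as that one address, on-premises logs can no longer attribute a connection to a specific instance; keep VPC Flow Logs enabled on the NAT gateway's subnet so that attribution can still be done on the AWS side during an investigation.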