
How Can I Force Traffic from Private Subnets to Appear as a Single NAT private IP for a VPN Site-to-Site Connection?

0

I’m establishing a VPN site-to-site connection with a remote endpoint that only accepts two whitelisted private IP addresses. My goal is to have all outbound traffic from a pool of EC2 instances (in a private subnet) appear as a single, designated private NAT IP that matches one of those whitelisted addresses.

I currently have set up the following:

  • A pool of EC2 instances resides in a private subnet.
  • The private subnet uses a route table that directs all outbound traffic to a private NAT Gateway located in a public subnet.
  • The public subnets have a route table with the following routes:
    • 0.0.0.0/0 → Internet Gateway (IGW)
    • 192.168.116.0/24 → Virtual Private Gateway (for the VPN host-to-host connection)

The VPN connection has been tested and works when traffic originates from the whitelisted IP (it was tested on the public subnet).

Currently, when EC2 instances in the private subnet send traffic destined for the remote VPN network, the source IP remains the instance’s private IP rather than being NAT’ed to the private NAT Gateway’s IP. Because the remote endpoint only whitelists two specific IP addresses, I need all traffic from these private instances to appear as coming from the private NAT Gateway’s IP.

asked 8 months ago, 182 views
1 Answer
0

To achieve your goal of having all outbound traffic from your EC2 instances in the private subnet appear as a single, designated private NAT IP for your VPN Site-to-Site connection, you'll need to make some adjustments to your current setup. Here's how you can modify your configuration:

  1. Create a new subnet with a CIDR block that includes the whitelisted private IP address you want to use. This subnet should be in the same VPC as your other resources.

  2. Deploy a private NAT gateway in this new subnet. Assign it the specific private IP address that matches one of the whitelisted addresses accepted by your remote VPN endpoint.

  3. Update the route table associated with your private subnet (where your EC2 instances reside). Add a route that sends traffic destined for the remote VPN network (192.168.116.0/24 in your case) through the private NAT gateway you just created.

  4. In the route table for the subnet containing the private NAT gateway, add a route that directs traffic for the remote VPN network (192.168.116.0/24) to the Virtual Private Gateway.

  5. Ensure that your VPN configuration on the AWS side is set up to route traffic from the private NAT gateway's IP through the VPN tunnel.

  6. On the remote VPN endpoint, make sure that the routing is configured to send return traffic for the private NAT gateway's IP address back through the VPN tunnel.

With this setup, traffic from your EC2 instances in the private subnet will first go through the private NAT gateway, where it will be source NATed to the specified private IP address. Then, this traffic will be routed through the Virtual Private Gateway and over the VPN tunnel to your remote endpoint.

This approach allows you to control the source IP of the traffic going through the VPN tunnel while maintaining the security benefits of keeping your EC2 instances in a private subnet. Remember to test the configuration thoroughly to ensure all routing and NAT processes are working as expected.
Sources
Route Egress Traffic through NAT Gateway to VPN Gateway | AWS re:Post
EC2 access to internet in private subnet | AWS re:Post
Global IP address by NAT Gateway | AWS re:Post

answered 8 months ago
EXPERT
reviewed 8 months ago
  • My setup mimics this one. I checked from within one of the EC2 instances and tracked the packet with traceroute. It seems to leave through the NAT Gateway, but the packet doesn't jump to anywhere else.
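The two-hop path in the answer above (instance subnet → private NAT gateway for the remote CIDR, NAT gateway's subnet → Virtual Private Gateway for the same CIDR) is easy to get half right, which is exactly the "leaves through the NAT Gateway but goes nowhere" symptom. The check below is an added example, not code from the question or the answer: it walks the route tables the way the VPC router does (longest-prefix match, explicit association before the main table) and confirms the NAT gateway is private and carries the whitelisted IP. The resource IDs and addresses are constructed placeholders; on a live account the same dict shapes come from boto3's `describe_route_tables()["RouteTables"]` and `describe_nat_gateways()["NatGateways"]`.

```python
import ipaddress

# Constructed sample mirroring the answer's layout; IDs/IPs are placeholders, not from the page.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-egress"},
                {"DestinationCidrBlock": "192.168.116.0/24", "NatGatewayId": "nat-vpn"}]},
    {"RouteTableId": "rtb-nat", "Associations": [{"SubnetId": "subnet-nat"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "192.168.116.0/24", "GatewayId": "vgw-site"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-vpn", "SubnetId": "subnet-nat",
                 "ConnectivityType": "private",
                 "NatGatewayAddresses": [{"PrivateIp": "10.0.200.10"}]}]

def route_for(table, dst_ip):
    """Pick the route the VPC router would use: longest active prefix that contains dst_ip."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for r in table["Routes"]:
        if r.get("State", "active") != "active" or "DestinationCidrBlock" not in r:
            continue  # skip blackholed and non-IPv4 routes
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best[1] if best else None

def table_for_subnet(tables, subnet_id):
    """An explicitly associated table wins; otherwise the VPC main table applies."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    for t in tables:
        if any(a.get("Main") for a in t["Associations"]):
            return t
    raise ValueError(f"no route table found for {subnet_id}")

def check_vpn_nat_path(tables, nat_gws, app_subnet, nat_gw_id, vgw_id, remote_ip, wanted_ip):
    """Return a list of findings; an empty list means the path matches the answer's steps 2-4."""
    findings = []
    hop1 = route_for(table_for_subnet(tables, app_subnet), remote_ip)
    if not hop1 or hop1.get("NatGatewayId") != nat_gw_id:
        findings.append(f"{app_subnet}: {remote_ip} is not routed via {nat_gw_id} (got {hop1})")
    gw = next((g for g in nat_gws if g["NatGatewayId"] == nat_gw_id), None)
    if gw is None:
        return findings + [f"{nat_gw_id} does not exist"]
    if gw.get("ConnectivityType") != "private":
        findings.append(f"{nat_gw_id} is not a private NAT gateway")
    if wanted_ip not in {a["PrivateIp"] for a in gw["NatGatewayAddresses"]}:
        findings.append(f"{nat_gw_id} will not SNAT to the whitelisted {wanted_ip}")
    hop2 = route_for(table_for_subnet(tables, gw["SubnetId"]), remote_ip)
    if not hop2 or hop2.get("GatewayId") != vgw_id:
        findings.append(f"{gw['SubnetId']}: {remote_ip} is not routed via {vgw_id} (got {hop2})")
    return findings
```

Run it against a host in the remote network (any address in 192.168.116.0/24) and the whitelisted IP you expect; each finding names the hop that is missing, so a non-empty list tells you which route table or NAT gateway attribute to fix.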
