How to set up a NAT Gateway together with a VPN

0

DISCLAIMER: I am still a noob in this area so forgive me in advance for any wrong concept I may have.

A little bit of context on what I am trying to do... Right now, we have an in-house big server with VMware Workstation Pro and many VMs. Aside from that we have a hardware VPN. The VMware VMs are all for internal usage (they are not accessed from outside) and the only way we connect to them is via the VPN and local IPs.

We are now trying to move to AWS. For example, each VMware VM will be replaced by an EC2 instance, etc. So far, I have a VPN set up following this guide. I can connect to the VPN from my Mac and everything works perfectly (I can access each EC2 instance with their private IPs, etc.). Additionally, I can also confirm that both my Mac and the EC2 instances have access to the internet while connected to the VPN.

However, for this to work, all my EC2 instances need to have a public IPv4 address. And I don't really want these EC2 instances to have a public IP, for security reasons. I don't want these machines to be "seen" from outside, as they are completely for internal usage and only accessed from the VPN. For example, right now, with the public IP I can still SSH/ping/whatever them. That's what I don't want.

My first experiment was to remove the public IPs from the EC2 instances. This brings the security aspect I want and I can access the machines with their private IPs over the VPN. However... the EC2 instances cannot connect to the internet when I do this.

From what I have been reading, I need a NAT Gateway. The problem is that I am not sure how to set this up in combination with the VPN setup I have.

Currently, this is what I have:

  • I have a VPC with IPv4 CIDR 172.31.0.0/16 and 3 public subnets, one for each AZ (Availability Zone). That is, us-east-2a (172.31.0.0/20), us-east-2b (172.31.16.0/20) and us-east-2c (172.31.32.0/20).
  • All EC2 instances are created within the us-east-2a (172.31.0.0/20) subnet.
  • The VPC has an internet gateway attached.
  • I have a Client VPN endpoint with Client CIDR 10.0.0.0/22, and it has one of the subnets associated as a "Target network association": the one in us-east-2a (172.31.0.0/20).
  • The endpoint has a security group which has an outbound rule to allow all traffic.
  • The endpoint has "Authorization rules" to allow the whole VPC (destination CIDR 172.31.0.0/16) and another rule for destination 0.0.0.0/0.
  • The endpoint has a "Route table" entry to allow all traffic for the selected subnet (172.31.0.0/20).

Any help would be appreciated.

3 Answers
2
Accepted Answer

Create a NAT Gateway in each AZ

  • us-east-2a (172.31.0.0/20) (will call this NATGW a)
  • us-east-2b (172.31.16.0/20) (will call this NATGW b)
  • us-east-2c (172.31.32.0/20) (will call this NATGW c)

These 3 can share the same route table. Make sure 0.0.0.0/0 routes to the IGW (Internet Gateway). It would look like this

0.0.0.0/0 route to IGWXXX
172.31.0.0/16 local

Create 3 private subnets, one in each AZ. Now the CIDR range depends on you, on how many "host" IP addresses you require in each subnet. To point out, your /20 for public is massive... For argument's sake, I will specify an example

  • us-east-2a (172.31.48.0/24) (will call this private a)
  • us-east-2b (172.31.49.0/24) (will call this private b)
  • us-east-2c (172.31.50.0/24) (will call this private c)

Create a new route table and associate it with the private a subnet. It should look like this

0.0.0.0/0 route to NATGW a
172.31.0.0/16 local

Create a new route table and associate it with the private b subnet. It should look like this

0.0.0.0/0 route to NATGW b
172.31.0.0/16 local

Create a new route table and associate it with the private c subnet. It should look like this

0.0.0.0/0 route to NATGW c
172.31.0.0/16 local

This page may help with subnetting... https://www.calculator.net/ip-subnet-calculator.html

Also note, for high availability, associate your VPN endpoint with ALL 3 AZs. Also note, you should update your VPN endpoint route table to be 172.31.0.0/16 and not 172.31.0.0/20, otherwise you will not be able to access any other subnets! OR to 172.31.48.0/22 if you just want it to route to the private subnets as I used in my example. Subnetting is a wonderful thing and you may want to resize/move the networks around depending on requirements.

Don't forget to accept the answer if this helps you and others.. Gary

answered 2 years ago
  • Hi Gary! Thanks for your excellent reply! I am testing it right now and will get back to you with news. In the meanwhile, let me ask 2 questions...

    1. When you said "Also note, for high availability Associate your VPN End point to ALL 3 AZ's.", I guess you mean all PUBLIC AZ subnets, right? Right now I have it associated only to public us-east-2a.
    2. "to be 172.31.0.0/16 and not 172.31.0.0/20": the route table of my VPN has destination CIDRs of 0.0.0.0/0 and 172.31.0.0/16, both with target subnet us-east-2a. Also an authorization rule to 172.31.0.0/16 and 0.0.0.0/0. Is this OK? Thanks A LOT
    1. Yes and no. Not sure if you are aware, but the VPN doesn't actually come in over the public internet via that subnet; it's a back door into your VPC. Your target network association is where the VPN pops out into. You have a NAT'd IP address on that subnet you set as a target network association. You can make this a private subnet also if you wish. To make it HA, add a subnet in each AZ.

    2. Ah OK, I misunderstood. So, this is down to you. 0.0.0.0/0 will cover ALL networks and you don't need 172.31.0.0/16. If you run split tunnel, you may as well just use 172.31.0.0/16. As I mentioned, you can just define your private subnet range. Again this is personal choice. If it's like OpenVPN server (I need to double check, but I'm pretty sure), the network routes are populated to your VPN client once authenticated. This is where the split tunnel configuration comes into effect. When you connect to your VPN and split tunnel is disabled, ALL traffic will route over the VPN. If you enable split tunnel and just list 172.31.0.0/16 on the VPN, any traffic to your VPC will traverse the VPN and ALL other traffic will route directly out of your interface. You can see this behaviour using traceroute.

    Yeah, please do let me know how you get on.. Happy to help

  • Hi Gary, once again, thanks a lot for your wonderful replies. You were precise and helpful and I was able to achieve what I was looking for. Much appreciated! Regarding 1), my only doubt is whether the VPN popping out into a private subnet would be any more secure than popping out into a public subnet. In other words, whether there is any security aspect improved by using a private subnet... but I think not. Regarding 2), I think it's clear. Thanks. For the moment I am OK with not using split tunnel and leaving the default behaviour. Unless the internet traffic through the VPN increases networking cost?

0

Why do you need a NAT Gateway or static IP? The Client VPN endpoint does not work over your internet/NAT gateway.

The Client VPN endpoint is separate from your internet connectivity into your VPC. You don't need a NAT Gateway for Client VPN to work.

What's the problem you are having? Do you want split tunnel enabled so that when connected via VPN you can access your internal services while all other traffic bypasses the VPN and routes directly following your Mac's default route?

If you need a NAT Gateway, the default route 0.0.0.0/0 in the private subnet in each AZ would route to said NAT Gateway. The default route in the subnet the NAT gateway exists in would be the internet gateway.

This means your EC2s will not need a public IP. If you need to connect to your EC2's over VPN, use their private IP.

Hope this helps.. please ask away

answered 2 years ago
  • Hi Gary. Thanks for your answer! I have just updated my question trying to answer your questions. Please let me know if it is clearer. Thanks!

  • Hey, I have created a new answer for you now.. Thanks

0

It sounds like you're on the right path.

The next thing to do is create some more subnets. Your current set of subnets, it sounds like, are "public", one per AZ, with default routing to the IGW. You need another set of "nat" subnets (sometimes called "private") that allow only outbound internet access by having a default route to a NAT GW. You may also choose to have another set of truly private subnets that have no internet connectivity at all.

For each AZ you use, create a NAT GW instance in the corresponding public subnet. Then in the corresponding "nat" subnet, the default route should be to this same NAT GW instance in the same AZ.

None of this will interfere with your Client VPN setup.

answered 2 years ago
  • Hi. Thanks for your answer! I updated the question. You are correct, I have 1 public subnet for each AZ. I will create the private "nat" subnets as you suggest, but I am not sure which IPv4 CIDR block to use for each of them. Could you help me with that please? I think I can handle the rest! In the question you can see that I am only interested in us-east-2a, us-east-2b and us-east-2c. Thanks in advance!
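The layout described in the accepted answer and in the answer above (public subnet with the IGW default route and a NAT gateway per AZ, a private subnet per AZ whose default route points at the NAT gateway in its own AZ, and a Client VPN route that actually covers the private subnets) can be checked before anything is created in the console. The following is an added example and not code from the thread or from AWS; it uses only the Python standard library and the addressing from the question (VPC 172.31.0.0/16, the three public /20s, Client VPN CIDR 10.0.0.0/22). The labels `igw` and `natgw-<az>` stand in for real AWS resource IDs, and the /24 private subnet size is the one Gary picked as an example.

```python
"""Plan and sanity-check the per-AZ NAT-gateway layout from the thread.

Added example; not the thread's or AWS's own code. Resource names such as
"igw" and "natgw-us-east-2a" are placeholders for the real IDs you would
see in the console.
"""
import ipaddress
import itertools

# Addressing from the question (constructed inputs, matching the post).
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
CLIENT_VPN_CIDR = ipaddress.ip_network("10.0.0.0/22")
PUBLIC_SUBNETS = {
    "us-east-2a": ipaddress.ip_network("172.31.0.0/20"),
    "us-east-2b": ipaddress.ip_network("172.31.16.0/20"),
    "us-east-2c": ipaddress.ip_network("172.31.32.0/20"),
}


def allocate_private_subnets(vpc, public, prefix=24):
    """One private subnet per AZ, carved from VPC space no public subnet uses.

    Walks the VPC in prefix-sized blocks and hands out the first free ones
    in AZ order, so nothing overlaps the existing public /20s.
    """
    used = list(public.values())
    free = [blk for blk in vpc.subnets(new_prefix=prefix)
            if not any(blk.overlaps(u) for u in used)]
    azs = sorted(public)
    if len(free) < len(azs):
        raise ValueError("VPC has no room for one /%d per AZ" % prefix)
    return dict(zip(azs, free[:len(azs)]))


def route_tables(vpc, public, private):
    """Route table per subnet, keyed by subnet CIDR.

    Public subnets default to the internet gateway; each private subnet
    defaults to the NAT gateway that sits in the public subnet of its own AZ,
    so an AZ outage does not take out another AZ's egress.
    """
    tables = {}
    for az, net in public.items():
        tables[str(net)] = {str(vpc): "local", "0.0.0.0/0": "igw"}
    for az, net in private.items():
        tables[str(net)] = {str(vpc): "local", "0.0.0.0/0": "natgw-" + az}
    return tables


def inbound_reachable(table):
    """True if the subnet's default route is the IGW.

    Only such subnets can host instances that are reachable from the internet
    (given a public IP and permissive security group). A NAT-gateway default
    route gives outbound-only connectivity, which is the point of the design.
    """
    return table.get("0.0.0.0/0") == "igw"


def covering_prefix(nets):
    """Smallest single CIDR that contains every network in nets.

    Useful for the Client VPN route/authorization rule when you only want
    to expose the private subnets rather than the whole VPC.
    """
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        cand = ipaddress.ip_network("%s/%d" % (lo, plen), strict=False)
        if hi in cand:
            return cand


def check_plan(vpc, public, private, client_cidr, vpn_route):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    subnets = list(public.values()) + list(private.values())
    for a, b in itertools.combinations(subnets, 2):
        if a.overlaps(b):
            problems.append("%s overlaps %s" % (a, b))
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append("%s is outside the VPC %s" % (s, vpc))
    # Client VPN hands clients addresses from client_cidr; if that overlapped
    # the VPC, return traffic would be ambiguous.
    if client_cidr.overlaps(vpc):
        problems.append("Client VPN CIDR %s overlaps the VPC" % client_cidr)
    # The Client VPN route table must cover the private subnets, or clients
    # will reach the associated /20 but nothing else (Gary's warning).
    for az, net in private.items():
        if not net.subnet_of(vpn_route):
            problems.append("VPN route %s does not cover %s (%s)" % (vpn_route, net, az))
    return problems


if __name__ == "__main__":
    private = allocate_private_subnets(VPC_CIDR, PUBLIC_SUBNETS)
    for cidr, table in route_tables(VPC_CIDR, PUBLIC_SUBNETS, private).items():
        print(cidr, table, "inbound-reachable" if inbound_reachable(table) else "egress-only")
    print("VPN route covering only private subnets:", covering_prefix(private.values()))
    print("Problems with the /20 VPN route:",
          check_plan(VPC_CIDR, PUBLIC_SUBNETS, private, CLIENT_VPN_CIDR,
                     ipaddress.ip_network("172.31.0.0/20")))
```

Run as written, the planner reproduces Gary's 172.31.48.0/24, 172.31.49.0/24 and 172.31.50.0/24, shows that 172.31.48.0/22 is the tightest single route covering them, and flags the asker's original 172.31.0.0/20 Client VPN route as not reaching any of the private subnets, while 172.31.0.0/16 passes clean. The `inbound_reachable` check is the one to keep in mind when reviewing the result: removing public IPs only helps because the private subnets have no IGW route at all.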
