Create a NAT Gateway in each AZ
- us-east-2a (172.31.0.0/20) (will call this NATGW a)
- us-east-2b (172.31.16.0/20) (will call this NATGW b)
- us-east-2c (172.31.32.0/20) (will call this NATGW c)
These 3 can share the same route table. Make sure 0.0.0.0/0 routes to the IGW (Internet Gateway). It would look like this:
0.0.0.0/0 route to IGWXXX
172.31.0.0/16 local
Create 3 private subnets, one in each AZ. Now the CIDR range depends on you, on how many "host" IP addresses you require in each subnet. To point out, your /20 for public is massive... For argument's sake, I will specify an example:
- us-east-2a (172.31.48.0/24) (will call this private a)
- us-east-2b (172.31.49.0/24) (will call this private b)
- us-east-2c (172.31.50.0/24) (will call this private c)
Create a new route table and associate it with the private a subnet. It should look like this:
0.0.0.0/0 route to NATGW a
172.31.0.0/16 local
Create a new route table and associate it with the private b subnet. It should look like this:
0.0.0.0/0 route to NATGW b
172.31.0.0/16 local
Create a new route table and associate it with the private c subnet. It should look like this:
0.0.0.0/0 route to NATGW c
172.31.0.0/16 local
This page may help with subnetting... https://www.calculator.net/ip-subnet-calculator.html
Also note, for high availability associate your VPN endpoint to ALL 3 AZs. Also note, you should update your VPN endpoint route table to be 172.31.0.0/16 and not 172.31.0.0/20, otherwise you will not be able to access any other subnets! OR to 172.31.48.0/22 if you just want it to route to the private subnets as I used in my example. Subnetting is a wonderful thing and you may want to resize/move the networks around depending on requirements.
Don't forget to accept the answer if this helps, to help you and others.. Gary
Why do you need a NAT Gateway or Static IP? The VPN Client Endpoint does not work over your Internet/NAT Gateway.
The VPN Client Endpoint is separate from your internet connectivity into your VPC. You don't need a NAT Gateway for the VPN Client to work.
What's the problem you are having? Do you want split tunnel enabled so that when connected via VPN you can access your internal services while all other traffic bypasses the VPN and routes directly following your Mac's default route?
If you need a NAT Gateway, the default route 0.0.0.0/0 in the private subnet in each AZ would route to said NAT Gateway. The default route in the subnet where the NAT Gateway exists would be the Internet Gateway.
This means your EC2s will not need a public IP. If you need to connect to your EC2s over VPN, use their private IP.
Hope this helps.. please ask away
Hi Gary. Thanks for your answer! I have just updated my question trying to answer your questions. Please let me know if it is clearer. Thanks!
Hey, I have created a new answer for you now.. Thanks
It sounds like you're on the right path.
The next thing to do is create some more subnets. It sounds like your current set of subnets are "public", one per AZ, with default routing to the IGW. You need another set of "nat" subnets (sometimes called "private") that allow only outbound internet access by having a default route to a NAT GW. You may also choose to have another set of truly-private subnets that have no internet connectivity at all.
For each AZ you use, create a NAT GW instance in the corresponding public subnet. Then in the corresponding "nat" subnet, the default route should be to this same NAT GW instance in the same AZ.
None of this will interfere with your Client VPN setup.
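As an added example (not code from this thread or from AWS), here is a Python check of the addressing and routing plan in Gary's answer above combined with the per-AZ NAT guidance in this answer: it verifies that the subnets fit inside the VPC without overlapping, that each private subnet's default route points at a NAT gateway in its own AZ, and that a Client VPN route such as 172.31.48.0/22 actually reaches the private subnets. The dict layout and the gateway names are this example's own assumptions.

```python
import ipaddress

# Constructed plan using the thread's example addressing inside VPC 172.31.0.0/16:
# /20 public subnets (where the NAT gateways sit) and /24 private subnets.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
PLAN = {
    "public": {"us-east-2a": "172.31.0.0/20", "us-east-2b": "172.31.16.0/20",
               "us-east-2c": "172.31.32.0/20"},
    "private": {"us-east-2a": "172.31.48.0/24", "us-east-2b": "172.31.49.0/24",
                "us-east-2c": "172.31.50.0/24"},
}
# Which AZ (public subnet) each NAT gateway lives in; names are this example's own.
NAT_GATEWAYS = {"natgw-a": "us-east-2a", "natgw-b": "us-east-2b", "natgw-c": "us-east-2c"}
# Default-route target (0.0.0.0/0) of the route table attached to each private subnet.
PRIVATE_DEFAULT_ROUTE = {"us-east-2a": "natgw-a", "us-east-2b": "natgw-b",
                         "us-east-2c": "natgw-c"}


def validate_plan(plan, vpc=VPC_CIDR):
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems, nets = [], []
    for tier, by_az in plan.items():
        for az, cidr in by_az.items():
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(vpc):
                problems.append(f"{tier}/{az} {cidr} is outside the VPC {vpc}")
            nets.append((f"{tier}/{az}", net))
    # Every pair of subnets must be disjoint, or the VPC will refuse to create them.
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} overlaps {name_b}")
    return problems


def cross_az_routes(nat_gateways, private_routes):
    """AZs whose private subnet default-routes to a NAT gateway in a different AZ.

    Such a route works but couples that AZ's egress to another AZ's health."""
    return [az for az, gw in private_routes.items() if nat_gateways[gw] != az]


def vpn_route_covers_private(plan, vpn_route_cidr):
    """True if the Client VPN route table entry reaches every private subnet."""
    route = ipaddress.ip_network(vpn_route_cidr)
    return all(ipaddress.ip_network(c).subnet_of(route) for c in plan["private"].values())
```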
Hi. Thanks for your answer! I updated the question. You are correct, I have 1 public subnet for each AZ. I will create the private "nat" subnets as you suggest but I am not sure which IPv4 CIDR block to use for each of them. Could you help me with that please? I think I can handle the rest! In the question you can see that I am only interested in us-east-2a, us-east-2b and us-east-2c. Thanks in advance!
Hi Gary! Thanks for your excellent reply! I am testing it right now and will get back to you with news. In the meantime, let me ask 2 questions...
Yes and No. Not sure if you are aware, but the VPN doesn't actually come in over the public internet via that subnet; it's a back door into your VPC. Your Target network associations are where the VPN pops out into. You have a NAT'd IP address on that subnet you set as a Target network association. You can make this a private subnet also if you wish. To make it HA, add a subnet in each AZ.
Ah ok, I misunderstood. So, this is down to you. 0.0.0.0/0 will cover ALL networks and you don't need 172.31.0.0/16. If you run split tunnel, you may as well just use 172.31.0.0/16. As I mentioned, you can just define your private subnet range. Again this is personal choice. If it's like an OpenVPN server (I need to double check but I'm pretty sure), the network routes are populated to your VPN client once authenticated. This is where the split tunnel configuration comes into effect. When you connect to your VPN and split tunnel is disabled, ALL traffic will route over the VPN. If you enable split tunnel and just list 172.31.0.0/16 on the VPN, any traffic to your VPC will traverse the VPN and ALL other traffic will route directly out of your interface. You can see this behaviour using traceroute.
Yeah please do let me know how you get on.. Happy to help
Hi Gary, once again, thanks a lot for your wonderful replies. You were precise and helpful and I was able to achieve what I was looking for. Much appreciated! Regarding 1), my only doubt is whether the VPN popping out into a private subnet would be any more secure than popping out in a public subnet. In other words, whether there is any security aspect improved by using a private subnet... but I think not. Regarding 2), I think it's clear. Thanks. For the moment I am OK with not using split tunnel and leaving the default behavior. Unless the internet traffic through the VPN increases networking cost?