You cannot advertise a default route from a VGW to a DX Gateway. When a DXGW is attached to a VGW it can only advertise exact VPC CIDRs. https://docs.aws.amazon.com/directconnect/latest/UserGuide/allowed-to-prefixes.html#allowed-to-prefixes-virtual-private-gateway
It does not matter if you hosted a NAT GW or NAT Instance (self-managed) inside a VPC; your on-prem will not get 0.0.0.0/0 from a VGW-DXGW based Private VIF.
You can use the centralized NAT Gateway design model to route traffic from on-prem over a transit VIF to go out to the internet through a NAT Gateway.
On-Prem -> DX -> Transit VIF -> DXGW -> TGW -> NAT VPC -> NAT GW -> Internet
This would work perfectly fine with a DXGW <-> TGW association, as when you associate a TGW to a DXGW it allows you to advertise 0.0.0.0/0. https://docs.aws.amazon.com/directconnect/latest/UserGuide/allowed-to-prefixes.html#allowed-to-prefixes-transit-gateway
I hope this is helpful for you to make a design decision.
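The centralized egress path described in this answer, as an added Terraform sketch that is not part of the thread or of any AWS documentation: the DXGW-to-TGW association carrying 0.0.0.0/0, the TGW default route toward the NAT VPC, and the NAT VPC route tables. All IDs, names and CIDRs are assumptions, and the DXGW, TGW, NAT VPC, subnets, route tables, IGW, NAT GW and TGW route-table associations are assumed to be declared elsewhere.

```hcl
# Added example (not from the thread): Terraform sketch of the centralized
# egress path: on-prem -> transit VIF -> DXGW -> TGW -> NAT VPC -> NAT GW.
# All resource names and the on-prem range 10.0.0.0/8 are assumptions;
# the DXGW, TGW, VPC, subnets, route tables, IGW and NAT GW live elsewhere.

# DXGW <-> TGW association: this attachment type is what permits
# advertising 0.0.0.0/0 toward on-prem (a VGW association cannot).
resource "aws_dx_gateway_association" "onprem" {
  dx_gateway_id         = aws_dx_gateway.main.id
  associated_gateway_id = aws_ec2_transit_gateway.main.id
  allowed_prefixes      = ["0.0.0.0/0"]
}

# TGW route table used by the DX attachment: default route to the NAT VPC.
resource "aws_ec2_transit_gateway_route" "default_to_nat_vpc" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.main.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.nat_vpc.id
}

# NAT VPC, private subnet (holds the TGW attachment ENI):
# internet-bound traffic to the NAT GW, return traffic to on-prem via TGW.
resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.nat_private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.egress.id
}
resource "aws_route" "private_to_onprem" {
  route_table_id         = aws_route_table.nat_private.id
  destination_cidr_block = "10.0.0.0/8" # assumed on-prem range
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
}

# NAT VPC, public subnet (holds the NAT GW):
# default via the IGW, on-prem return traffic back to the TGW.
resource "aws_route" "public_default" {
  route_table_id         = aws_route_table.nat_public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.nat_vpc.id
}
resource "aws_route" "public_to_onprem" {
  route_table_id         = aws_route_table.nat_public.id
  destination_cidr_block = "10.0.0.0/8" # assumed on-prem range
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
}
```

The TGW route table shown must be the one associated with the Direct Connect Gateway attachment; without the on-prem return routes in both NAT VPC subnets, replies from the NAT GW never reach the TGW.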
You can't route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-basics
The way it could work is by using an EC2 NAT Instance instead, but it comes with other challenges such as high availability, throughput, and it's now end of support. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
However, you could build your own NAT instance: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#create-nat-ami
Updated to include NAT Instance option
Thanks for your answer Gary. Reading it, I understand I should have explained better to skip the basics. I do apologize for that. I was aware of the limitation through VPC peerings, VPNs and DX through Private VIFs, since they don't allow transitive routing; my question was regarding Direct Connect Gateway because it seems to allow transitive routing from on-prem to any VPC. Additionally, I'm not sure a NAT instance solves the issue, since the problem is the peering and not the NAT GW itself; I'd use it if you want to use features that are not allowed in NAT GW, such as port forwarding.
Hey MTIND, I believe my answer stands. You connect a DX Gateway to a TGW or VPGW to connect to a VPC. Your NAT Gateway resides in a VPC and, as per documentation, you can't route via NAT Gateways from DX whether you're using TGW or not, as it will not allow resources on either side to route/connect. This is where an EC2 NAT instance will allow you to route via it. It would in theory be a double transitive route with a NAT Gateway, where the NAT EC2 wouldn't be, as the OS (Linux) in this case is the router outside of an AWS resource.
It's what I thought. Thanks for confirming and the useful docs.
Why does the documentation say you can't do it? "You can't route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections."
Hey Gary,
You can't route traffic to NAT Gateway if the traffic arrived from Site to Site VPN or Direct Connect to VGW in VPC which has NAT GW. Since it is not possible to advertise default route from VGW to VPN/DX, it is not possible to route it to NAT GW. VPC Peering is non transitive so this does not support this kind of traffic pattern.
Hey Azeem, I get that, and the documentation says it's not possible. What it doesn't say is that it's only applicable when using a VPGW. Currently the documentation says it's not possible. It doesn't say with or without a TGW. This is where my problem is.
Cheers Gary
Hey Gary,
I see your point, I will take this to documentation team and get this clarified. Thanks for highlighting it.