Route on prem egress traffic to AWS through DX Gateway

0

Is it possible to route the traffic from on-prem to the Internet through DX without using a Transit Gateway? I'm wondering if it is possible to create an Egress VPC with a Virtual Private Gateway, attach this VGW to the DX Gateway, and route 0.0.0.0 from on-prem to the NAT GW's private IP.

Thanks in advance

2 Answers
4
Accepted Answer

You cannot advertise a default route from a VGW to a DX Gateway. When a DXGW is attached to a VGW it can only advertise exact VPC CIDRs. https://docs.aws.amazon.com/directconnect/latest/UserGuide/allowed-to-prefixes.html#allowed-to-prefixes-virtual-private-gateway

It does not matter whether you host a NAT GW or a NAT Instance (self-managed) inside a VPC; your on-prem will not get 0.0.0.0/0 from a VGW-DXGW based Private VIF.

You can use the centralized NAT Gateway design model to route traffic from on-prem over a transit VIF to go out to the Internet through a NAT Gateway.

On-Prem -> DX -> Transit VIF -> DXGW -> TGW -> NAT VPC -> NAT GW -> Internet

This would work perfectly fine with a DXGW <-> TGW association, as when you associate a TGW to a DXGW, it allows you to advertise 0.0.0.0/0. https://docs.aws.amazon.com/directconnect/latest/UserGuide/allowed-to-prefixes.html#allowed-to-prefixes-transit-gateway

I hope this is helpful for you to make a design decision.

answered 2 months ago
  • It's what I thought. Thanks for confirming and the useful docs.

  • Why does the documentation say you can’t do it? You can't route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections

  • Hey Gary,

    You can't route traffic to a NAT Gateway if the traffic arrived from Site-to-Site VPN or Direct Connect to a VGW in the VPC which has the NAT GW. Since it is not possible to advertise a default route from a VGW to VPN/DX, it is not possible to route it to the NAT GW. VPC Peering is non-transitive, so it does not support this kind of traffic pattern.

  • Hey Azeem, I get that, and the documentation says it's not possible. What it doesn't say is that it is only applicable when using a VPGW. Currently the documentation says it's not possible. It doesn't say with or without a TGW. This is where my problem is.

    Cheers Gary

  • Hey Gary,

    I see your point, I will take this to documentation team and get this clarified. Thanks for highlighting it.
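The centralized-egress path from the accepted answer (On-Prem -> DX -> Transit VIF -> DXGW -> TGW -> NAT VPC -> NAT GW -> Internet), written out as Terraform. This is an added example, not code from the post or from AWS; it assumes the DX connection and transit VIF already exist, that the NAT VPC, its subnets and the NAT GW are already created, and every ID, CIDR and ASN below is a placeholder.

```hcl
# Added example (not from the original post): the DXGW <-> TGW association that
# makes a default route an allowed prefix, plus the TGW and VPC routes behind it.

resource "aws_ec2_transit_gateway" "tgw" {
  amazon_side_asn = 64512 # assumed
}

resource "aws_dx_gateway" "dxgw" {
  name            = "egress-dxgw"
  amazon_side_asn = 64513 # assumed; must differ from the TGW ASN
}

# DXGW <-> TGW association: 0.0.0.0/0 is accepted here and is what on-prem learns
# over the transit VIF. A DXGW <-> VGW association only accepts the VPC's own CIDRs.
# Once advertised, all on-prem default-route traffic transits AWS, so the on-prem
# routers should only accept this prefix from the intended DX BGP session.
resource "aws_dx_gateway_association" "to_tgw" {
  dx_gateway_id         = aws_dx_gateway.dxgw.id
  associated_gateway_id = aws_ec2_transit_gateway.tgw.id
  allowed_prefixes      = ["0.0.0.0/0"]
}

# NAT VPC attachment (VPC, subnets and NAT GW assumed to exist already).
resource "aws_ec2_transit_gateway_vpc_attachment" "nat_vpc" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  vpc_id             = "vpc-PLACEHOLDER"
  subnet_ids         = ["subnet-tgw-PLACEHOLDER"]
}

# TGW default route table: on-prem's 0.0.0.0/0 goes to the NAT VPC attachment.
# On-prem prefixes propagate back into this table from the DXGW attachment.
resource "aws_ec2_transit_gateway_route" "default_to_nat" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway.tgw.association_default_route_table_id
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.nat_vpc.id
}

# Inside the NAT VPC: the TGW-attached subnet sends Internet traffic to the NAT GW,
# and the public subnet hosting the NAT GW returns on-prem destinations to the TGW.
resource "aws_route" "tgw_subnet_default_to_natgw" {
  route_table_id         = "rtb-tgw-subnet-PLACEHOLDER"
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "nat-PLACEHOLDER"
}

resource "aws_route" "public_subnet_return_to_tgw" {
  route_table_id         = "rtb-public-PLACEHOLDER"
  destination_cidr_block = "10.0.0.0/8" # assumed on-prem range
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
}
```

Without the return route in the public subnet's route table, NAT GW reply traffic has no path back to the TGW and on-prem flows will time out.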

1

You can't route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-basics

The way it could work is by using an EC2 NAT Instance instead, but this comes with other challenges such as high availability and throughput, and it's now end of support. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

However, you could build your own NAT instance: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#create-nat-ami

answered 2 months ago
  • Updated to include NAT Instance option

  • Thanks for your answer Gary. Reading it, I understand I should have explained better to skip the basics. I do apologize for that. I was aware of the limitation through VPC peerings, VPNs and DX through Private VIFs, since they don't allow transitive routing; my question was regarding Direct Connect Gateway because it seems to allow transitive routing from on-prem to any VPC. Additionally, I'm not sure a NAT instance solves the issue, since the problem is the peering and not the NAT GW itself; I'd use it if you want to use features that are not allowed in a NAT GW, such as port forwarding.

  • Hey MTIND, I believe my answer stands. You connect a DX Gateway to a TGW or VPGW to connect to a VPC. Your NAT Gateway resides in a VPC and, as per documentation, you can't route via NAT Gateways from DX whether you're using a TGW or not, as it will not allow resources on either side to route/connect. This is where an EC2 NAT instance will allow you to route via it. It would in theory be a double transitive route with a NAT Gateway, whereas the NAT EC2 wouldn't be, as the OS (Linux) in this case is the router outside of an AWS resource.
