Public IPs and NLB from VPN

0

Hi,

I need to migrate several VPN connections from my on-premises site to AWS VPN. These VPNs are with clients. I need to present some services through the VPN using an internal NLB (Network Load Balancer).

The challenge is that I would like to present the NLB with public IPs to avoid any potential IP overlaps with the customer's side. Also, the NLB IPs must be static for customer-side firewall allow rules entries.

I understand that an internet-facing NLB (with public IPs) cannot be reachable from inside, and an internal NLB cannot be configured with public IPs.

As an alternative, I can use the internal NLB with private IPs, but if there is any option to use public IPs with an internal NLB or how to achieve this, I appreciate the suggestion.

Regards, Nicolas

Nicolas
asked 3 months ago108 views
2 Answers
1

Hello.

As you know, if you use a public IP, you cannot connect with a private connection.
So, why not create a VPC with non-overlapping CIDR ranges for each customer and configure PrivateLink?
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/

profile picture
EXPERT
answered 3 months ago
profile pictureAWS
EXPERT
reviewed 3 months ago
  • +1 to this suggestion - it gives your customers a connection that guarantees no IP overlap; and also prevents customers from connecting to each other.

  • As for "why not," each VPC interface endpoint comes with an additional fixed fee of $0.01/hour/AZ (in us-east-1 and eu-west-1, as examples) for $7.20/month/AZ and a variable fee starting at $0.01/GB for traffic passing through it. Those costs are added to the fixed fee and capacity unit fees for the NLB. Customers can be prevented from connecting to each other simply by defining the CIDR on the AWS side of each site-to-site VPN as the CIDR of the VPC; that's exactly why that feature exists in virtually every VPN solution.

  • While this is true there are two counterpoints: First, if you have a "landing VPC" where your customer connect eventually you will hit a point where the CIDR range for that VPC or the range you use to NAT will conflict with one or more customers and then you'll need to fine another solution. Second (and related to the first) - as with all managed services there is a price to pay; the question is whether that is higher than the cost to you to maintain something to do the same job.

    This isn't a "please use PrivateLink" but it is more a "consider using it because it takes away a lot of the heavy lifting from you". Is that worth the price? For me, yes. For you: That's an individual decision.

  • The idea is to avoid a potential future overlap for a new customer, so the internal NLB static IPs must to be unique

  • @Brettski-AWS We were told in the original question that the solution already exists and is being rehosted/replatformed on AWS. That means it would be known if IP overlap between customers were an unresolved issue. Simple hide-NAT at the customer side would fix that. The question was about the service provider side's addressing. Setting up a per-customer VPC with non-overlapping IPs and VPC endpoint would be additional effort to manage or automate, not an inherent part of the AWS-managed service, and the technology costs would increase linearly. That should be considered in a design.

0
Accepted Answer

There's no way to use AWS-owned public IPv4 addresses over an AWS site-to-site VPN.

It's possible to assign nearly any IP addresses to VPCs, however. If you have a block of public IPv4 addresses at least /27 in size that you can afford to keep unused on premises or elsewhere outside your VPC, you could make it a secondary CIDR of your VPC and assign it to a subnet in your VPC. Just like all CIDRs assigned to your VPC, the public /27 that you brought with you would be routable over site-to-site VPNs.

EXPERT
Leo K
answered 3 months ago
  • Thanks Leo for you response. Your proposal looks good. I have a public /27 that I can us for this VPN NLB "landing zone". I will try it and let you know.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions