- Newest
- Most votes
- Most comments
Hello.
As you know, if you use a public IP, you cannot connect with a private connection.
So, why not create a VPC with non-overlapping CIDR ranges for each customer and configure PrivateLink?
https://aws.amazon.com/jp/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/
There's no way to use AWS-owned public IPv4 addresses over an AWS site-to-site VPN.
It's possible to assign nearly any IP addresses to VPCs, however. If you have a block of public IPv4 addresses at least /27 in size that you can afford to keep unused on premises or elsewhere outside your VPC, you could make it a secondary CIDR of your VPC and assign it to a subnet in your VPC. Just like all CIDRs assigned to your VPC, the public /27 that you brought with you would be routable over site-to-site VPNs.
Thanks Leo for you response. Your proposal looks good. I have a public /27 that I can us for this VPN NLB "landing zone". I will try it and let you know.
Relevant content
- asked 4 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 months ago
+1 to this suggestion - it gives your customers a connection that guarantees no IP overlap; and also prevents customers from connecting to each other.
As for "why not," each VPC interface endpoint comes with an additional fixed fee of $0.01/hour/AZ (in us-east-1 and eu-west-1, as examples) for $7.20/month/AZ and a variable fee starting at $0.01/GB for traffic passing through it. Those costs are added to the fixed fee and capacity unit fees for the NLB. Customers can be prevented from connecting to each other simply by defining the CIDR on the AWS side of each site-to-site VPN as the CIDR of the VPC; that's exactly why that feature exists in virtually every VPN solution.
While this is true there are two counterpoints: First, if you have a "landing VPC" where your customer connect eventually you will hit a point where the CIDR range for that VPC or the range you use to NAT will conflict with one or more customers and then you'll need to fine another solution. Second (and related to the first) - as with all managed services there is a price to pay; the question is whether that is higher than the cost to you to maintain something to do the same job.
This isn't a "please use PrivateLink" but it is more a "consider using it because it takes away a lot of the heavy lifting from you". Is that worth the price? For me, yes. For you: That's an individual decision.
The idea is to avoid a potential future overlap for a new customer, so the internal NLB static IPs must to be unique
@Brettski-AWS We were told in the original question that the solution already exists and is being rehosted/replatformed on AWS. That means it would be known if IP overlap between customers were an unresolved issue. Simple hide-NAT at the customer side would fix that. The question was about the service provider side's addressing. Setting up a per-customer VPC with non-overlapping IPs and VPC endpoint would be additional effort to manage or automate, not an inherent part of the AWS-managed service, and the technology costs would increase linearly. That should be considered in a design.