How can I use the elastic IP of a NAT Gateway as the source IP over a Site to Site VPN using a Virtual Private Gateway?

0

I'm attempting to route all traffic destined for an on-premises network through a public NAT Gateway and then over a Site to Site VPN tunnel using a Virtual Private Gateway, in an attempt to source traffic from a single public IP. According to the NAT Gateway documentation:

"If you use a public NAT gateway to connect to a transit gateway or virtual private gateway, traffic to the destination will come from the private IP address of the public NAT gateway. The public NAT gateway will only use its EIP as the source IP address when used in conjunction with an internet gateway in the same VPC."

I'm trying to understand how to configure the setup/routing to use the "EIP as the source IP address". I've been able to route traffic through the public NAT Gateway successfully and over the VPN, but all traffic is being sourced from the private IP address of the NAT Gateway and not the EIP. Here is an overview of the setup:

  • Site to Site VPN connection established using a Virtual Private Gateway

  • Internet Gateway and NAT Gateway are in the same VPC

  • EC2 instance in a private subnet

  • Public NAT Gateway in a public subnet (with IGW attached)

  • EC2 private subnet route table: 192.168.0.0/24 → local; 0.0.0.0/0 → NAT Gateway-ID

  • Public NAT Gateway subnet route table: 192.168.0.0/24 → local; 0.0.0.0/0 → IGW-ID; 10.0.0.2/32 → VGW-ID (hypothetical on-premises IP address)

Assuming that all of the security rules are in place correctly, I can get this to work; however, the source IP address of the traffic over the VPN is always the private IP address of the NAT gateway and not the EIP.

What do I need to do to use the NAT Gateway "in conjunction with an internet gateway in the same VPC" to source traffic using the public EIP as the documentation states?

Thanks!

2 Answers
2
Accepted Answer

As you quoted from the documentation, there's no way to use the Elastic IP over a site-to-site VPN connection: "If you use a public NAT gateway to connect to a transit gateway or virtual private gateway, traffic to the destination will come from the private IP address of the public NAT gateway." Your network is working as documented. There's no way to use AWS-owned public IPs over an AWS site-to-site VPN.

The underlying reason is that both Elastic IPs and automatically assigned public IPv4 addresses are technically implemented as a network address translation (NAT) mechanism at the edge of AWS's network. Packets translated that way can only pass into or out of a VPC via an attached internet gateway (IGW). Packets routed through a VGW never go through that NAT mechanism.

However, VPCs do allow you to use nearly any IPv4 addresses you like in your VPC, including non-AWS public IPs. If you have a small CIDR, perhaps a /27 or at least a /28, of your own public IPs allocated to your on-premises use, which you can spare not to use on premises and can afford to allocate for use in your VPC, you could configure the public CIDR as your VPC's secondary CIDR, configure a subnet with the CIDR or at least a /28 block of it, and place a private NAT gateway in that subnet. If you only send traffic to the VGW after it's passed through the private NAT GW, the packets sent to the VPN would have the IP of the NAT gateway that is internal to the VPC and therefore considered as private by AWS, but which in reality is a public IP allocated to your on-premises use and therefore doesn't overlap any private IP ranges of your customers or partners.

As iBehr correctly advised, if you just need to connect your own VPC to your own on-premises network over a site-to-site VPN, you won't typically need any NATing or public IPs on the AWS side. My advice above is mainly useful in situations where you're a service provider connecting to multiple customers and need a single CIDR on your side that is guaranteed not to overlap the addresses of any customer.

EXPERT
Leo K
answered 2 months ago
EXPERT
reviewed 2 months ago
  • It's more clear when re-reading the documentation alongside your answer. Much appreciated!
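As an added illustration of the accepted answer's workaround (this is example Terraform written for this page, not configuration from the answerer or from AWS), the following builds the pieces the answer describes: a public range you own attached as a secondary VPC CIDR, a subnet carved from it, a private NAT gateway in that subnet, and route tables that send on-premises traffic first through the NAT gateway and then to the VGW. All values are placeholders: 203.0.113.0/27 stands in for a public /27 you own and have reserved for VPC use, 10.0.0.0/24 for the on-premises network, and 192.168.0.0/24 for the VPC's primary CIDR as in the question. The customer gateway, VPN connection and tunnel settings are omitted, and the resource names are assumptions.

```hcl
# Assumed placeholder values (not from the thread):
#   owned_public_cidr = a public /27 you own and will not use on premises
#   onprem_cidr       = the on-premises network reached over the VPN
variable "owned_public_cidr" { default = "203.0.113.0/27" }
variable "onprem_cidr"       { default = "10.0.0.0/24" }

resource "aws_vpc" "main" {
  cidr_block = "192.168.0.0/24"
}

# Attach your own public range to the VPC as a secondary CIDR.
# AWS treats addresses inside the VPC as "private", so a NAT gateway
# placed here will SNAT to one of these public addresses.
resource "aws_vpc_ipv4_cidr_block_association" "owned_public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = var.owned_public_cidr
}

# Subnet carved from the secondary CIDR (the first /28 of the /27);
# the private NAT gateway lives here.
resource "aws_subnet" "nat" {
  vpc_id     = aws_vpc.main.id
  cidr_block = cidrsubnet(var.owned_public_cidr, 1, 0)
  depends_on = [aws_vpc_ipv4_cidr_block_association.owned_public]
}

# Ordinary private subnet for the EC2 instances.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "192.168.0.0/25"
}

# A private NAT gateway has no Elastic IP; it translates to its own
# VPC address, which is an address from your owned public range.
resource "aws_nat_gateway" "private" {
  subnet_id         = aws_subnet.nat.id
  connectivity_type = "private"
}

resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

# Private subnet: on-premises traffic goes to the private NAT gateway,
# never directly to the VGW, so it is translated before it leaves.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = var.onprem_cidr
    nat_gateway_id = aws_nat_gateway.private.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# NAT subnet: the already-translated traffic is sent to the VGW.
resource "aws_route_table" "nat" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = var.onprem_cidr
    gateway_id = aws_vpn_gateway.vgw.id
  }
}

resource "aws_route_table_association" "nat" {
  subnet_id      = aws_subnet.nat.id
  route_table_id = aws_route_table.nat.id
}
```

Two things to check before relying on this: the on-premises side must route return traffic for the owned public range back over the VPN tunnel rather than toward the Internet (otherwise replies to the NAT gateway's address never come back), and the range must genuinely be allocated to you, since the same addresses will stop being reachable from the VPC via the public Internet once they are part of the VPC.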

2

NAT Gateways and Site-to-Site (S2S) VPN are not specifically meant to be used together.

When you provision a S2S VPN, you will be provided with 2 Public IPs for the AWS tunnel endpoints. You can then choose to connect the AWS end to either a VPC Private Gateway (VGW) or a Transit Gateway (TGW).

NAT Gateways have a few use cases:

  • Providing Internet access to private subnets without using lots of public IPs.

  • Providing connectivity between VPCs and on-premises networks with overlapping CIDRs. (In this use case, you don't use the NAT Gateway itself to connect to on-premises but rather to funnel the traffic bound for on-premises before sending it over a transport of either S2S VPN or Direct Connect.)

AWS
EXPERT
iBehr
answered 2 months ago
EXPERT
reviewed 2 months ago
