Can I route Internet traffic of an EC2 server through an AWS virtual private gateway and out through an on-premises firewall (gateway)?

0

Hi guys,

I want to route my EC2 Internet traffic through the VPN and out via my on-premises firewall (FortiGate). My EC2 instance is in a private subnet. There is no IGW. It is able to connect to my on-premises network via the VPN and vice versa. However, the EC2 instance is unable to reach the Internet.

My route table is as below:

- 0.0.0.0/0 → vgwxxxx
- 172.16.1.0/24 → local

Security Group: ALL Allow
ACL: ALL Allow

From my testing and troubleshooting: if I ping 8.8.8.8 from the EC2 instance, I can see ping (request/reply) traffic on the VPN tunnel interface in the firewall. On the EC2 instance, I can only see ping request traffic; no ping reply traffic is captured.

Note: I deleted and recreated the EC2 instance, VPC, subnet, VPN gateway and route table, and reconfigured the VPN settings in the firewall. But the result is still the same.

Is there any limitation in the Virtual Private Gateway for Internet traffic? Or is there any way to fix my issue? Thank you.

2 Answers
0

This should technically work. See below from the FAQ; I suggest checking the end-to-end forward and reverse routing:

https://aws.amazon.com/vpn/faqs/

Q: What are the VPN connectivity options for my VPC?

A: You may connect your VPC to your corporate data center using a Hardware VPN connection via the virtual private gateway.

Q: How do instances without public IP addresses access the Internet?

A: Instances without public IP addresses can access the Internet in one of two ways:

Instances without public IP addresses can route their traffic through a network address translation (NAT) gateway or a NAT instance to access the internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the internet to initiate a connection to the privately addressed instances.

For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

AWS
EXPERT
answered 2 years ago
  • Thanks for your comment and info. Yes. This should technically work.

0

Hi,

Considering you are seeing the ICMP/Ping request/reply pair in your VTI on your firewall, I would start by confirming that your VPC route for 172.16.1.0/24 does indeed route towards AWS over VPN to your Virtual Private Gateway. I would next check the NACL at the border of your VPC. If traffic is flowing outbound correctly, the NACL may need an entry for the return traffic. NACLs are stateless by nature so you must account for the return traffic, in this case the ICMP/Ping reply. Please let us know how it goes. Hope this helps!

AWS
answered 2 years ago
  • Thanks for your comment. Like I mentioned, the NACL and Security Group allow all traffic. I double-checked the NACL and created a new NACL for testing. However, the result is still the same. I also ran Reachability Analyzer. Status is Reachable and state is Succeeded (both forward and reverse path). Is any other setting blocking the EC2 instance? I created a new instance and tested, too.
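The second answer's point is that a network ACL is stateless, so the ICMP echo reply from 8.8.8.8 is evaluated on its own as inbound traffic, independently of the outbound request. The following added example (not code from the question or the answers) models that first-match, ascending-rule-number evaluation together with the longest-prefix route lookup for the route table in the question, to show why an allow-all NACL passes the round trip while one that only admits return traffic from a constructed on-premises range (10.0.0.0/8, an assumption) silently drops the reply; the `vgw-PLACEHOLDER` id stands in for the real gateway id.

```python
import ipaddress

# Constructed NACL rules: (rule_number, direction, protocol, cidr, action).
# AWS evaluates rules in ascending number order, first match wins, and the
# implicit "*" rule at the end denies anything that nothing matched.
def evaluate_nacl(rules, direction, protocol, remote_ip):
    addr = ipaddress.ip_address(remote_ip)
    for number, rule_dir, rule_proto, cidr, action in sorted(rules):
        if rule_dir != direction:
            continue
        if rule_proto not in ("all", protocol):
            continue
        if addr in ipaddress.ip_network(cidr):
            return action
    return "deny"  # the catch-all "*" rule

def ping_round_trip_allowed(rules, target_ip):
    # Stateless: the echo request (outbound) and the echo reply (inbound)
    # are checked separately; both must be allowed for ping to succeed.
    request = evaluate_nacl(rules, "outbound", "icmp", target_ip)
    reply = evaluate_nacl(rules, "inbound", "icmp", target_ip)
    return request == "allow" and reply == "allow"

def route_lookup(routes, dest_ip):
    # Longest-prefix match, as the VPC router does for a subnet route table.
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

# The NACL the question describes: everything allowed in both directions.
ALLOW_ALL = [
    (100, "outbound", "all", "0.0.0.0/0", "allow"),
    (100, "inbound", "all", "0.0.0.0/0", "allow"),
]
# Constructed contrast: inbound only admits the assumed on-premises range,
# so replies from Internet hosts fall through to the "*" deny.
VPN_ONLY_INBOUND = [
    (100, "outbound", "all", "0.0.0.0/0", "allow"),
    (100, "inbound", "all", "10.0.0.0/8", "allow"),
]
# The route table from the question; the vgw id is a placeholder.
ROUTES = [("172.16.1.0/24", "local"), ("0.0.0.0/0", "vgw-PLACEHOLDER")]

if __name__ == "__main__":
    print("8.8.8.8 routes to:", route_lookup(ROUTES, "8.8.8.8"))
    print("allow-all NACL ping ok:", ping_round_trip_allowed(ALLOW_ALL, "8.8.8.8"))
    print("vpn-only NACL ping ok:", ping_round_trip_allowed(VPN_ONLY_INBOUND, "8.8.8.8"))
```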
