Private NAT Gateway to Site-to-Site VPN with Restricted CIDR

0

Hi Everyone! I am wondering if the following scenario is possible:

I have an AWS private NAT gateway in a subnet with the CIDR range 172.16.4.0/27. The NAT gateway has a route directed to an AWS VPG and site-to-site VPN. On the site-to-site VPN configuration I have the "Remote IPv4 network CIDR" set to 172.16.4.12/32 as this is the only IP address allowed by the other side of the tunnel.

My question is, will the NAT gateway "know" about the restricted 172.16.4.12/32 CIDR? Meaning all traffic passing through the NAT gateway will be translated ONLY to 172.16.4.12/32 before it enters the tunnel. Or will the NAT gateway continue to use the 172.16.4.0/27 range and only a portion of the traffic, if it happens to be translated to 172.16.4.12/32, will be able to enter the tunnel?

Thank you in advance.

Asked 3 months ago, 203 views
1 Answer
2
Accepted Answer

The NAT gateway operates without awareness of the specific CIDR ranges associated with the VPN. By default, it conducts source network address translation using its private IP address (derived from the subnet CIDR range) for traffic originating from private instances and heading towards the internet. In your case, the NAT gateway utilizes its private IP address from the CIDR range 172.16.4.0/27 for source address translation. It does not automatically adjust its translation behavior based on the specific IP addresses allowed in the site-to-site VPN configuration. If the remote side of the site-to-site VPN requires traffic from your VPC to carry a designated source IP address (e.g., 172.16.4.12/32), you may have to manage this translation within your private instances before the traffic reaches the NAT gateway. This could involve configuring your instances to use the specified source IP address in their outbound traffic.

Expert, answered 3 months ago
Expert, reviewed 2 months ago
Expert, reviewed 3 months ago
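To make the answer's point concrete, here is an added Python model of the two components involved; it is not code from the answer or from AWS, and it only reproduces the behaviour the answer describes. The NAT gateway rewrites every forwarded packet's source to its single private IP, and the tunnel admits a packet only when that source lies inside the "Remote IPv4 network CIDR" of 172.16.4.12/32. The workload addresses (10.0.1.x) and the on-premises host (10.50.0.10) are constructed sample values, and `simulate()` is a helper defined here purely for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


class PrivateNatGateway:
    """Models the SNAT behaviour described in the answer: every packet that
    leaves the gateway carries the gateway's one private IP as its source."""

    def __init__(self, subnet: IPv4Network, private_ip: IPv4Address):
        # The gateway's private IP is always an address inside its subnet.
        if private_ip not in subnet:
            raise ValueError(f"{private_ip} is not inside {subnet}")
        self.subnet = subnet
        self.private_ip = private_ip

    def snat(self, pkt: Packet) -> Packet:
        # Source NAT: the original instance address is replaced, the
        # destination is untouched.
        return Packet(src=self.private_ip, dst=pkt.dst)


class SiteToSiteVpn:
    """Models the tunnel's 'Remote IPv4 network CIDR' check: only packets
    whose source lies inside remote_cidr are accepted by the far side."""

    def __init__(self, remote_cidr: IPv4Network):
        self.remote_cidr = remote_cidr

    def admits(self, pkt: Packet) -> bool:
        return pkt.src in self.remote_cidr


def simulate(gateway_ip: str, sources: list[str]) -> dict[str, bool]:
    """Illustrative helper: push packets from each source through the NAT
    gateway and report whether the tunnel would admit them."""
    nat = PrivateNatGateway(IPv4Network("172.16.4.0/27"), IPv4Address(gateway_ip))
    vpn = SiteToSiteVpn(IPv4Network("172.16.4.12/32"))
    on_prem_host = IPv4Address("10.50.0.10")  # constructed remote destination
    results = {}
    for src in sources:
        translated = nat.snat(Packet(IPv4Address(src), on_prem_host))
        results[src] = vpn.admits(translated)
    return results


if __name__ == "__main__":
    workloads = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]  # constructed instance IPs
    # Gateway private IP picked from the /27 but not the allowed /32:
    print(simulate("172.16.4.5", workloads))   # every packet is refused
    # Gateway private IP equal to the allowed /32:
    print(simulate("172.16.4.12", workloads))  # every packet is admitted
```

Because the gateway has one private address, the outcome is all-or-nothing rather than "a portion of the traffic": either that address is the permitted 172.16.4.12 and everything enters the tunnel, or it is some other host in 172.16.4.0/27 and nothing does. The model also shows why the answer points at the instances themselves: the tunnel checks the post-NAT source, so the only way to influence it is to control what address the packets carry when they reach the tunnel.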
