We're trying to figure out the most efficient way to replicate our application and networking on AWS, and we are getting stuck on a networking requirement. Here's the general layout:
- Our application will be deployed in ECS (Fargate)
- We'll deploy an instance of the application + ALB for each client
- We'll use a software VPN (AWS VPNs are too expensive, but I don't think they change anything)
- We need to privately route traffic from the VPN to each client's instance of the application
- We prefer to put clients in their own VPCs and use VPC Peers but we could relax this requirement if it were fatal.
Not only do we want/need a Static IP for VPN (and VPC Peer) routing, but we have a client that requires a publicly routable IP address as the destination for our VPN communication. ALBs don't support static IPs (EIP or otherwise) and it doesn't look like either of the suggested workarounds (https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/) will work for us. Specifically, from what I've read:
- We can put an NLB in front of the ALB to get a Static IP, but we can only associate an EIP if the NLB is internet-facing.
- The Global Accelerator provides static IPs, but they also appear to be designed to be internet-routable.
In both cases, it doesn't sound like these addresses are internally routable. Am I wrong? Is there another built-in way to achieve our requirement?
Edited by: Clayton D. on Mar 30, 2020 12:59 PM