How can we map entire AWS VPC CIDR to a single IP address using Private NAT Gateway via AWS Site to Site VPN connection.

2 minute read
Content level: Intermediate

Map AWS VPC CIDR with single NATed IP address using Private NAT Gateway to communicate over VPN connection.

If your on-premises team can only allow single IP address from AWS VPC you can NAT the traffic over AWS Site to Site VPN. Since NATing is not supported via AWS Site to Site VPN connection, Private NAT Gateway could be utilized to map AWS VPC CIDR to a single IP address.


Enter image description here

NAT Gateway Subnet Configuration:

Step 1: Create the subnet which have a route pointing to Transit Gateway.

For Example: > Transit Gateway (On-Premises)

Private NAT Gateway Configuration:

Step 2: To create a Private NAT gateway.

  1. Open the Amazon VPC console at
  2. Choose, NAT Gateways.
  3. Create NAT Gateway using below steps:
  • Specify a name for the NAT gateway.
  • Select the subnet which have route to TGW > Transit Gateway.
  • Select Connectivity type as a Private to create a private NAT.

Step 3: Update the source subnets route table with the route ( pointing to the NAT gateway. Step 4: When Private NAT Gateway will receive the traffic, it will look for the route and will forward it to Transit Gateway (TGW).

Transit Gateway Configuration:

Step 5: Transit Gateway should have route pointing to two attachments as follows:

  • --> tgw-attach-vpn (Add Static route if you are using Static VPN)
  • --> tgw-attach-vpc

Important: Please ensure that you have a Private NAT Gateway Subnet/AZ enabled in VPC Attachment or another subnet that belongs to same AZ where NAT Gateway resides.

Note: This setup is valid for unidirectional traffic flow i.e., from AWS to On-premises.

You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

If you want to achieve bidirectional traffic flow, NAT Instance can be utilized as well.

For more details, please refer below documents:

profile picture
published a year ago1639 views
1 Comment

Thank you so much for sharing this article. I'm planning to implement it. Our VPN is connecting with on-prem servers of a client. They have assigned us a /30 CIDR to use as a single "source of allowed IP" from our network. I originally tough that assigning this /30 as primary and secondary IPs to the NAT GW was the way to go, but then I realized the TGW also as an IP address. Will my package arrives to the client Firewall with the IP of the NAT GW or the IP of the TGW?

replied 3 months ago