
From hospital isolated networks through IPsec VPN to AWS, an EC2 instance, then a specific site which uses Cognito

0

Hi support,

Appreciate your help.

Summary: We want to access "example.com" from PCs and subnets in a hospital network that does not have a direct gateway to the internet, through an AWS environment that has internet access, via a VPN. Hospital PCs need to access a specific site, let's say "example.com", which is using Cognito. The VPN connection is established. We can ping bidirectionally.

Details: Rough network diagram:

Hospital PC ++++++ L3 device +++++++ VPN device and FW ++++++ cloud +++++++ AWS VPN endpoint VPC +++++++ EC2 instance ++++++++ internet

The hospital PC has its default gateway set to the L3 device, and the L3 device routes to the VPN device and firewall. The VPN device has static routes to the private addresses on the AWS side. The VPN connection is established. We can ping bidirectionally from the PC to the EC2 instance.

Hospital PCs need to access a specific site, let's say "example.com", which is using Cognito. Traffic needs to go through the VPN, then the EC2 instance, and on to the internet.

What we did:

1. Configured nginx on the EC2 instance, with the hosts file on the hospital PCs pointing to the EC2 instance web server. But it does not work as expected from the hospital PCs: certificate issues with Cognito and nginx errors.

2. Configured an RDP server on the EC2 instance and established an RDP connection from the hospital PCs, using the Chrome browser to ignore certificate errors. But the RDP connection has some operational limitations.

What we want to do:

1. Configure the EC2 instance as a router and NAT device, with the default route pointing to the EC2 instance through the VPN.

2. VPC peering between the hospital VPC and the example.com VPC.

What will be other architecture alternatives? Can you please help?

Thank you!

2 answers
1
Accepted answer

The short answer is that this won't work as designed because of the way VPC routing works: it is non-transitive, so you can't have traffic coming from a VPN connection going to the internet (even if it is being sent through the Nginx instance). It looks like it should work, but it won't.

You can make it work in two different ways:

  • Use a Transit Gateway: Connect the VPN and VPC to the Transit Gateway. Transit Gateway is designed to behave like a router so things will "just work". However, there is extra cost there.
  • Explicit proxy: Configure Nginx as a proxy (I'm not sure if you can do this or not; if not, use something like Squid); set up the instance as an explicit proxy on the hospital PCs. You haven't mentioned it, but my assumption is that this is web traffic, so this will work fine. You can also put block-lists on the proxy if you need to; and the explicit proxy configuration will mean that only traffic for example.com will go to the proxy. This method also means you don't need a default route anywhere except in the VPC.
AWS Expert, answered 3 months ago
Reviewed by two Experts 3 months ago
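The explicit-proxy option above has two halves: the PC side must send only example.com to the proxy, and the proxy itself should refuse anything else. The following PAC (proxy auto-config) file is an added example, not code from the answerer or from AWS; it derives both the browser-side decision and a matching Squid allow-list from one host list. The proxy address 10.0.1.10:3128, the AWS region ap-northeast-1 and the assumption that the site's Cognito user pool API and hosted UI endpoints must also be reachable are constructed for the example; the real site may use different hosts, and whatever it uses has to be added to the same list or the Cognito login will fail behind the proxy.

```javascript
// Added example (not from the re:Post thread): a PAC file for the hospital PCs
// plus the matching Squid allow-list, both generated from one host list, so that
// only example.com (and the Cognito endpoints it relies on) is sent to the
// explicit proxy on the EC2 instance; everything else stays DIRECT.
//
// Assumptions (constructed for this example, not values from the thread):
//   - the proxy on the EC2 instance listens on 10.0.1.10:3128 (VPC private IP)
//   - the site is example.com and its Cognito user pool is in ap-northeast-1,
//     with the hosted UI on a domain under auth.ap-northeast-1.amazoncognito.com

const PROXY = "PROXY 10.0.1.10:3128";

// Domains whose traffic must cross the VPN to the proxy. A leading dot means
// "this domain and every subdomain", the same convention Squid's dstdomain uses.
const PROXIED_DOMAINS = [
  ".example.com",
  "cognito-idp.ap-northeast-1.amazonaws.com",   // user pool API endpoint
  ".auth.ap-northeast-1.amazoncognito.com",     // hosted UI / OAuth endpoints
];

// Match a hostname against one allow-list entry (exact host, or domain suffix).
function hostMatches(host, entry) {
  host = host.toLowerCase();
  if (entry.startsWith(".")) {
    const bare = entry.slice(1);
    return host === bare || host.endsWith(entry);
  }
  return host === entry;
}

// Standard PAC entry point. Browsers call this for every request; "DIRECT"
// keeps hospital-internal systems off the VPN, and deciding by host name
// rather than by URL means a path cannot steer unrelated traffic to the proxy.
function FindProxyForURL(url, host) {
  // Plain IP addresses and unqualified names are hospital-internal
  // destinations and must never be routed across the VPN.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || !host.includes(".")) {
    return "DIRECT";
  }
  return PROXIED_DOMAINS.some((d) => hostMatches(host, d)) ? PROXY : "DIRECT";
}

// Squid-side counterpart: an allow-list built from the same host list, so the
// proxy refuses anything the PAC should never have sent it (defence in depth
// against a PC whose proxy setting was edited by hand).
function squidAllowList() {
  const aclLines = PROXIED_DOMAINS.map((d) => `acl allowed_sites dstdomain ${d}`);
  return [
    ...aclLines,
    "acl SSL_ports port 443",
    "acl CONNECT method CONNECT",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow allowed_sites",
    "http_access deny all",
  ].join("\n");
}

// Guarded so the same file still loads unchanged inside a browser's PAC engine,
// which has neither `module` nor `require`.
if (typeof module !== "undefined") {
  module.exports = { FindProxyForURL, squidAllowList, hostMatches };
  if (require.main === module) {
    console.log(FindProxyForURL("https://example.com/login", "example.com"));
    console.log(FindProxyForURL("https://ehr.hospital.internal/", "ehr.hospital.internal"));
    console.log(squidAllowList());
  }
}
```

Serve the PAC from an internal web server (or push it with group policy) and point the PCs' automatic proxy configuration at it; run the script once with Node to print the Squid fragment and paste it into squid.conf above the default `http_access` rules. Because the browser talks to the proxy with CONNECT, TLS stays end-to-end between the PC and example.com, which is why the certificate errors seen with the hosts-file and nginx approach do not arise here.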
  • Hello.

    Cognito cannot use VPC endpoints as of August 2024, so you must use the public internet for communication from your PC to your Cognito user pool. In other words, if there is no direct communication path from the network where the hospital PC is located to the public internet, you will need to route it to AWS and then use something like NAT Gateway to be able to communicate with the Cognito user pool. I hope that the explanations provided in the following documents will be helpful. https://repost.aws/knowledge-center/site-to-site-vpn-access-internet
    Although it is simple, the structure is as follows. If you use Transit Gateway, the configuration will be as follows.

0

Appreciate your help.

Will test and update here with the status. Yes, it is web traffic.

Thank you!

Answered 3 months ago
