
From an isolated hospital network through an IPsec VPN to AWS, an EC2 instance, and then a specific site that uses Cognito


Hi support,

Appreciate your help.

Summary: We want to access "example.com" from PCs and subnets in a hospital network that has no direct gateway to the internet, by going through an AWS environment that has internet access, via a VPN. Hospital PCs need to access a specific site, let's say "example.com", which uses Cognito. The VPN connection is established. We can ping bidirectionally.

Details: Rough network diagram:

Hospital PC -- L3 device -- VPN device and FW -- cloud -- AWS VPN endpoint VPC -- EC2 instance -- internet

The hospital PC has its default gateway on the L3 device. The L3 device routes to the VPN device and FW. The VPN device has static routes to the private addresses on the AWS side. The VPN connection is established. We can ping bidirectionally from the PC to the EC2 instance.

Hospital PCs need to access a specific site, let's say "example.com", which uses Cognito. Traffic needs to go through the VPN, then the EC2 instance, and out to the internet.

What we did:

1. Configured nginx on the EC2 instance, with the hosts file on the hospital PCs pointing to the EC2 instance web server. This does not work as expected from the hospital PCs: certificate issues with Cognito and nginx errors.

2. Configured an RDP server on the EC2 instance and established RDP connections from the hospital PCs, using the Chrome browser to ignore certificate errors. But the RDP connection has some operational limitations.

What we want to do:

1. Configure the EC2 instance as a router and NAT device, with the default route pointing to the EC2 instance through the VPN.

2. VPC peering between the hospital VPC and the example.com VPC.

What will be other architecture alternatives? Can you please help?

Thank you!

2 answers

Accepted answer

The short answer is that this won't work as designed because of the way VPC routing works - it is non-transitive so you can't have traffic coming from a VPN connection going to the internet (even if it is being sent through the Nginx instance). It looks like it should work but it won't.

You can make it work in two different ways:

  • Use a Transit Gateway: Connect the VPN and VPC to the Transit Gateway. Transit Gateway is designed to behave like a router so things will "just work". However, there is extra cost there.
  • Explicit proxy: Configure Nginx as a proxy (I'm not sure if you can do this or not; if not, use something like Squid); set up the instance as an explicit proxy on the hospital PCs. You haven't mentioned it, but my assumption is that this is web traffic, so this will work fine. You can also put block-lists on the proxy if you need to; and the explicit proxy configuration will mean that only traffic for example.com will go to the proxy. This method also means you don't need a default route anywhere except in the VPC.
AWS expert, answered 3 months ago
Expert, reviewed 3 months ago
Expert, reviewed 3 months ago
  • Hello.

    Cognito cannot use VPC endpoints as of August 2024, so you must use the public internet for communication from your PC to your Cognito user pool. In other words, if there is no direct communication path from the network where the hospital PC is located to the public internet, you will need to route it to AWS and then use something like NAT Gateway to be able to communicate with the Cognito user pool. I hope that the explanations provided in the following documents will be helpful. https://repost.aws/knowledge-center/site-to-site-vpn-access-internet
    Although it is simple, the structure is as follows. If you use Transit Gateway, the configuration will be as follows.


Appreciate your help.

Will test and update here with the status. Yes, it is web traffic.

Thank you!

Answered 3 months ago
