An unassigned Elastic IP (EIP) will not work as a non-publicly routable encryption domain for your VPN server. Elastic IPs are designed to be publicly routable addresses, and they need to be associated with an instance or network interface to function properly. An unassigned EIP is simply reserved for your account but not actively usable until associated with a resource.
Since the connection IP will already be a public IP of your VPN server to which your customer establishes the tunnel, for the encryption domain public IP you can do the following.
If you need to use public IPs for the encryption domain, you could associate a secondary CIDR block from any public range to your existing VPC, and even though the IPs are public it will serve as a private network. You can then do the following:
- Configure a subnet with the public CIDR range.
- Deploy resources in this subnet or create and attach another interface from the public CIDR range subnet to your existing VPN server instance and use the public IP as an encryption domain.
- Configure appropriate routing to direct traffic through your VPN.
Important considerations for your setup:
- Security Groups: Ensure they allow the necessary traffic between your VPN server and the resources that need to communicate through it.
- nftables: Configure rules to properly forward traffic between the public connection IP and your internal network.
- VPC level: Make sure your route tables are configured to direct traffic appropriately through the VPN connection.
- Subnet configuration: Your VPN endpoint needs to be in a public subnet with a route to an Internet Gateway if you're using public IPs.
Sources
Elastic IP is not publicly accessible. | AWS re:Post
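The following is an added example that is not part of the answer above or of any AWS tooling. It checks, offline, that a planned secondary CIDR is usable as the encryption domain (no overlap with the existing VPC CIDRs or the customer's side, not RFC 1918/CGNAT space, within the /16 to /28 size AWS accepts for VPC CIDR blocks), then renders the nftables forward rules and the AWS CLI sequence the answer's steps correspond to. All identifiers (vpc-, sg-, instance ids, `tun0`, `eth1`, the 203.0.113.0/24 and 198.51.100.0/24 ranges) are constructed placeholders.

```python
"""Offline planning checks for using a public CIDR as a private encryption domain
behind a VPN server in a VPC. Hypothetical helper, not an AWS library."""
import ipaddress
from typing import List

# Ranges reserved for private or carrier-grade NAT use. The design needs a range
# outside these so the customer sees a public-looking encryption domain. RFC 5737
# documentation ranges are deliberately not listed so the constructed sample
# values below (203.0.113.0/24 etc.) pass the check.
NON_PUBLIC_RANGES = [ipaddress.ip_network(c) for c in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_plan(vpc_cidrs: List[str], secondary_cidr: str, customer_cidr: str) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent.

    vpc_cidrs      - CIDR blocks already associated with the VPC
    secondary_cidr - public range to add as a secondary VPC CIDR (our encryption domain)
    customer_cidr  - the remote side's encryption domain
    """
    problems = []
    sec = ipaddress.ip_network(secondary_cidr, strict=True)
    cust = ipaddress.ip_network(customer_cidr, strict=True)
    for c in vpc_cidrs:
        existing = ipaddress.ip_network(c, strict=True)
        if existing.overlaps(sec):
            problems.append(f"secondary CIDR {sec} overlaps existing VPC CIDR {existing}")
        if existing.overlaps(cust):
            problems.append(f"customer side {cust} overlaps existing VPC CIDR {existing}")
    if sec.overlaps(cust):
        problems.append(f"encryption domain {sec} overlaps customer side {cust}")
    if any(sec.overlaps(r) for r in NON_PUBLIC_RANGES):
        problems.append(f"{sec} is private/CGNAT space, not a public range")
    # AWS accepts VPC CIDR blocks sized between /16 and /28.
    if not 16 <= sec.prefixlen <= 28:
        problems.append(f"VPC CIDR blocks must be /16 to /28, got /{sec.prefixlen}")
    return problems


def nft_forward_rules(tunnel_if: str, domain_if: str, customer_cidr: str, domain_cidr: str) -> str:
    """Render a minimal nftables forward chain: default drop, allow only the two
    encryption domains to talk across the tunnel (plus return traffic).
    Requires net.ipv4.ip_forward=1 on the VPN host."""
    return "\n".join([
        "table ip vpn {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{tunnel_if}" oifname "{domain_if}" ip saddr {customer_cidr} ip daddr {domain_cidr} accept',
        f'    iifname "{domain_if}" oifname "{tunnel_if}" ip saddr {domain_cidr} ip daddr {customer_cidr} accept',
        "  }",
        "}",
    ])


def aws_cli_plan(vpc_id: str, secondary_cidr: str, az: str, sg_id: str, instance_id: str) -> List[str]:
    """The answer's steps as AWS CLI calls; ids produced by earlier steps are left
    as <placeholders> to fill in after each call returns."""
    return [
        f"aws ec2 associate-vpc-cidr-block --vpc-id {vpc_id} --cidr-block {secondary_cidr}",
        f"aws ec2 create-subnet --vpc-id {vpc_id} --cidr-block {secondary_cidr} --availability-zone {az}",
        f"aws ec2 create-network-interface --subnet-id <subnet-id> --groups {sg_id}",
        f"aws ec2 attach-network-interface --network-interface-id <eni-id> "
        f"--instance-id {instance_id} --device-index 1",
    ]


if __name__ == "__main__":
    # Constructed sample: existing VPC 10.0.0.0/16, new public-range domain, customer side.
    issues = check_plan(["10.0.0.0/16"], "203.0.113.0/24", "198.51.100.0/24")
    print("plan problems:", issues or "none")
    print(nft_forward_rules("tun0", "eth1", "198.51.100.0/24", "203.0.113.0/24"))
    print("\n".join(aws_cli_plan("vpc-0example", "203.0.113.0/24", "us-east-1a",
                                 "sg-0example", "i-0example")))
```

The forward chain keeps the default-drop posture the answer's "nftables" consideration calls for: only the two encryption domains are forwarded across the tunnel interface, so a host on the public-range subnet cannot reach arbitrary customer addresses and vice versa.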
