There's no classical one-to-one NAT in AWS VPCs. You can achieve something similar with mechanisms like load balancers or VPC endpoints, but they come with limitations and added costs. For example, you could create a separate VPC or additional subnets in your existing VPC with the preferred IP range, and place an NLB there to forward the connections to the real IPs of the target machines. However, that won't work with applications that refer to themselves or each other by IP address, or in certain other special situations, and both the NLB and the traffic passing through it will incur additional costs. Also, systems with changing IP addresses or AWS-managed DNS names can be hard to manage with address translation.
Your best option would be to place your AWS workloads in a VPC and subnets that have the proper IP addresses.
If that isn't possible, the second-best option would be to do the necessary address translation on the on-premises firewall.
To avoid needless IP conflicts, I'd advise sizing your VPCs and subnets properly, both in the cloud and on premises. A /16 contains 65,536 IP addresses, but it sounds likely you only have a handful of servers or other workloads in your VPC. You'd do better allocating a /22 (1,024 IPs) for the VPC, with perhaps a /25 per AZ for each private subnet and a /26 or /25 per public subnet.
With /16 allocations, each only containing a handful of IPs, you'll quickly run out of IP addresses and typically continuously run into overlapping addresses. At the /16 size, there are only 256 CIDR blocks in the entire 10.* address range.
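As an added illustration of the sizing advice in the answer above (example code, not part of the original post): this Python snippet checks a candidate VPC CIDR against existing ranges for overlap, carves the per-AZ /25 private and /26 public subnets out of a /22, and reports how many addresses remain. The existing ranges and the 10.20.0.0/22 candidate are constructed sample values; the five reserved addresses per subnet are the ones AWS holds back in every VPC subnet.

```python
import ipaddress

# Constructed sample values (not from the original post): ranges already in use
# that the new VPC must not collide with, and a candidate /22 block for the VPC.
EXISTING_RANGES = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/16"]
CANDIDATE_VPC = "10.20.0.0/22"

# AWS reserves the first four and the last address of every subnet
# (network address, VPC router, DNS resolver, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def overlaps_with(cidr, others):
    """Return the existing ranges (as strings) that overlap with `cidr`."""
    net = ipaddress.ip_network(cidr)
    return [o for o in others if net.overlaps(ipaddress.ip_network(o))]


def blocks_in(parent, prefix):
    """How many /prefix blocks fit in `parent` (e.g. 256 /16s in 10.0.0.0/8)."""
    parent = ipaddress.ip_network(parent)
    return 2 ** (prefix - parent.prefixlen)


def usable_hosts(subnet):
    """Addresses in an AWS subnet that can actually be assigned to instances."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, az_count, private_prefix=25, public_prefix=26):
    """Carve one private and one public subnet per AZ out of the VPC block.

    Larger subnets are allocated first so every block stays aligned to its
    own size. Raises ValueError if the VPC is too small for the request.
    Returns {"private": [...], "public": [...], "spare_addresses": int}.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    wanted = sorted(
        [("private", private_prefix)] * az_count
        + [("public", public_prefix)] * az_count,
        key=lambda item: item[1],  # smaller prefix length = bigger block first
    )
    plan = {"private": [], "public": []}
    cursor = vpc.network_address
    for role, prefix in wanted:
        # strict=True by default: raises if cursor is not aligned to the prefix
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(vpc):
            raise ValueError(
                f"{vpc} is too small for {az_count} AZs of "
                f"/{private_prefix} private + /{public_prefix} public subnets"
            )
        plan[role].append(subnet)
        cursor += subnet.num_addresses
    plan["spare_addresses"] = int(vpc.broadcast_address) + 1 - int(cursor)
    return plan


if __name__ == "__main__":
    print("overlaps with existing ranges:", overlaps_with(CANDIDATE_VPC, EXISTING_RANGES))
    plan = plan_subnets(CANDIDATE_VPC, az_count=3)
    for role in ("private", "public"):
        for s in plan[role]:
            print(f"{role:8} {s}  ({usable_hosts(s)} usable hosts)")
    print("spare addresses in VPC:", plan["spare_addresses"])
    print("/16 blocks available in 10.0.0.0/8:", blocks_in("10.0.0.0/8", 16))
```

Run it as-is to see the three-AZ layout for the sample /22; swap in your own on-premises ranges and candidate block to check for conflicts before creating the VPC.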
+1 to setting up the network without overlaps - it saves complexity, cost and time. Ref: https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/
If you absolutely have to do this, a third-party VPN/NAT appliance in the VPC is the way to go.