
VPN Setup and One-to-One NAT Mapping in AWS - How to practically do this in AWS to an on-prem Firewall


Hi Team,

I am encountering an issue with our on-premises network firewall. We have a local network in the range of 10.10.0.0/16, along with additional ranges like 10.11.0.0/16, 192.168.1.0/24, and 192.168.2.0/24. Our client has servers in AWS that also use the 10.10.0.0/16 subnet.

I would like to establish a site-to-site VPN connection from our on-premises network (192.168.1.0/24) to the AWS servers (10.10.0.0/16) without any conflicts. Instead of using the 10.10.0.0/16 range, I prefer to utilize the 172.17.0.0/16 range for this connection.

Could you please guide me on how to implement one-to-one mapping using NAT in AWS? Specifically, I need assistance with the configuration required to connect to the 10.10.0.0/16 servers while using the 172.17.0.0/16 range. Any help would be greatly appreciated!

Thank you!

1 Answer

There's no classical one-to-one NAT in AWS VPCs. You can achieve something similar with mechanisms like load balancers or VPC endpoints, but they come with limitations and added costs. For example, you could create a separate VPC or additional subnets in your existing VPC with the preferred IP range, and place an NLB there to forward the connections to the real IPs of the target machines. However, that won't work with applications that refer to themselves or each other by IP address, or in certain other special situations, and both the NLB and the traffic passing through it will incur additional costs. Also, systems with changing IP addresses or AWS-managed DNS names can be hard to manage with address translation.

Your best option would be to place your AWS workloads in a VPC and subnets that have the proper IP addresses.

If that isn't possible, the second-best option would be to do the necessary address translation on the on-premises firewall.

To avoid needless IP conflicts, I'd advise sizing your VPCs and subnets properly, both in the cloud and on premises. A /16 contains 65,536 IP addresses, but it sounds likely you only have a handful of servers or other workloads in your VPC. You'd do better allocating a /22 (1,024 IPs) for the VPC, with perhaps a /25 per AZ for each private subnet and a /26 or /25 per public subnet.

With /16 allocations, each only containing a handful of IPs, you'll quickly run out of IP addresses and typically continuously run into overlapping addresses. At the /16 size, there are only 256 CIDR blocks in the entire 10.* address range.

EXPERT
answered 24 days ago
EXPERT
reviewed 23 days ago
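The address arithmetic behind the answer's two fallbacks, as an added example that is not part of the answer or of any AWS tooling: it checks a candidate alias range against the on-prem ranges from the question, computes the prefix-preserving 1:1 mapping (10.10.x.y to 172.17.x.y and back), emits what the "translate on the on-premises firewall" option looks like, and carves the suggested /22 into per-AZ /25 and /26 subnets. The firewall commands assume a Linux netfilter firewall with a route-based IPsec tunnel on an interface called vti0, a fwmark of 0x11 and routing table 100; those names, and the AZ labels, are assumptions, and a vendor firewall needs the equivalent in its own syntax.

```python
"""Address planning for an overlapping on-prem / VPC range.

Added example, not from the re:Post answer. Standard library only; the CIDRs
are the ones the question lists. ASSUMPTION for netmap_rules(): a Linux
netfilter firewall with a route-based (VTI) IPsec tunnel named vti0.
"""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# Ranges taken from the question: the on-prem side and the client's VPC.
ONPREM_RANGES = ["10.10.0.0/16", "10.11.0.0/16", "192.168.1.0/24", "192.168.2.0/24"]
AWS_REAL = "10.10.0.0/16"      # what the VPC actually uses
AWS_ALIAS = "172.17.0.0/16"    # what on-prem hosts will dial instead
ONPREM_SRC = "192.168.1.0/24"  # the LAN that needs to reach the VPC


def overlapping(cidr: str, others: List[str]) -> List[IPv4Net]:
    """Return every range in `others` that overlaps `cidr`.

    Run this before settling on an alias range: an alias that collides with an
    on-prem or partner range only moves the problem.
    """
    net = ipaddress.ip_network(cidr)
    return [o for o in map(ipaddress.ip_network, others) if o.overlaps(net)]


def translate(addr: str, src: str, dst: str) -> ipaddress.IPv4Address:
    """Static, prefix-preserving 1:1 mapping of `addr` from `src` into `dst`.

    Host bits are kept, so 10.10.4.7 <-> 172.17.4.7. Both prefixes must have
    the same length, otherwise the mapping is not one-to-one.
    """
    a = ipaddress.ip_address(addr)
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    if s.prefixlen != d.prefixlen:
        raise ValueError(f"{src} and {dst} differ in size; 1:1 NAT needs equal prefixes")
    if a not in s:
        raise ValueError(f"{addr} is not inside {src}")
    return ipaddress.ip_address(int(d.network_address) + (int(a) - int(s.network_address)))


def netmap_rules(alias: str, real: str, lan_src: str,
                 tunnel_if: str = "vti0", mark: int = 0x11) -> List[str]:
    """Commands for doing the translation on a Linux on-prem firewall (assumed setup).

    The fwmark and policy route are the part that is easy to forget: once NETMAP
    has rewritten the destination to 10.10.x.y, a plain destination lookup would
    deliver the packet to the local 10.10.0.0/16 LAN instead of the tunnel. The
    mark is set in mangle PREROUTING, which runs before nat PREROUTING and
    before the routing decision, so the rule can still match on the alias.
    """
    return [
        f"iptables -t mangle -A PREROUTING -s {lan_src} -d {alias} -j MARK --set-mark {mark:#x}",
        f"iptables -t nat -A PREROUTING -s {lan_src} -d {alias} -j NETMAP --to {real}",
        f"ip rule add fwmark {mark:#x} lookup 100",
        f"ip route add {real} dev {tunnel_if} table 100",
    ]


def carve_vpc(vpc: str, azs: List[str],
              private_prefix: int = 25, public_prefix: int = 26) -> Dict[str, IPv4Net]:
    """Split a VPC CIDR into one private and one public subnet per AZ.

    Follows the sizing in the answer (/22 VPC, /25 private, /26 public). Blocks
    are handed out in address order, aligned to their own size, and the function
    refuses to overrun the VPC rather than silently overlapping.
    """
    net = ipaddress.ip_network(vpc)
    cursor, end = int(net.network_address), int(net.broadcast_address) + 1
    plan: Dict[str, IPv4Net] = {}

    def take(prefix: int) -> IPv4Net:
        nonlocal cursor
        size = 1 << (32 - prefix)
        cursor = -(-cursor // size) * size  # align up to a block boundary
        if cursor + size > end:
            raise ValueError(f"{vpc} is too small for this layout")
        block = ipaddress.ip_network((cursor, prefix))
        cursor += size
        return block

    for az in azs:
        plan[f"private-{az}"] = take(private_prefix)
    for az in azs:
        plan[f"public-{az}"] = take(public_prefix)
    return plan


if __name__ == "__main__":
    print("VPC range collides with:", [str(n) for n in overlapping(AWS_REAL, ONPREM_RANGES)])
    print("alias range collides with:", [str(n) for n in overlapping(AWS_ALIAS, ONPREM_RANGES)])
    print("10.10.4.7 is reached from on-prem as", translate("10.10.4.7", AWS_REAL, AWS_ALIAS))
    for rule in netmap_rules(AWS_ALIAS, AWS_REAL, ONPREM_SRC):
        print(rule)
    for name, block in carve_vpc("10.10.0.0/22", ["a", "b", "c"]).items():
        print(f"{name:10s} {block}")
```

The on-prem side only ever sees 172.17.0.0/16, so nothing in the local 10.10.0.0/16 LAN has to change; the cost is that every AWS host must be addressed by its alias, which is exactly the limitation the answer describes for applications that pass their own 10.10.x.y addresses around. The /22 layout leaves 10.10.2.64 through 10.10.3.255 unallocated for growth.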
