Hello,
Unfortunately, the AI generated response to your question is not correct. You can route traffic initiated from the AWS side of the tunnel through a NAT gateway before the tunnel. However, as outlined in this document, the traffic will be NATed to the private IP address of the NAT gateway. The public NAT gateway will only use its public IP as the source IP address when the traffic is routed to an Internet Gateway in the same VPC.
To NAT traffic sent through the tunnel to a public address, you would need to add a CIDR block of public IPs to your VPC.
- Add a /28 block of public IPs that you own to the VPC.
- Configure a subnet in the VPC and address it with the public IPs.
- Deploy a private NAT gateway into the publicly addressed subnet. This will be a private NAT gateway as it will not route traffic to an Internet gateway. The NAT gateway will be assigned one of the public IPs from the subnet.
- Configure route tables in your workload subnets to route traffic destined for the public server through the NAT gateway.
- Configure the route table in the NAT gateway subnet to route traffic destined for the public server to the Virtual Private Gateway or Transit Gateway where the VPN tunnel is terminated.
- Configure routing at the public server side of the VPN tunnel to send traffic destined for the NAT gateway IP through the tunnel.
In this configuration the public CIDR used in the VPC would not be advertised to the Internet and would only be used for private communications within the VPC or across the VPN tunnel. If you don't own any public IPs, you could consider using addresses from the 100.64.0.0/10 shared address space.
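The six steps above written out as Terraform, as an added example rather than code from Cameran's answer or from AWS; the VPC and VGW IDs, the workload subnet list and the public-server prefix 203.0.113.0/24 are assumed placeholders, and 100.64.0.0/28 stands in for an owned public /28.

```hcl
variable "vpc_id" {}
variable "vgw_id" {}                              # VGW terminating the Site-to-Site VPN
variable "workload_subnet_ids" { type = list(string) }
variable "public_server_cidr" { default = "203.0.113.0/24" }  # placeholder prefix
# Step 1: attach the extra block to the VPC. 100.64.0.0/28 stands in for a
# public /28 you own; it is never advertised, only used in the VPC and over the tunnel.
resource "aws_vpc_ipv4_cidr_block_association" "nat_cidr" {
  vpc_id     = var.vpc_id
  cidr_block = "100.64.0.0/28"
}
# Step 2: a subnet addressed out of that block.
resource "aws_subnet" "nat" {
  vpc_id     = var.vpc_id
  cidr_block = aws_vpc_ipv4_cidr_block_association.nat_cidr.cidr_block
}
# Step 3: private NAT gateway (no Elastic IP, never routes to an IGW). Its
# address is taken from 100.64.0.0/28 and is the source IP seen on the far side.
resource "aws_nat_gateway" "private" {
  subnet_id         = aws_subnet.nat.id
  connectivity_type = "private"
}
# Step 4: workload subnets send traffic for the public server to the NAT gateway.
resource "aws_route_table" "workload" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = var.public_server_cidr
    nat_gateway_id = aws_nat_gateway.private.id
  }
}
resource "aws_route_table_association" "workload" {
  for_each       = toset(var.workload_subnet_ids)
  subnet_id      = each.value
  route_table_id = aws_route_table.workload.id
}
# Step 5: the NAT gateway's subnet forwards the translated traffic to the VGW.
resource "aws_route_table" "nat" {
  vpc_id = var.vpc_id
  route {
    cidr_block = var.public_server_cidr
    gateway_id = var.vgw_id
  }
}
resource "aws_route_table_association" "nat" {
  subnet_id      = aws_subnet.nat.id
  route_table_id = aws_route_table.nat.id
}
# Step 6 lives on the customer gateway: route 100.64.0.0/28 into the tunnel.
```

A Transit Gateway attachment can replace `var.vgw_id` in step 5 by using `transit_gateway_id` in that route instead of `gateway_id`.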
To achieve your goal of having traffic initiated from AWS appear with a public IP at the public server, while still using your established IPsec tunnel through Site-to-Site VPN, you'll need to implement a combination of routing and Network Address Translation (NAT). Here's how you can approach this:
- Set up a NAT Gateway in your VPC: If you haven't already, create a NAT Gateway in a public subnet of your VPC. This will allow instances in private subnets to initiate outbound traffic to the internet.
- Configure routing: You'll need to adjust your VPC route tables to direct the traffic through the NAT Gateway before it reaches the VPN Gateway.
  - In the route table associated with your private subnets, add a route that sends traffic destined for your on-premises network (the CIDR range of your public server) to the VPN Gateway.
  - Add another route that sends internet-bound traffic (0.0.0.0/0) to the NAT Gateway.
- VPN Gateway configuration: Ensure your VPN Gateway is correctly configured to route traffic between your VPC and the on-premises network.
- On-premises configuration: Make sure your on-premises VPN device is configured to accept traffic from the public IP of your NAT Gateway.
By implementing this setup, traffic initiated from your AWS instances will first go through the NAT Gateway, where it will be source NATed to the NAT Gateway's public IP. Then, this traffic will be routed through the VPN Gateway and over the IPsec tunnel to your public server.
It's important to note that while this setup will make the traffic appear to come from a public IP, it will still traverse your Site-to-Site VPN connection, maintaining the security benefits of your VPN while achieving the desired source NAT functionality.
Remember to test thoroughly after implementation to ensure all routing and NAT processes are working as expected.
Sources
AWS Site-to-Site VPN single and multiple VPN connection examples - AWS Site-to-Site VPN
Configure an AWS site-to-site VPN | AWS re:Post
Thanks Cameran for the answer. The steps you provided successfully guided us to send egress traffic from our EC2 instance to the on-premises server. Although in Step 6 you mentioned that we can accept inbound traffic (from the on-premises server to the EC2 instance) through the NAT gateway IP, we are not actually able to do that: the traffic passes through the tunnel but doesn't reach the EC2 instance.
Any advice please.