Use Public NAT for VPN connection

Hi,

I'm following the answer on https://repost.aws/questions/QUXOVWxXXrTDquDf54D27yrQ/use-nat-gateway-behind-a-transit-gateway

I have created a public NAT IP accordingly, and added a route in my relevant subnets to access the client target subnet using the NAT gateway.

However, the traffic doesn't go through the VPN.

Basically:

  • We need to access subnet #2 from subnet #1, using "Public NAT IP Gateway".

My configuration goes as suggested: Subnet #1 with routing to subnet #2 via "Public NAT IP Gateway" -> Transit gateway -> Client subnet

However, it doesn't look like the subnet #1 is actually reaching the client subnet, as my routing goes through a NAT Gateway instead of the Transit gateway.

Do I need to take extra steps to ensure AWS understands my traffic needs to go through the Transit gateway?

1 Answer
Accepted Answer

Hello Alx,

Referring to https://repost.aws/questions/QUXOVWxXXrTDquDf54D27yrQ/use-nat-gateway-behind-a-transit-gateway, I understand you can already reach the Client Subnet from the EU VPC via the NAT Gateway IP (this would be the private IP of the NAT Gateway in the /27 subnet, which the Client will see from their end; the public/Elastic IP is not used unless traffic goes through an Internet Gateway, so I would like to correct the answer posted on the previous question).

Now coming to: APAC VPC -> APAC Transit gateway -- TGW Peering -- EU Transit Gateway -> EU VPC -> Route via NAT Gateway of the /27 subnet -> Transit gateway -> Client subnet

  1. Make sure APAC VPC subnets have Route: Client subnet --> APAC Transit Gateway
  2. On APAC Transit Gateway the APAC VPC attachment Route table: Client subnet --> EU Transit Gateway via TGW Peering
  3. On EU Transit Gateway Peering attachment Route table: Client subnet --> EU VPC attachment

Next, the EU Transit Gateway would be sending traffic to the 'associated' subnets of the EU VPC. Traffic would be checked against the associated subnet's route table. The associated subnet should NOT be the /27 subnet, as this would mess up routing and skip the NAT Gateway. The associated subnet should be one of the other subnets in the EU VPC, which already have the following route: Client subnet --> NAT Gateway.

If the above is taken care of, you can reach from APAC VPC to Client Subnet. Make sure the routes are also in place for return traffic to reach the APAC VPC from the Client Subnet.

Feel free to ask any additional clarifying questions and we'd be happy to answer.

AWS EXPERT, answered 7 months ago (reviewed a month ago)
  • Thanks Karthikiran, I could test and it works perfectly!
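Added example (not from the original thread or from AWS): a small Python model of the route-lookup chain the accepted answer lays out, steps 1-3 plus the EU VPC leg. It shows why the subnet associated with the EU VPC attachment matters: associate an ordinary EU subnet and the packet is handed to the NAT Gateway, so the client sees the NAT Gateway's private IP; associate the /27 NAT subnet instead and the lookup skips the NAT Gateway entirely. All CIDRs, IPs and route-table names are constructed for the example, and the model follows route lookups only; it does not model how AWS handles a packet that would be sent back to the same Transit Gateway, nor the return path the answer says must also be routed.

```python
import ipaddress

# --- Constructed topology (example values only; nothing here is from the thread) ---
CLIENT_SUBNET  = "192.168.50.0/24"   # client's subnet behind the EU Transit Gateway
APAC_VPC       = "10.1.0.0/16"
EU_VPC         = "10.2.0.0/16"
EU_NAT_SUBNET  = "10.2.255.0/27"     # the /27 that holds the NAT Gateway
NAT_PRIVATE_IP = "10.2.255.10"       # NAT Gateway's private IP: the source the client sees

# Route tables: name -> list of (prefix, target). Target strings:
#   "local"         deliver inside the VPC / attachment
#   "nat"           hand to the NAT Gateway (source rewritten, lookup continues in the /27's table)
#   "table:<name>"  hand to another route table (TGW attachment, peering, or VPC attachment)
TABLES = {
    # Step 1: APAC VPC subnets route the client subnet to the APAC TGW
    "apac-subnet-rt": [(APAC_VPC, "local"), (CLIENT_SUBNET, "table:apac-tgw-vpc-rt")],
    # Step 2: APAC TGW route table for the APAC VPC attachment -> EU TGW via peering
    "apac-tgw-vpc-rt": [(CLIENT_SUBNET, "table:eu-tgw-peering-rt")],
    # Step 3: EU TGW route table for the peering attachment -> EU VPC attachment.
    # The EU VPC attachment delivers into the *associated* EU subnet, whose route
    # table is consulted next; which subnet that is is a parameter of trace().
    "eu-tgw-peering-rt": [(CLIENT_SUBNET, "table:eu-vpc-attachment")],
    # An ordinary EU subnet: client subnet -> NAT Gateway
    "eu-app-subnet-rt": [(EU_VPC, "local"), (CLIENT_SUBNET, "nat")],
    # The /27 NAT subnet: client subnet -> EU TGW
    "eu-nat-subnet-rt": [(EU_VPC, "local"), (CLIENT_SUBNET, "table:eu-tgw-vpc-rt")],
    # EU TGW route table for the EU VPC attachment -> client attachment
    "eu-tgw-vpc-rt": [(CLIENT_SUBNET, "table:client-attachment")],
    "client-attachment": [(CLIENT_SUBNET, "local")],
}


def lpm(table_name, dst, tables=TABLES):
    """Longest-prefix-match lookup in one route table; None means no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in tables[table_name]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src, dst, associated_eu_subnet_rt, tables=TABLES, max_hops=12):
    """Follow a packet from an APAC subnet towards dst.

    associated_eu_subnet_rt: route table of the EU subnet associated with the
    EU VPC attachment on the EU TGW. Returns (hops, source IP seen at the end),
    where hops is a list of (table consulted, target chosen).
    """
    table, hops = "apac-subnet-rt", []
    for _ in range(max_hops):
        target = lpm(table, dst, tables)
        hops.append((table, target))
        if target is None:
            return hops, None            # no route: black hole
        if target == "local":
            return hops, src             # delivered; src is what the receiver sees
        if target == "nat":
            src = NAT_PRIVATE_IP         # NAT Gateway rewrites the source...
            table = "eu-nat-subnet-rt"   # ...and forwards from the /27 subnet
            continue
        nxt = target.split(":", 1)[1]
        # The VPC attachment lands in whichever EU subnet is associated with it
        table = associated_eu_subnet_rt if nxt == "eu-vpc-attachment" else nxt
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    for rt in ("eu-app-subnet-rt", "eu-nat-subnet-rt"):
        hops, seen = trace("10.1.5.20", "192.168.50.7", rt)
        print(f"associated={rt}: {' > '.join(t for t, _ in hops)} | client sees {seen}")
```

Running it prints two paths: with `eu-app-subnet-rt` associated, the chain passes through `nat` and the client sees `10.2.255.10`; with `eu-nat-subnet-rt` associated, the /27's own table sends the packet straight back to the EU TGW and the client sees the APAC source address, which is exactly the "skips the NAT Gateway" case the answer warns about.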
