Hello.
Yes, the model you're trying to implement is supported by AWS, but there are a few nuances and steps you need to be aware of.
Transit Gateway Route Tables: Make sure that your EU Transit Gateway route table has routes to the APAC and US VPC CIDR blocks that point to the respective Transit Gateway attachments. Similarly, the APAC and US Transit Gateway route tables should have a route to the other company's subnet that points to the EU Transit Gateway attachment.
NAT Gateway: Ensure that the NAT Gateway in your EU VPC has an Elastic IP. This allows it to communicate outside the VPC. In your EU VPC, you should have a route table that points traffic destined for the other company's subnet to the NAT Gateway.
Best regards, Andrii
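The three routing pieces the answer lists, written out as an added Terraform example (not code from the original thread or from AWS). Every CIDR, variable and attachment ID is a constructed placeholder, and it assumes the site-to-site VPN to the other company is an attachment on the EU Transit Gateway and that the NAT Gateway sits in its own subnet.

```hcl
locals {
  partner_cidr = "203.0.113.0/27"                                # constructed
  spoke_cidrs  = { apac = "10.20.0.0/16", us = "10.30.0.0/16" }  # constructed
}

# (1) EU TGW route table used by the EU VPC attachment: spoke VPC CIDRs reach their
# peering attachments; post-NAT traffic for the partner goes to the VPN attachment.
resource "aws_ec2_transit_gateway_route" "eu_vpc_rt_to_spokes" {
  for_each                       = local.spoke_cidrs
  transit_gateway_route_table_id = var.eu_tgw_rt_vpc_id                 # assumed
  destination_cidr_block         = each.value
  transit_gateway_attachment_id  = var.eu_peering_attachment_ids[each.key]
}
resource "aws_ec2_transit_gateway_route" "eu_vpc_rt_to_vpn" {
  transit_gateway_route_table_id = var.eu_tgw_rt_vpc_id
  destination_cidr_block         = local.partner_cidr
  transit_gateway_attachment_id  = var.eu_vpn_attachment_id             # assumed
}

# Separate EU TGW route table associated with the peering attachments: traffic
# arriving from APAC/US for the partner is steered into the EU VPC to hit the NAT
# Gateway. One table cannot hold two routes for the same prefix, hence two tables.
resource "aws_ec2_transit_gateway_route" "peering_rt_to_eu_vpc" {
  transit_gateway_route_table_id = var.eu_tgw_rt_peering_id             # assumed
  destination_cidr_block         = local.partner_cidr
  transit_gateway_attachment_id  = var.eu_vpc_attachment_id             # assumed
}

# (2) APAC and US TGW route tables (in their own regions): the partner subnet is
# reached through each region's peering attachment to the EU TGW.
resource "aws_ec2_transit_gateway_route" "spoke_rt_to_partner" {
  for_each                       = local.spoke_cidrs
  transit_gateway_route_table_id = var.spoke_tgw_rt_ids[each.key]       # assumed
  destination_cidr_block         = local.partner_cidr
  transit_gateway_attachment_id  = var.spoke_peering_attachment_ids[each.key]
}

# (3) EU VPC: the subnet route table behind the TGW attachment sends partner-bound
# traffic to the NAT Gateway; the NAT subnet's table hands it back to the TGW.
resource "aws_route" "attachment_subnet_to_nat" {
  route_table_id         = var.eu_attachment_subnet_rt_id               # assumed
  destination_cidr_block = local.partner_cidr
  nat_gateway_id         = var.eu_nat_gateway_id                        # assumed
}
resource "aws_route" "nat_subnet_to_tgw" {
  route_table_id         = var.eu_nat_subnet_rt_id                      # assumed
  destination_cidr_block = local.partner_cidr
  transit_gateway_id     = var.eu_tgw_id                                # assumed
}
```

The partner's firewall will see the NAT Gateway's address, so the return path (partner subnet to the EU VPC CIDR via the VPN attachment's route table) also has to exist; it is omitted here for brevity.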
When you use a NAT Gateway with an Elastic IP, the client will indeed see the public IP address associated with the Elastic IP when traffic originates from any subnet in your VPC (or from connected VPCs, in your architecture) and is routed through the NAT Gateway.
This means the other company, to which you're connecting via VPN, will need to put or accept the public IP address of the NAT Gateway in their firewall or security rules.
OK, thanks. I'll implement this solution then.
Thanks a lot Andrii for the fast and thorough response! If my NAT gateway has an elastic IP, does it mean the client will see (and need to accept) the public IP, or can I still use my private /27 subnet?
Hi Andrii, I submitted a new question here: https://repost.aws/questions/QUS5s5rPTGS7mjbsxOX91_xg/use-public-nat-for-vpn-connection
But I can't make the Public NAT Gateway solution work: if I set up the NAT Gateway as the network route, the traffic doesn't seem to go to the transit gateway. Can you confirm how it should be done?