Use NAT Gateway behind a transit gateway

0

Hi,

I couldn't find any posts that really answered this point, but I apologise in advance if the question was already asked.

Basically:

  • We have an AWS EU Region that connects to another company via VPN (transit gateway)
  • This company only allows us a single /27 subnet, which we've picked from the main EU VPC
  • All the subnets of our EU VPC can access the other company subnets using a natting gateway, that belongs to the /27 subnet mentioned below
  • This works fine for all the EU Subnets, but we recently added new AWS regions in APAC and US
  • The APAC and US VPCs are linked to the EU one also using transit gateway peering.
  • I can successfully communicate between regions, but I don't seem to be able to access the other company subnet from the other regions

So, before troubleshooting further I was wondering if I could have the below flow working with AWS:

APAC VPC -> Transit gateway -> EU Subnets -> Route via NAT Gateway of the /27 subnet -> Transit gateway -> Client subnet

The part from "EU Subnets" already works, and I added a route to the client subnet from the APAC subnet via the EU Transit gateway.

If this model is not supported by AWS, is there a recommended way of achieving it?

Thanks for your help, Alex

2 Answers
0
Accepted Answer

Hello.

Yes, the model you're trying to implement is supported by AWS, but there are a few nuances and steps you need to be aware of.

Transit Gateway Route Tables: Make sure that your EU Transit Gateway route table has routes to the APAC and US VPC CIDR blocks that point to the respective Transit Gateway attachments. Similarly, the APAC and US Transit Gateway route tables should have a route to the other company's subnet that points to the EU Transit Gateway attachment.

NAT Gateway: Ensure that the NAT Gateway in your EU VPC has an Elastic IP. This allows it to communicate outside the VPC. In your EU VPC, you should have a route table that points traffic destined for the other company's subnet to the NAT Gateway.

Best regards, Andrii

answered 7 months ago
reviewed 7 months ago
  • Thanks a lot Andrii for the fast and thorough response! If my NAT gateway has an elastic IP, does it mean the client will see (and need to accept) the public IP, or can I still use my private /27 subnet?

  • Hi Andrii, I submitted a new question here: https://repost.aws/questions/QUS5s5rPTGS7mjbsxOX91_xg/use-public-nat-for-vpn-connection

    But I can't make the Public NAT Gateway solution work: if I set up the NAT Gateway as the network route, the traffic doesn't seem to go to the transit gateway. Can you confirm how it should be done?
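One way to lay out the route tables Andrii describes, written as an added Terraform example (not code from the thread or from AWS); every ID and CIDR in it is a constructed placeholder. It goes one step beyond the answer by giving the EU transit gateway a second route table, because the client prefix has to be routed into the EU VPC for untranslated packets arriving from the peering attachment and out to the VPN for translated packets arriving from the VPC attachment, and a single table cannot hold both routes.

```hcl
# Added example (Terraform, not from the thread). All IDs/CIDRs are constructed
# placeholders. Assumes the EU TGW's existing route table already sends the
# client prefix to the VPN attachment and the APAC/US prefixes to the peering
# attachment (that is what works today for the EU subnets).
locals {
  client_cidr = "192.168.100.0/24" # other company's subnet (placeholder)
  eu_vpc_cidr = "10.10.0.0/16"     # EU VPC (placeholder)
  apac_cidr   = "10.20.0.0/16"     # APAC VPC (placeholder)
}

# 1. EU TGW: a separate route table for the peering attachment. Packets from
#    APAC/US for the client prefix must be sent INTO the EU VPC (to the NAT
#    Gateway), while the existing table keeps sending that prefix OUT to the
#    VPN for already-translated packets. One table cannot hold both routes.
resource "aws_ec2_transit_gateway_route_table" "from_peering" {
  transit_gateway_id = "tgw-EU-PLACEHOLDER"
}
resource "aws_ec2_transit_gateway_route_table_association" "peering" {
  transit_gateway_attachment_id  = "tgw-attach-PEERING-PLACEHOLDER"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_peering.id
}
resource "aws_ec2_transit_gateway_route" "from_peering" {
  for_each                       = toset([local.client_cidr, local.eu_vpc_cidr])
  destination_cidr_block         = each.value
  transit_gateway_attachment_id  = "tgw-attach-EU-VPC-PLACEHOLDER"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_peering.id
}

# 2. EU VPC, subnet(s) holding the TGW attachment ENIs: hand the client
#    prefix to the NAT Gateway in the /27 subnet. The TGW attachment must not
#    sit in the /27 subnet itself, or this route collides with step 3.
resource "aws_route" "tgw_subnet_to_nat" {
  route_table_id         = "rtb-TGW-ATTACH-SUBNET-PLACEHOLDER"
  destination_cidr_block = local.client_cidr
  nat_gateway_id         = "nat-PLACEHOLDER"
}

# 3. EU VPC, the /27 NAT subnet: translated packets go back to the TGW, and
#    return traffic for APAC (after de-translation) also needs a TGW route.
resource "aws_route" "nat_subnet_to_tgw" {
  for_each               = toset([local.client_cidr, local.apac_cidr])
  route_table_id         = "rtb-NAT-SUBNET-PLACEHOLDER"
  destination_cidr_block = each.value
  transit_gateway_id     = "tgw-EU-PLACEHOLDER"
}
```

The APAC/US transit gateway route tables still need the client prefix pointed at their peering attachment, as the answer states; that part is unchanged and not repeated here.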

0

When you use a NAT Gateway with an Elastic IP, the client will indeed see the public IP address associated with the Elastic IP when traffic originates from any subnet in your VPC (or from connected VPCs, in your architecture) and is routed through the NAT Gateway.

This means the other company, to which you're connecting via VPN, will need to put or accept the public IP address of the NAT Gateway in their firewall or security rules.

answered 7 months ago
  • Ok, thanks. I'll implement this solution then.
