- Newest
- Most votes
- Most comments
You’re going to have to create a NLB in the EKS vpc pointing to the ALB and then use private link to make the NLB available to the gateway VpC.
In the gateway VPC you have to create an endpoint service attached to your private link service you have created.
Create a DNS record alias pointing to the endpoint service you have created in the gateway vpc so that onprem machines can resolve.
Hello Demenjazi,
As Matt mentioned, NAT instance in VPC1 is one way to do it. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#basics
Or you can create the NLB-ALB in VPC2 and create an Endpoint Service (AWS Private Link) in VPC2 with NLB as Target. An Interface Endpoint can then be created in VPC1 which consumes the Endpoint Service from VPC2. This Interface Endpoint in VPC1 can be accessed from On-premise through VPN connection.
https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html
Not sure how the ALB can help here. If you don't want to define the encryption domain of VPC2 10.2.0.0/24, then the Site-to-Site VPN connection will not carry any traffic for that CIDR. What you could do (but need testing and deep dive into your architecture to see if this will even work) is to use a Linux NAT machine in VPC1, NAT the traffic of 10.2.0.0/24 to 10.1.x.x/32, routing from VPC2 to on-prem would need to be configured so that it can go through VPC1, and separate TGW route table might be needed.
ALB is provision by ingress for the web applications in my EKS, I want web apps to be accessible only form our on-prem networks.
What I want to achieve is to reach applications in VPC 10.144 form my on-prem network, while I have only route to 10.159 (decided by network team). I use Route53 with public zone for the web apps. What would be the optimal solution? NAT Gateway EC2 instance in GatewayVPC is not an option. Picture is not ideal, I apologies foe that.
Note. I tired with VPC peering, create NLB in 10.159 and Target group type Application LB in VPC144, but those 2 can't see each other.
Relevant content
- Accepted Answerasked 7 months ago
- asked a year ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
Can you share some example with diagram somewhere? 2nd solution could be a solution in my case.
I've referenced the blogpost - https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/
Consumer VPC would be VPC1 in your case and Service provider VPC would be VPC2.
AWS PrivateLink concepts https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-share-your-services.html
I was going to suggest this approach too.
Should be disadvantages if I just add route to VPC2 in my VPN tunnel? What should be the best practice? Thank you for sharing documentation, but looks like we'll need couple of more services to make this work which also increase costs.
If you are using a Static (policy based) VPN, AWS limits the number of Networks (Security Associations) to a Single pair (One CIDR for On-premise and One CIDR for AWS network). So you need to configure your Customer gateway's (CGW) Encryption domain to allow a summarized CIDR for AWS network eg: 10.0.0.0/14 (which covers IPs 10.0.0.1 to 10.3.255.254) to pass through the VPN tunnel.
Refer - https://repost.aws/knowledge-center/vpn-connection-instability
If you are using a BGP based VPN, you can simply add 10.2.0.0/24 as another destination to use the VPN tunnel from Customer Gateway device.