To establish a site-to-site VPN connection from your on-premises network to AWS servers while avoiding IP conflicts, you can implement a one-to-one NAT (Network Address Translation) mapping in AWS. Here's a step-by-step guide to achieve this:

- Set up the AWS Site-to-Site VPN:
  - Create a Customer Gateway in AWS, using the public IP address of your on-premises VPN device.
  - Create a Virtual Private Gateway and attach it to your VPC.
  - Create a VPN Connection, specifying the Customer Gateway and Virtual Private Gateway.
- Configure NAT in AWS:
  - Create a NAT Gateway or NAT instance in your VPC.
  - Configure route tables to direct traffic from your VPN connection through the NAT Gateway/instance.
- Set up one-to-one NAT mapping:
  - Use AWS Network Address Translation (NAT) to map the 10.10.0.0/16 range to 172.17.0.0/16.
  - Configure your on-premises firewall to translate addresses in the 172.17.0.0/16 range to the corresponding addresses in the 10.10.0.0/16 range when sending traffic to AWS.
- Update routing:
  - In your AWS VPC route table, add a route for 172.17.0.0/16 pointing to the Virtual Private Gateway.
  - On your on-premises network, add a route for 172.17.0.0/16 pointing to your VPN device.
- Configure security groups:
  - Update the security groups for your AWS resources to allow traffic from the 172.17.0.0/16 range.
- Test the connection:
  - Verify connectivity between your on-premises network (192.168.1.0/24) and the AWS servers using the 172.17.0.0/16 range.

Remember to adjust your firewall rules and NAT configurations on both ends to ensure proper translation and routing of traffic. Also, make sure to test thoroughly to confirm that the one-to-one mapping is working correctly and there are no conflicts with the existing IP ranges.

Sources:
- Configure an AWS site-to-site VPN | AWS re:Post
- Get started with AWS Site-to-Site VPN - AWS Site-to-Site VPN
- VPN Setup - AMS Advanced Onboarding Guide
- VPN setup - AMS Advanced Onboarding Guide
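The one-to-one mapping the answer describes, worked through as an added example that is not part of the answer or of any AWS tooling: it translates addresses between the real AWS range (10.10.0.0/16) and the range presented to on-premises hosts (172.17.0.0/16) by preserving the host offset, rewrites one end of a flow in each direction the way a translating device would, and checks which candidate range would collide with the on-premises prefixes. All addresses are constructed, and the assumption that on-premises also uses 10.10.0.0/16 is what reproduces the overlap the thread wants to avoid.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed values from the thread: AWS servers really live in 10.10.0.0/16,
# on-premises hosts reach them through 172.17.0.0/16, and the on-premises LAN
# is 192.168.1.0/24. The second on-premises prefix is an assumption that
# recreates the address conflict the one-to-one NAT is meant to avoid.
AWS_REAL = IPv4Network("10.10.0.0/16")
AWS_NAT = IPv4Network("172.17.0.0/16")
ON_PREM = [IPv4Network("192.168.1.0/24"), IPv4Network("10.10.0.0/16")]


def one_to_one(addr, src, dst):
    """Map addr from src to dst by preserving the host offset (1:1 NAT)."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT requires equal-sized ranges")
    addr = IPv4Address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is outside {src}")
    offset = int(addr) - int(src.network_address)
    return IPv4Address(int(dst.network_address) + offset)


def to_nat(addr):
    """Real AWS address -> address on-premises hosts use (10.10.x.y -> 172.17.x.y)."""
    return str(one_to_one(addr, AWS_REAL, AWS_NAT))


def to_real(addr):
    """Translated address -> real AWS address (172.17.x.y -> 10.10.x.y)."""
    return str(one_to_one(addr, AWS_NAT, AWS_REAL))


def translate_flow(direction, src, dst):
    """Rewrite one end of a (src, dst) pair as the translating device would.

    'to_aws'   : on-prem -> AWS, a 172.17/16 destination becomes 10.10/16.
    'from_aws' : AWS -> on-prem, a 10.10/16 source becomes 172.17/16.
    Addresses outside the mapped ranges pass through unchanged.
    """
    if direction == "to_aws" and IPv4Address(dst) in AWS_NAT:
        return src, to_real(dst)
    if direction == "from_aws" and IPv4Address(src) in AWS_REAL:
        return to_nat(src), dst
    return src, dst


def overlapping(candidate, networks):
    """Return the networks that overlap the candidate range (empty means safe)."""
    candidate = IPv4Network(candidate)
    return [str(n) for n in networks if n.overlaps(candidate)]
```

Run `overlapping` against the real range and the translated range to see why only the translated range can be routed to on-premises without ambiguity.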
There is a nice article here explaining how to do it.
Not answering the question, but I would not do this (1:1 NAT). While it will work, in the long run it is more expensive and it will most probably lead to "interesting" (and that's not good interesting) consequences with edge cases where protocols don't play nicely with NAT. Plus you'll have to deal with DNS as well; the NAT solution might do that for you, but it might not.
Although it's difficult, renumber the network at the AWS end. That's hard work but it is worth it in the end.
I'm new to AWS and didn’t fully understand. Could you please explain with more details, similar to how it's configured in AWS?
Thanks