Routing between Windows EC2 RAS Server and S2S Tunnel on-prem

Question

Hello ,we've setup EC2 Windows server working as RAS which provides Always On VPN functionality to remote users and allots IP in range 10.0.0.0/24. This RAS server is domain joined to our AWS Managed Microsoft AD. The AWS VPC is 172.31.0.0/16 and our on-prem network is on subnet 192.168.2.0/24. We've also setup a S2S VPN tunnel between on-prem and AWS. We are able to ping AWS VPC resources from on-prem. From AWS VPC also we are able to ping on-prem devices and also RAS VPN clients. From RAS VPN clients we are able to ping AWS VPC resources. 
However we aren't able to ping on-prem IPs from RAS VPN Clients. neither can we ping RAS VPN clients from on-prem.

We've added routes in AWS VPC's route table. Our on-prem firewall also has routes and access rules enabled for RRAS IP range. The interface of the RAS EC2 also has the destination check disabled. Any thoughts on how to fix this?

Nihal · Answer

If you're using a Virtual Private Gateway for an S2S VPN connection, it can't determine how to route traffic to 10.0.0.0/24 (RRAS IP range) since it doesn't reference the subnet route table, as it's not part of any subnet.

However, with a Transit Gateway (TGW) VPN, you can add static routes to 10.0.0.0/24 in the route table associated with the subnet where TGW is connected to the VPC. Relying on a single EC2 instance for remote access VPN may impact resiliency. Consider more scalable options like AWS Client VPN. You can explore relevant architectures here:

[https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/](https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/)

Routing between Windows EC2 RAS Server and S2S Tunnel on-prem

Relevant content