connection continuity from on-prem to vPC at extra hop

0

Hi All,

Would like to know what's the concept behind this:

My network topology: source machine behind a reverse proxy (NGINX) located on-prem, using a customer gateway doing an IPSec VPN tunnel to reach either (a) a virtual private gateway or (b) a transit gateway at AWS vPC-A

Then from vPC-A it will use AWS PrivateLink to reach the target EC2 at vPC-B

Question: first part, the traffic from on-prem to reach vPC-A; once the VPN terminates at either (a) the virtual private gateway or (b) the transit gateway, what action is needed to ensure the traffic from vPC-A is able to reach vPC-B using PrivateLink?

What needs to be configured on AWS?

Thanks

Noel

asked 10 months ago, 235 views
4 Answers
0

Yo Gary,

Thanks for the reply. Basically I am new to AWS.

There's no issue from on-prem to vPC-A; from your statement, just a route statement between vPC-A and vPC-B will do, am I correct?

Thanks

Noel

answered 10 months ago
  • No routing between a and b needed if using private link.

    Is that setup in your question your actual requirement?

  • There are a few solutions depending on your requirements.

    1. Do you want to route traffic From VPC-A to VPC-B?
    2. Do you want to use private link from VPC-A to VPC-B?
    3. Do you want to Peer VPC-a and VPC-b to the Private Gateway where the VPN terminates so you can access BOTH VPC's via VPN?
0

Or maybe I re-organize, using a transit gateway then:

  1. attach the IPSec VPN to vPC-a's Transit Gateway,

Question: how can vPC-a carry the VPN from the endpoint to reach vPC-b? I want to ensure the traffic is not splitting.

Thanks

answered 10 months ago
0

You need to ensure you have routes for the subnet where the PrivateLink endpoint is set up within VPC-A.

Additionally, routes in VPC-A to route to on-prem via the VPG, and routes on-prem to route to VPC-A via the VPN. The same applies for the transit gateway: the routes need to exist.

The subnets in VPC-A and the security group where the endpoint is set up need to allow the on-prem source addresses / network CIDR.

Have you thought about just connecting your VPGW to VPC-B, or do you want to keep this environment isolated? Using PrivateLink allows isolation and lets you limit/control access via an NLB with PrivateLink. There's no need to have routing set up from VPC-B in your setup to VPC-A or on-prem.

EXPERT
answered 10 months ago
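The answer above lists three prerequisites that are easy to get wrong and hard to eyeball across route tables and security groups: a return route in the VPC-A endpoint subnet toward the VGW/TGW, a forward route on-prem into the VPN, and an endpoint security group that admits the on-prem CIDR on the service port. The following script is an added example, not code from the answerer or from AWS; it models those three checks offline against a constructed snapshot (all CIDRs, gateway ids and rules are made up) and shows a misconfigured setup next to a corrected one. Note that, as the answer says, nothing in VPC-B is checked, because PrivateLink needs no routes there.

```python
"""Offline check of the PrivateLink-over-VPN prerequisites from the answer above.

Constructed data: every CIDR, route target and security-group rule below is
invented for illustration. In a real account you would fill these from
`aws ec2 describe-route-tables` / `describe-security-groups` output.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not from the thread).
ON_PREM_CIDR = ipaddress.ip_network("10.50.0.0/16")       # on-prem network behind the CGW
VPC_A_CIDR = ipaddress.ip_network("10.10.0.0/16")         # transit VPC where the VPN lands
ENDPOINT_SUBNET = ipaddress.ip_network("10.10.1.0/24")    # subnet holding the interface endpoint
SERVICE_PORT = 443                                        # port exposed by the NLB behind PrivateLink


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    target: str  # "local", "vgw-<id>", "tgw-<id>", "vpn-tunnel", "internet" ...


@dataclass
class SgRule:
    cidr: ipaddress.IPv4Network
    from_port: int
    to_port: int


def longest_match(routes, address):
    """Return the target of the most specific route covering `address`, or None."""
    best = None
    for r in routes:
        if address in r.destination and (
            best is None or r.destination.prefixlen > best.destination.prefixlen
        ):
            best = r
    return best.target if best else None


def check_path(vpc_a_routes, on_prem_routes, endpoint_sg, gateway_prefixes=("vgw-", "tgw-")):
    """Evaluate the three conditions from the answer and return them as a dict."""
    on_prem_host = next(ON_PREM_CIDR.hosts())
    endpoint_host = next(ENDPOINT_SUBNET.hosts())

    # 1. Endpoint subnet's route table sends on-prem destinations back to the VGW or TGW.
    return_target = longest_match(vpc_a_routes, on_prem_host)
    return_route_ok = return_target is not None and return_target.startswith(gateway_prefixes)

    # 2. On-prem router sends the endpoint subnet (inside VPC-A's CIDR) into the VPN tunnel.
    forward_target = longest_match(on_prem_routes, endpoint_host)
    forward_route_ok = forward_target == "vpn-tunnel"

    # 3. The endpoint's security group admits the on-prem CIDR on the service port.
    sg_ok = any(
        ON_PREM_CIDR.subnet_of(rule.cidr) and rule.from_port <= SERVICE_PORT <= rule.to_port
        for rule in endpoint_sg
    )

    return {
        "vpc_a_return_route": return_route_ok,
        "on_prem_forward_route": forward_route_ok,
        "endpoint_sg_allows_on_prem": sg_ok,
        "ok": return_route_ok and forward_route_ok and sg_ok,
    }


def weak_config():
    """Typical first attempt: VPN is up, but nothing points the endpoint path at it."""
    vpc_a_routes = [Route(VPC_A_CIDR, "local")]                      # no route back to on-prem
    on_prem_routes = [Route(ipaddress.ip_network("0.0.0.0/0"), "internet")]  # VPC-A not in tunnel
    endpoint_sg = [SgRule(VPC_A_CIDR, 443, 443)]                     # only VPC-A itself allowed
    return check_path(vpc_a_routes, on_prem_routes, endpoint_sg)


def fixed_config():
    """Corrected setup matching the answer (gateway id is a constructed placeholder)."""
    vpc_a_routes = [Route(VPC_A_CIDR, "local"), Route(ON_PREM_CIDR, "vgw-EXAMPLE")]
    on_prem_routes = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "internet"),
        Route(VPC_A_CIDR, "vpn-tunnel"),
    ]
    endpoint_sg = [SgRule(ON_PREM_CIDR, 443, 443)]
    return check_path(vpc_a_routes, on_prem_routes, endpoint_sg)


if __name__ == "__main__":
    for name, result in (("weak", weak_config()), ("fixed", fixed_config())):
        print(name, result)
```

Swap `"vgw-EXAMPLE"` for a `"tgw-..."` target to model the transit-gateway variant from the question; the check is the same because, as the answer notes, the route simply has to exist in both directions. The security-group check deliberately requires the whole on-prem CIDR to be covered by one rule, which catches the common mistake of allowing only the VPC-A CIDR on the endpoint.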
0

hi

unfortunately, vPC-b only allows traffic from AWS/public cloud.

That's why vPC-A exists, for transit purposes.

But what I don't understand is: if I terminate the VPN at vPC-a, how do I route from here to vPC-b? How do I relay the traffic from vPC-a to vPC-b then?

Noel

answered 10 months ago
