使用AWS re:Post即您表示您同意 AWS re:Post 使用条款

From hospital isolated networks through IPsec VPN AWS, EC2 instance then a specific site which use Cognito

0

Hi support,

Appreciate your help.

Summary: We want to access "example.com" from PCs, subnets in a hospital network that does not have a direct gateway to the internet through an AWS environment that has internet access via a VPN. Hospital PCs need to access a specific site, lets say "example.com", which is using Cognito. VPN connection is established. Can ping bidirectionally.

Details: Rough nw diagram Hospital PC ++++++ L3Device +++++++ VPN device and FW ++++++ cloud +++++++ AWS VPN endpoint VPC +++++++ EC2 instance ++++++++ internet

Hospital PC has default gw to L3 device. L3 device to the VPN device and fw. VPN device has static routes to the private addresses in AWS side. VPN connection is established. Can ping bidirectionally from PC to EC2 instance.

Hospital PCs need to access a specific site, lets say "example.com",which is using Cognito. Traffic needs to go through the VPN, then EC2 instance and to the internet.

What we did: 1 Configured nginx in the EC2 instance. Hosts file in the hospital PCs pointing to the EC2 instance web server. But does not work as expected from the hospital PCs. Certificate issues with Cognito and nginx errors.

2 Configured RDP server in the EC2 instance. Established RDP connection from the hospital PCs. Using Chrome browser to ignore certificate errors. But the RDP connection has some limitations operationally.

What we want to do

1 Configure the EC2 instance as a router and NAT device. default route to the EC2 instance though VPN.

2 VPC peering between hospital VPC and example.com VPC.

What will be other architecture alternatives? Can you please help?

Thank you!

2 回答
1
已接受的回答

The short answer is that this won't work as designed because of the way VPC routing works - it is non-transitive so you can't have traffic coming from a VPN connection going to the internet (even if it is being sent through the Nginx instance). It looks like it should work but it won't.

You can make it work in two different ways:

  • Use a Transit Gateway: Connect the VPN and VPC to the Transit Gateway. Transit Gateway is designed to behave like a router so things will "just work". However, there is extra cost there.
  • Explicit proxy: Configure Nginx as a proxy (I'm not sure if you can do this or not; if not, using something like Squid); set up the instance as an explicit proxy on the hospital PC. You haven't mentioned but my assumption that this is web traffic so this will work fine. You can also put block-lists on the proxy if you need to; and the explicit proxy configuration will mean that only traffic for example.com will go to the proxy. This method also means you don't need a default route anywhere except in the VPC.
profile pictureAWS
专家
已回答 3 个月前
profile picture
专家
已审核 3 个月前
profile picture
专家
已审核 3 个月前
  • Hello.

    Cognito cannot use VPC endpoints as of August 2024, so you must use the public internet for communication from your PC to your Cognito user pool. In other words, if there is no direct communication path from the network where the hospital PC is located to the public internet, you will need to route it to AWS and then use something like NAT Gateway to be able to communicate with the Cognito user pool. I hope that the explanations provided in the following documents will be helpful. https://repost.aws/knowledge-center/site-to-site-vpn-access-internet
    Although it is simple, the structure is as follows. If you use TransitGateway, the configuration will be as follows.
    a

0

Appreciate your help.

Will test and update here with the status. Yes, it is web traffic.

Thank you!

已回答 3 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则