Can I route Internet traffic of EC2 server through AWS virtual private gateway and out from on-premise firewall (Gateway) ?

0

Hi guys,

I want to route my EC2 Internet traffic through VPN and out from on-premise firewall (FortiGate). My EC2 is in private subnet. There is no IGW. It's able to connect to my on-premise network via VPN and vice versa. However, EC2 is unable to reach the Internet.

My route table as below. 0.0.0.0/0 vgwxxxx 172.16.1.0/24 local

Security Group - ALL Allow ACL - ALL Allow

From my testing and troubleshooting. If I Ping to 8.8.8.8 from EC2, I can see ping (request/reply) traffic in VPN tunnel interface in the firewall. In EC2, I can only see ping request traffics, however no ping reply traffics are captured.

Note: deleted and recreated EC2, VPC, Subnet, VPN gateway, route table, reconfigure VPN setting in firewall. But, still the same result.

Is there any limitation in Virtual Private Gateway for Internet traffic ? Or is there any way to fix my issue ? Thank you.

已提问 2 年前626 查看次数
2 回答
0

This should technically work. See below from the FAQ, I suggest check the end-to-end forward and reverse routing:

https://aws.amazon.com/vpn/faqs/

Q: What are the VPN connectivity options for my VPC?

A: You may connect your VPC to your corporate data center using a Hardware VPN connection via the virtual private gateway.

Q: How do instances without public IP addresses access the Internet?

A: Instances without public IP addresses can access the Internet in one of two ways:

Instances without public IP addresses can route their traffic through a network address translation (NAT) gateway or a NAT instance to access the internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the internet to initiate a connection to the privately addressed instances.

For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

profile pictureAWS
专家
已回答 2 年前
  • Thanks for your comment and info. Yes. This should technically work.

0

Hi,

Considering you are seeing the ICMP/Ping request/reply pair in your VTI on your firewall, I would start by confirming that your VPC route for 172.16.1.0/24 does indeed route towards AWS over VPN to your Virtual Private Gateway. I would next check the NACL at the border of your VPC. If traffic is flowing outbound correctly, the NACL may need an entry for the return traffic. NACLs are stateless by nature so you must account for the return traffic, in this case the ICMP/Ping reply. Please let us know how it goes. Hope this helps!

AWS
已回答 2 年前
  • Thanks for your comment. Like I mentioned, NACL and Security Group are Allowed all traffic. I double checked NACL and recreated new NACL for testing. However, result is still the same. I also run Reachability Analyzer. Status is Reachable and state is Succeeded (both forward and reverse path). Is any other setting blocking the EC2 instance ? I created new instance and tested, too.

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则