Use Public NAT for VPN connection

0

Hi,

I'm following the answer on https://repost.aws/questions/QUXOVWxXXrTDquDf54D27yrQ/use-nat-gateway-behind-a-transit-gateway

I have created a public NAT IP accordingly, and added a route in my relevant subnets to access the client target subnet using the NAT gateway.

However, the traffic doesn't go through the VPN.

Basically:

  • We need to access subnet #2 from subnet #1, using "Public NAT IP Gateway".

My configuration goes as suggested: Subnet #1 with routing to subnet #2 via "Public NAT IP Gateway" -> Transit gateway -> Client subnet

However, it doesn't look like subnet #1 is actually reaching the client subnet, as my routing goes through a NAT Gateway instead of the Transit gateway.

Do I need to take extra steps to ensure AWS understands my traffic needs to go through the Transit gateway?

alx
Asked 7 months ago, 266 views
1 answer
0
Accepted answer

Hello Alx,

Referring to https://repost.aws/questions/QUXOVWxXXrTDquDf54D27yrQ/use-nat-gateway-behind-a-transit-gateway, I understand you can already reach from EU VPC to the Client Subnet via NAT Gateway IP (this would be the Private IP of the NAT Gateway in the /27 subnet, which the Client will see from their end. Public/Elastic IP is not used unless traffic goes through Internet Gateway, so I would like to correct the answer posted on the previous question).

Now coming to: APAC VPC -> APAC Transit gateway -- TGW Peering -- EU Transit Gateway -> EU VPC -> Route via NAT Gateway of the /27 subnet -> Transit gateway -> Client subnet

  1. Make sure APAC VPC subnets have Route: Client subnet --> APAC Transit Gateway
  2. On APAC Transit Gateway the APAC VPC attachment Route table: Client subnet --> EU Transit Gateway via TGW Peering
  3. On EU Transit Gateway Peering attachment Route table: Client subnet --> EU VPC attachment

Next, EU Transit Gateway would be sending traffic to 'associated' subnets of EU VPC. Traffic would be checked against the associated subnet's route table. The associated subnet should NOT be the /27 subnet, as this would mess up routing and skip the NAT Gateway. The associated subnet should be the other subnets in EU VPC, which already have the following Route: Client subnet --> NAT Gateway.

If the above is taken care of, you can reach from APAC VPC to Client Subnet. Make sure the routes are also in place for return traffic to reach the APAC VPC from the Client Subnet.

Feel free to ask any additional clarifying questions and we'd be happy to answer.

AWS
Expert
Answered 7 months ago
Expert
Reviewed 1 month ago
  • Thanks Karthikiran, I could test and it works perfectly!
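The routing path from the accepted answer, traced through a small in-memory route-table model. This is an added example, not code from the answer or from AWS; the CIDRs, table names and target names are constructed. It shows why the subnet associated with the EU VPC attachment must not be the /27 NAT subnet: with that association the packet reaches the client subnet but never passes the NAT Gateway.

```python
import ipaddress

# Constructed example: CIDRs and table names are illustrative, not taken from the question.
CLIENT = "10.200.0.0/24"           # the client's target subnet
TABLES = {  # route table name -> [(destination CIDR, target), ...]
    "apac-subnet-rt":      [("0.0.0.0/0", "igw"), (CLIENT, "apac-tgw")],  # answer step 1
    "apac-tgw-vpc-att-rt": [(CLIENT, "tgw-peering")],                      # answer step 2
    "eu-tgw-peering-rt":   [(CLIENT, "eu-vpc-attachment")],                # answer step 3
    "eu-app-subnet-rt":    [(CLIENT, "nat-gw")],   # the 'other' EU subnets: client -> NAT GW
    "eu-nat-subnet-rt":    [(CLIENT, "eu-tgw")],   # the /27 subnet hosting the NAT Gateway
    "eu-tgw-vpc-att-rt":   [(CLIENT, "client-attachment")],
}

def next_tables(associated_subnet_rt):
    """Route table consulted after each target; the EU TGW hands traffic to the attachment's associated subnet."""
    return {"apac-tgw": "apac-tgw-vpc-att-rt", "tgw-peering": "eu-tgw-peering-rt",
            "eu-vpc-attachment": associated_subnet_rt,
            "nat-gw": "eu-nat-subnet-rt",          # NAT GW forwards per its own subnet's table
            "eu-tgw": "eu-tgw-vpc-att-rt"}

def lookup(routes, dst):
    """Longest-prefix match; returns the target or None when no route matches."""
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(dst, start_table, hops, max_hops=10):
    """Walk the tables from start_table; a target absent from `hops` is terminal (delivered)."""
    dst, path, table = ipaddress.ip_address(dst), [], start_table
    for _ in range(max_hops):
        target = lookup(TABLES[table], dst)
        if target is None:
            return path + ["BLACKHOLE"]
        path.append(target)
        if target not in hops:
            return path
        table = hops[target]
    return path + ["LOOP"]

def reaches_client_via_nat(associated_subnet_rt):
    """True only if an APAC host reaches the client subnet AND the path passes the NAT Gateway."""
    path = trace("10.200.0.5", "apac-subnet-rt", next_tables(associated_subnet_rt))
    return "nat-gw" in path and path[-1] == "client-attachment", path

if __name__ == "__main__":
    for assoc in ("eu-app-subnet-rt", "eu-nat-subnet-rt"):
        print(assoc, reaches_client_via_nat(assoc))
```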
