
From hospital isolated networks through IPsec VPN to AWS, EC2 instance, then a specific site which uses Cognito

0

Hi support,

Appreciate your help.

Summary: We want to access "example.com" from PCs, subnets in a hospital network that does not have a direct gateway to the internet through an AWS environment that has internet access via a VPN. Hospital PCs need to access a specific site, let's say "example.com", which is using Cognito. VPN connection is established. Can ping bidirectionally.

Details: Rough network diagram:

Hospital PC ++++++ L3 Device +++++++ VPN device and FW ++++++ cloud +++++++ AWS VPN endpoint VPC +++++++ EC2 instance ++++++++ internet

Hospital PC has default gw to L3 device. L3 device to the VPN device and fw. VPN device has static routes to the private addresses in AWS side. VPN connection is established. Can ping bidirectionally from PC to EC2 instance.

Hospital PCs need to access a specific site, let's say "example.com", which is using Cognito. Traffic needs to go through the VPN, then the EC2 instance and to the internet.

What we did:

1. Configured nginx in the EC2 instance. Hosts file in the hospital PCs pointing to the EC2 instance web server. But it does not work as expected from the hospital PCs: certificate issues with Cognito and nginx errors.

2. Configured an RDP server in the EC2 instance. Established an RDP connection from the hospital PCs, using the Chrome browser to ignore certificate errors. But the RDP connection has some limitations operationally.

What we want to do:

1. Configure the EC2 instance as a router and NAT device, with the default route to the EC2 instance through the VPN.

2. VPC peering between the hospital VPC and the example.com VPC.

What will be other architecture alternatives? Can you please help?

Thank you!

Asked 3 months ago, viewed 128 times
2 answers
1
Accepted answer

The short answer is that this won't work as designed because of the way VPC routing works - it is non-transitive so you can't have traffic coming from a VPN connection going to the internet (even if it is being sent through the Nginx instance). It looks like it should work but it won't.

You can make it work in two different ways:

  • Use a Transit Gateway: Connect the VPN and VPC to the Transit Gateway. Transit Gateway is designed to behave like a router so things will "just work". However, there is extra cost there.
  • Explicit proxy: Configure Nginx as a proxy (I'm not sure if you can do this or not; if not, use something like Squid); set up the instance as an explicit proxy on the hospital PC. You haven't mentioned it, but my assumption is that this is web traffic, so this will work fine. You can also put block-lists on the proxy if you need to; and the explicit proxy configuration will mean that only traffic for example.com will go to the proxy. This method also means you don't need a default route anywhere except in the VPC.
AWS Expert, answered 3 months ago
Expert, reviewed 3 months ago
Expert, reviewed 3 months ago
  • Hello.

    Cognito cannot use VPC endpoints as of August 2024, so you must use the public internet for communication from your PC to your Cognito user pool. In other words, if there is no direct communication path from the network where the hospital PC is located to the public internet, you will need to route it to AWS and then use something like NAT Gateway to be able to communicate with the Cognito user pool. I hope that the explanations provided in the following documents will be helpful. https://repost.aws/knowledge-center/site-to-site-vpn-access-internet
    Although it is simple, the structure is as follows. If you use TransitGateway, the configuration will be as follows.
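The accepted answer's explicit-proxy option relies on the hospital PCs sending only traffic for example.com (and whatever Cognito endpoints the site uses) to the proxy on the EC2 instance, with everything else left DIRECT. A proxy auto-configuration (PAC) script is the usual way to express that on a Windows or browser client. The script below is an added example, not code from the original thread or from AWS. It assumes the proxy listens on 10.0.1.10:3128 and that the site needs the Cognito hosted UI (`*.amazoncognito.com`) and the `cognito-idp` / `cognito-identity` regional API hostnames; both the address and the hostname list are assumptions to replace with the real deployment's values.

```javascript
// Proxy auto-configuration (PAC) script. Added example, not code from the
// original post or from AWS: it illustrates the accepted answer's "explicit
// proxy" option, where only traffic for the target site goes to the proxy on
// the EC2 instance and everything else stays DIRECT on the hospital network.
//
// Assumptions (not stated in the thread): the proxy (Squid or Nginx) listens
// on 10.0.1.10:3128, and "example.com" also needs the Cognito hostnames
// listed below. Replace both with the real values.
var PROXY_ADDRESS = "10.0.1.10:3128";

// Hostname patterns allowed through the proxy. "*" matches any characters,
// like the standard PAC helper shExpMatch(); every pattern is anchored to the
// whole hostname, so "*.example.com" does not match "example.com.evil.test".
var PROXIED_HOST_PATTERNS = [
  "example.com",
  "*.example.com",
  "*.amazoncognito.com",             // Cognito hosted UI / OAuth2 endpoints
  "cognito-idp.*.amazonaws.com",     // Cognito user pool API
  "cognito-identity.*.amazonaws.com" // Cognito identity pool API
];

// Written with ES3-era constructs only (no String.prototype.endsWith, no
// Array.prototype.some), because Windows PAC engines run an old JScript
// dialect. Builds an anchored, case-insensitive RegExp from a glob pattern.
function hostMatchesPattern(host, pattern) {
  var escaped = "";
  for (var i = 0; i < pattern.length; i++) {
    var c = pattern.charAt(i);
    if (c === "*") {
      escaped += ".*";
    } else if ("\\^$.|?+()[]{}".indexOf(c) !== -1) {
      escaped += "\\" + c; // escape regex metacharacters such as "."
    } else {
      escaped += c;
    }
  }
  return new RegExp("^" + escaped + "$", "i").test(host);
}

function isProxiedHost(host) {
  for (var i = 0; i < PROXIED_HOST_PATTERNS.length; i++) {
    if (hostMatchesPattern(host, PROXIED_HOST_PATTERNS[i])) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point: the browser calls this for every request and
// expects "PROXY host:port" or "DIRECT" back.
function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // Only web traffic goes through the proxy; other schemes (e.g. ftp) stay
  // on the local network, where they simply fail if they need the internet.
  if (scheme !== "http" && scheme !== "https") {
    return "DIRECT";
  }
  if (isProxiedHost(host)) {
    return "PROXY " + PROXY_ADDRESS;
  }
  return "DIRECT";
}
```

On Windows the script is published from an internal web server and pointed to under "Use setup script" in the proxy settings (or by Group Policy). The PAC file is advisory on the client side, so the proxy itself should enforce the same destination list with its own ACLs (the block-lists the answer mentions), and its security group should accept connections only from the hospital's VPN-side address ranges.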

0

Appreciate your help.

Will test and update here with the status. Yes, it is web traffic.

Thank you!

Answered 3 months ago
