In order to give our developers access to IP-restricted internal and partner applications, I'm setting up AWS Client VPN. I've managed to get everything running, even with Internet access. As expected, the public IP is changing.
I've created a NAT Gateway, assigned an Elastic IP and changed the route of the subnet to use the NAT Gateway instead of the Internet Gateway to reach the internet (0.0.0.0/0).
The problem now is that clients can't reach the internet at all once connected to the VPN. What part am I missing to get internet access working again while using the NAT Gateway with the static IP?
The Setup is absolutely basic. 1 new VPC, 1 Subnet, 1 Client VPN Endpoint, 1 Security Group.
Your setup is very common and there's probably just a simple mistake. The pattern you are following is the private/public subnet, even though these terms are not used that much in AWS.
When you have a subnet that is configured to use a NAT Gateway (as the 0.0.0.0/0 route on the route table), that subnet can be referred to as a "private subnet", as there will be no direct access from the Internet to it. But the NAT Gateway itself needs to be placed in a "public subnet", i.e. it needs to be in a subnet where the default route 0.0.0.0/0 goes to an Internet Gateway.

(Not in the scope of your question, but the same common mistake is made with Load Balancers. If you have a LB that should serve users on the internet, even if your servers are in a private subnet, the LB needs to be deployed in a public subnet.)

So to summarize: