TechQA.

AWS Client VPN with a Fixed IP

6.9k views Asked by At

In order to give our Developers access to IP Restricted internal and partner applications i'm setting up AWS Client VPN. I've manage to get everything running even with Internet access. As expected the Public IP is changing.

I've created an NAT Gateway, assigned an Elastic IP and changed the route of the Subnet to use the NAT Gateway instead of the Internet Gateway to reach the internet (0.0.0.0/0).

The problem now is, that clients can't reach the internet at all once connected to the VPN. What part am i missing to get internet access working again and using the NAT Gateway with the static ip?

The Setup is absolutely basic. 1 new VPC, 1 Subnet, 1 Client VPN Endpoint, 1 Security Group.

amazon-web-services vpn amazon-vpc aws-vpn
Original Q&A
2

There are 2 answers

1
tyron On BEST ANSWER

Your setup is very common and there's probably just a simple mistake. The pattern you are following is the private/public subnet, even though these terms are not used that much in AWS.

When you have a subnet that is configured to use a NAT Gateway (as the 0.0.0.0/0 route on the route table), that subnet can be referred as a "private subnet", as there will be no direct access from Internet to it.

But the NAT Gateway itself needs to be placed on a "public subnet", i.e. needs to be in a subnet where the default route 0.0.0.0/0 goes to an Internet Gateway. (Not in the scope of your question, but that's the same common mistake done with Load Balancers. If you have a LB that should serve users in the internet, even if your servers are in a private subnet, the LB needs to be deployed to a public subnet).

So to summarize:

| Subnet # | Type    | Default Route (route table)   | What to place here? |
|----------|---------|-------------------------------|---------------------|
| 1        | Public  | 0.0.0.0/0 -> Internet Gateway | NAT Gateway         |
| 2        | Private | 0.0.0.0/0 -> NAT Gateway      | Users' applications |
0
Oscar De León On

You need to have a route from your NAT Gateway to your Internet Gateway, otherwise whoever is routing traffic to the NAT Gateway is not really reaching the Internet.

Please, have a look at the pattern at https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html#VPC_Scenario2_Routing for accessing the Internet.

Related Questions in AMAZON-WEB-SERVICES

Related Questions in VPN

Related Questions in AMAZON-VPC

Related Questions in AWS-VPN

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions