Login/Register
AWS Client VPN with a Fixed IP
Asked Answered
Solved amazon-web-servicesvpnamazon-vpcaws-vpn
L

2

5

In order to give our Developers access to IP Restricted internal and partner applications i'm setting up AWS Client VPN. I've manage to get everything running even with Internet access. As expected the Public IP is changing.

I've created an NAT Gateway, assigned an Elastic IP and changed the route of the Subnet to use the NAT Gateway instead of the Internet Gateway to reach the internet (0.0.0.0/0).

The problem now is, that clients can't reach the internet at all once connected to the VPN. What part am i missing to get internet access working again and using the NAT Gateway with the static ip?

The Setup is absolutely basic. 1 new VPC, 1 Subnet, 1 Client VPN Endpoint, 1 Security Group.

Lanilaniard answered 16/10, 2020 at 9:47 Comment(0)
M
6

Your setup is very common and there's probably just a simple mistake. The pattern you are following is the private/public subnet, even though these terms are not used that much in AWS.

When you have a subnet that is configured to use a NAT Gateway (as the 0.0.0.0/0 route on the route table), that subnet can be referred as a "private subnet", as there will be no direct access from Internet to it.

But the NAT Gateway itself needs to be placed on a "public subnet", i.e. needs to be in a subnet where the default route 0.0.0.0/0 goes to an Internet Gateway. (Not in the scope of your question, but that's the same common mistake done with Load Balancers. If you have a LB that should serve users in the internet, even if your servers are in a private subnet, the LB needs to be deployed to a public subnet).

So to summarize:

| Subnet # | Type    | Default Route (route table)   | What to place here? |
|----------|---------|-------------------------------|---------------------|
| 1        | Public  | 0.0.0.0/0 -> Internet Gateway | NAT Gateway         |
| 2        | Private | 0.0.0.0/0 -> NAT Gateway      | Users' applications |
Macaluso answered 26/10, 2020 at 3:14 Comment(1)
perfect! That solved the issue! Thank you very much.Lanilaniard
C
1

You need to have a route from your NAT Gateway to your Internet Gateway, otherwise whoever is routing traffic to the NAT Gateway is not really reaching the Internet.

Please, have a look at the pattern at https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html#VPC_Scenario2_Routing for accessing the Internet.

Camfort answered 25/10, 2020 at 23:42 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.