
I'm trying to configure an AWS VPC with a public subnet and hardware VPN access, but I have a requirement that connections over the VPN must be able to connect to a particular EC2 instance using a public IP address, not the instance's private IP address.

I read in the VPC FAQ that it is not possible to connect to Elastic IP addresses over the VPN, but found another suggestion that involves the following steps:

  1. Reserve an Elastic IP (but don't attach it to an instance).
  2. Route / map requests to the public Elastic IP address to the instance's private IP.

Will this approach work? If so, how do I achieve the second step of mapping the public Elastic IP to the instance's private IP using the AWS console? For this configuration to work, are there any configuration changes that I need to make when setting up the hardware VPN as described in the Amazon guide that I've been using? Thanks in advance for any pointers.

Edit:

Just did a quick test, and I was able to create an Amazon VPN with static routing and specify an IP prefix in the form of a full IP address, such as 203.0.113.5/32. I'm hoping the fact that the management console didn't complain about the format is a positive sign. Any ideas how I might configure the routing table?

peatb
  • It sounds like the routing and NATting that would be done in the link you cited is done by the vendor's "VNS3" product, which would be running on its own instance and providing the IPsec tunnel instead of using a VPC hardware VPN. I don't see an obvious way to do this with just the capabilities built into VPC because you won't be able to set the encryption domain for the tunnel. – Michael - sqlbot Mar 10 '15 at 04:53
  • Yeah, I think you're right about the link - if possible I want to use just Amazon's infrastructure. About the encryption domain, when setting up the Amazon VPN I can specify static IP prefixes for routing, so I was hoping I could specify an unassigned Elastic IP (e.g. 203.0.113.5/32) and then somehow change the routing table in the VPC so that 203.0.113.5 is mapped to 10.0.0.5 or whatever the private IP is. I'm new to VPN configuration and have little networking experience, so maybe that's just not how it works! – peatb Mar 10 '15 at 13:42
  • I've edited my question to include my experiment with specifying a full IP address in the Amazon VPN's "static IP prefixes" field. – peatb Mar 10 '15 at 17:10
  • The entry in the [Amazon VPC FAQs](https://aws.amazon.com/vpc/faqs/) to which peatb refers is (I think) _**Q. Can I assign one or more Elastic IP (EIP) addresses to VPC-based Amazon EC2 instances?** Yes, however, the EIP addresses will only be reachable from the Internet (not over the VPN connection)._ – Tom Anderson Aug 17 '16 at 15:30
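The comment thread points out that the "map a public address to the private IP" step is address rewriting, which a self-managed IPsec gateway instance (the VNS3 model) can do but a VPC route table cannot: a route table entry only chooses a next hop, it never changes the destination address of a packet. The script below is an added example, not code from the question or from any comment, showing the Linux netfilter rules such a gateway instance would carry so that a host on the far side of the tunnel can send to 203.0.113.5 and land on the instance at 10.0.0.5. The addresses, the remote network 192.168.0.0/16, the interface name eth0 and the instance ID are assumptions for illustration; the IPsec tunnel itself (with 203.0.113.5/32 as the AWS-side traffic selector) is assumed to be set up separately by the gateway's own IPsec daemon.

```shell
#!/bin/sh
# Added example: DNAT/SNAT rules for a self-managed IPsec gateway instance
# in a VPC so that a remote host can reach an instance via a "public" address
# that is only routed into the tunnel and is never attached to an ENI.
# All addresses, the interface name and the instance ID below are assumed.
set -eu

# Emit (rather than run) the iptables rules for one public->private mapping,
# so the mapping can be reviewed and tested before it touches a live gateway.
#   $1 public address that remote peers use (e.g. 203.0.113.5)
#   $2 private address of the target instance (e.g. 10.0.0.5)
#   $3 interface the decrypted tunnel traffic arrives on / leaves by (eth0)
#   $4 remote network behind the tunnel (e.g. 192.168.0.0/16)
build_nat_rules() {
    public="$1"; private="$2"; iface="$3"; remote="$4"
    # Inbound from the tunnel: rewrite the destination to the instance.
    # conntrack un-translates the replies automatically.
    echo "iptables -t nat -A PREROUTING -i $iface -s $remote -d $public/32 -j DNAT --to-destination $private"
    # Connections the instance itself opens toward the remote side should
    # also appear to come from the public address, not from 10.0.0.5.
    echo "iptables -t nat -A POSTROUTING -o $iface -s $private/32 -d $remote -j SNAT --to-source $public"
    # Let the translated flows through the FORWARD chain in both directions.
    echo "iptables -A FORWARD -i $iface -s $remote -d $private/32 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -o $iface -s $private/32 -d $remote -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Emit the VPC-side changes the gateway needs (assumed IDs): the instance
# must be allowed to forward packets it is not the source or destination of,
# and the target subnet's route table must send return traffic for the
# remote network back to the gateway instance so it can be un-NATted.
build_vpc_commands() {
    gateway_instance="$1"; route_table="$2"; remote="$3"
    echo "aws ec2 modify-instance-attribute --instance-id $gateway_instance --no-source-dest-check"
    echo "aws ec2 create-route --route-table-id $route_table --destination-cidr-block $remote --instance-id $gateway_instance"
}

# Show the commands by default; with APPLY=1, enable forwarding and run the
# netfilter rules on this host (root required). The AWS CLI commands are
# always only printed, since they run from an operator workstation.
main() {
    public="${1:-203.0.113.5}"; private="${2:-10.0.0.5}"
    iface="${3:-eth0}"; remote="${4:-192.168.0.0/16}"
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl -w net.ipv4.ip_forward=1
        build_nat_rules "$public" "$private" "$iface" "$remote" | sh -e
    else
        build_nat_rules "$public" "$private" "$iface" "$remote"
    fi
    build_vpc_commands i-0123456789abcdef0 rtb-0123456789abcdef0 "$remote"
}

main "$@"
```

Two caveats for anyone reproducing this: the remote side of the tunnel must also route 203.0.113.5/32 into the tunnel and the tunnel's traffic selectors must include it (which is exactly the encryption-domain control the comment says a VPC hardware VPN does not give you), and none of this is needed or possible with the managed virtual private gateway, where the only routing available is the static prefix list and the VPC route table.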
