
I have a hardware VPN tunnel configured through Amazon Web Services (AWS) to a subnet that contains private instances behind an Elastic Load Balancer. I would like instances at the other end of the tunnel to be able to access my private instances, through the load balancer, by referencing a public IP.

This is a requirement of a big corporate network, where they refuse to map private (e.g., 10.x.x.x, 172.16.x.x) addresses into their network. I have been told that the public IPs must be "NAT'ed" to the private IPs on our end. Would this be done using an Elastic IP and an AWS NAT Gateway somehow?

To give a specific example of what I am looking for, suppose that at the other end of the tunnel (corporate side), a client accesses the Elastic Load Balancer instance (e.g., elb-00000000.us-east-1.elb.amazonaws.com), which maps to a public IP. I want to include/map that public IP such that it is accessed through the secure VPN tunnel.

Alternative architecture suggestions are welcome, as long as they fulfil the requirement of accessing a load-balanced private instance through the VPN tunnel without routing the private address space into the remote corporate network.

Lemonseed
  • There is more than one reason why such a setup is going to be tricky with VPC -- I've run into the big corporate network types who insist (quite ridiculously) on burning public addresses for use inside a VPC... but a question here is: does your organization have a /28 or larger of non-AWS public addresses available that you could use for this purpose? (Strange question, but stick with me, and don't worry about the routing of that just yet. They could be used for other things so long as BigCorp doesn't ever need to access them in their usual place for any reason, ever.) – Michael - sqlbot Jul 06 '16 at 00:06
  • @Michael-sqlbot: No, our organization only has a handful of elastic IPs in a non-contiguous range; we have no dedicated public IPs otherwise allocated to us. – Lemonseed Jul 06 '16 at 16:05
