I have configured a vpc to communicate with an on-prem private network as outlined here I am able to ping servers in my on-prem network through the virtual gateway. I have two private subnets and my route table associated with each of those subnets is configured as below:
10.255.254.0/23 local
0.0.0.0/0 vgw-xxxxxxx
My expectation is that all of my traffic, internet or otherwise is being communicated over the vgw to the cgw and then be subject to our on-premise firewall policies. In fact the article linked above specifically says that is the case:
The instances in the VPN-only subnet can't reach the Internet directly; any Internet-bound traffic must first traverse the virtual private gateway to your network, where the traffic is then subject to your firewall and corporate security policies.
When running a server on one of the private subnets the output from traceroute looks like this:
My traceroute to www.google.com looks like this:
as you can see from above traffic to www.google.com is just dying on the first hop.
I know that this can be achieved by adding a NAT to the public subnet, but I would prefer that all traffic flow through the on prem network instead.
What piece am I missing to make this work?
