
I have 2 AZs on my VPC. A public and a private subnet in each of them. Currently I have my application deployed on the private subnets and outbound traffic routed using a NAT Gateway on the public subnets of each AZ. The thing is that some vendors have to whitelist my application's IP. Currently I have 2 IPs, one for each NAT Gateway. Is there a way to use the same IP for both of them without losing AZ redundancy, so vendors only need to whitelist a single IP?

Bruno Lira

2 Answers


No, as each EIP can only be associated with a single network interface.

The following rules apply: An Elastic IP address can be associated with a single instance or network interface at a time.

See https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html

Rodrigo Murillo
  • Is there another way to achieve such a thing? I understood that an EIP can only be associated with one resource, but I wonder if AWS has any resource to do it: route the traffic of multiple NAT gateways to an AWS service that puts a single IP on the outbound traffic, regardless of where it's coming from – Bruno Lira Jan 24 '21 at 14:08
  • You could use a single NAT Gateway for both AZs, which would result in traffic coming from one IP address. However, this architecture is not fault-tolerant. You could configure an automated response to failure that will launch another NAT Gateway if an AZ fails, and switch across the public IP address, but that would involve quite a bit of work and it would result in an outage period if the AZ with the NAT Gateway fails. – John Rotenstein Jan 24 '21 at 23:05
  • IMHO it's just as easy for the vendor to whitelist two IPs vs one. Given the change management and admin overhead of their modification of security policies, pasting an extra IP into the firewall settings is trivial. – Rodrigo Murillo Jan 25 '21 at 01:53
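An added example, not from any of the posters here: a Python check that, from constructed (hypothetical) data shaped like `aws ec2 describe-nat-gateways` and `describe-route-tables` output, lists the egress IPs a vendor would need to whitelist and flags any AZ whose private subnet exits through a NAT Gateway in a different AZ, which is the redundancy that the single-NAT-Gateway option trades away for a single IP. The subnet IDs, NAT Gateway IDs and 203.0.113.x addresses are assumed sample values.

```python
# Egress allowlist and per-AZ NAT redundancy check over describe-nat-gateways /
# describe-route-tables style data. All IDs and IPs below are constructed samples.

DEFAULT_ROUTE = "0.0.0.0/0"

# Two AZs, one public/private subnet pair each (constructed).
SUBNET_AZ = {
    "subnet-pub-a": "us-east-1a", "subnet-priv-a": "us-east-1a",
    "subnet-pub-b": "us-east-1b", "subnet-priv-b": "us-east-1b",
}
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0a", "SubnetId": "subnet-pub-a", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-0b", "SubnetId": "subnet-pub-b", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.11"}]},
]
# Per-AZ routing: each private subnet uses the NAT Gateway in its own AZ.
PER_AZ_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0a"}]},
    {"Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0b"}]},
]
# Single-NAT routing (the trade-off from the comments): both AZs exit via nat-0a.
SINGLE_NAT_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0a"}]},
    {"Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0a"}]},
]

def egress_allowlist(nat_gateways, route_tables):
    """Public IPs of every NAT Gateway that some private subnet's default route uses."""
    used = {r["NatGatewayId"] for rt in route_tables for r in rt["Routes"]
            if r.get("DestinationCidrBlock") == DEFAULT_ROUTE and "NatGatewayId" in r}
    return sorted(addr["PublicIp"] for n in nat_gateways if n["NatGatewayId"] in used
                  for addr in n["NatGatewayAddresses"])

def az_redundancy(nat_gateways, route_tables, subnet_az):
    """Map each AZ to True when its private subnet exits through a NAT Gateway in the same AZ."""
    ngw_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]] for n in nat_gateways}
    verdict = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == DEFAULT_ROUTE
                        and "NatGatewayId" in r), None)
        for assoc in rt["Associations"]:
            az = subnet_az[assoc["SubnetId"]]
            # An AZ whose default route leaves via another AZ's NAT Gateway loses with that AZ.
            verdict[az] = default is not None and ngw_az.get(default["NatGatewayId"]) == az
    return verdict
```

Running both functions against the two route-table layouts shows the trade-off directly: the per-AZ layout yields two IPs to whitelist with every AZ marked redundant, while the single-NAT layout yields one IP but marks the second AZ as dependent on the first.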

The other thing you could do is something like this: https://aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-exit-point-from-multiple-vpcs-using-aws-transit-gateway/

Some vendors only allow you to whitelist a limited number of IPs, which can be really annoying to deal with.