Showing posts from 2016

AWS One-Off Series: Enabling NAT in AWS VPN

The ask seems innocent enough: Can I tunnel publicly routable IP addresses through a VPN to my AWS environment? The answer however, isn't.

Throughout many years of configuring IPsec tunnel overlays for customers, B2B partners every now and then will sneak in the seemingly insurmountable restriction that no RFC 1918 (i.e. private IP subnet) space is allowed through the tunnel. In the past, using the traditional network engineering technique of terminating the VPN on a physically owned router or firewall, this is solved easily enough by adding a simple NAT configuration and using either the publicly routable IP address of the device itself or a separate PI prefix. Problem solved.
However, this little requirement presents quite a problem for AWS users, who ask: How do I connect my IPsec VPN to a partner/provider who says I cannot tunnel RFC 1918/internal IP space to them? The short answer is, when using the AWS VPC VPN, you can't. However, using a third-party virtual router/firewall…