Is it possible to modify this solution so that a spoke VPC connects to the TGW hub over VPN, and that spoke VPC's internet access is centralized as a full tunnel?

https://aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-exit-point-from-multiple-vpcs-using-aws-transit-gateway/

Perhaps route 0/0 on the spoke to strongSwan, then have an edge association on the hub's IGW to route 0/0 to the TGW?

https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/

If not, can I build a solution using my own NAT instance or web proxies? I need internet access at the VPC level, please, because of a VM provisioning service outside my control.

  • Why do you need a VPC to connect with VPN rather than with a TGW attachment? That would probably be simplest. In general though, yes, you can connect a VPN to TGW and terminate it wherever you like.
    – Tim
    Commented Jan 2 at 5:35
  • The VPC simulates an on-prem network and I can't attach. Commented Jan 2 at 13:44
  • You would probably get more useful help if you gave a better, fuller, more accurate description of your scenario. For example, why can't you attach the other VPC? Is it because it must be as similar to an on-prem network as possible, or some other reason? If so, you need to specify other restrictions. For example, does it need a particular appliance terminating a VPN?
    – Tim
    Commented Jan 2 at 18:25
  • Yes please, as similar to an on-prem network as possible. No 0/0 security group rules are allowed there, but internet access is required. So /32 VPN tunnels take the place of the 0/0 on the SG. Commented Jan 3 at 0:40
  • If you want your isolated VPC to have internet access you will have to route 0.0.0.0/0 through the VPN.
    – Tim
    Commented Jan 3 at 2:56

1 Answer

I would use a VPN attached to the transit gateway, terminated on a VGW or virtual appliance in the spoke VPC. In the spoke VPC route 0.0.0.0/0 over the VPN to achieve your centralized internet access.

  • I have strongSwan on my spoke and tunnels up through the TGW. I can ping across the VPN to different instances on my hub, but on the spoke I can't ping out to the internet. I read that IGWs do that; they're just for the internal VPC and can't be shared over a VPN. I tried configuring VPC Ingress Routing to send to an Ubuntu instance with IP traffic forwarding, with no luck. Do you think I will have success NATing with iptables, or running a web proxy? Commented Jan 3 at 0:47
  • AWS networking is not transitive, but TGW makes things simpler. Once your VPN is connected to your TGW you should be able to route to a shared internet egress, but you may need something like the link to the shared egress you have above.
    – Tim
    Commented Jan 3 at 2:55
  • I have all SGs open, and routes on all my route tables pointing 8.8.8.8/32 to an instance. I get nothing from tcpdump on that instance when running ping from a VPN attached to the TGW with tunnels up. Flow logs show typical VPN tunnel traffic on the attachment ENI, which is in a private subnet in the same VPC as the instance running tcpdump. Commented Jan 3 at 17:37
  • OK, I have ping from behind my VPN. I had to manually add a route on my strongSwan router, right in the Linux shell: "ip route add 8.8.8.8/32 via xxx.xxx dev vti2 proto zebra metric 100". I found out by comparing two tcpdumps on the strongSwan instance, one for all ICMP, the other for tunnel traffic on UDP 500 and 4500. Do you have any suggestions for the default route, so all internet goes through the tunnel, but I can still connect via SSH or AWS Systems Manager? Commented Jan 3 at 21:10
  • I don't know anything about strongSwan, I use AWS services / features. If you want your VPC to have internet access you must route 0.0.0.0/0 up the VPN. I probably can't help further with this; if you want more help you'll need to do it a more standard way, using AWS VPN features.
    – Tim
    Commented Jan 3 at 21:19
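The full-tunnel setup the answer and the comment thread converge on, as an added example that is not part of the original question, answer or comments: a POSIX shell script for the strongSwan router in the spoke VPC that prints (or, with the argument `apply`, runs) the Linux route and policy-rule changes needed to send forwarded traffic over the TGW VPN by default while keeping an SSH session to the router alive, plus the AWS CLI calls for the spoke route table and the transit gateway route table. The interface name vti1, the 10.10.0.0/16 addresses, routing table 100 and every AWS resource ID are assumptions; the hub is assumed to already have the egress VPC from the linked AWS blog post (private-subnet 0/0 to a NAT gateway, one TGW route table shared by the VPN and egress attachments), and the VPN is assumed to use static routes rather than BGP.

```shell
#!/bin/sh
# Added example (not code from the question or the answer above). It prints,
# and optionally applies, the Linux-side routing for a strongSwan router in the
# spoke VPC: forwarded traffic takes the TGW VPN tunnel as its default route,
# while replies to SSH sessions that reached the router on eth0 stay on eth0.
# Every interface name, address, table number and AWS resource ID below is an
# assumption for illustration; replace them with your own values.

TUN_IF="vti1"              # VTI interface bound to the up TGW VPN tunnel (assumed)
VPC_CIDR="10.10.0.0/16"    # spoke ("on-prem") VPC (assumed)
VPC_ROUTER="10.10.1.1"     # first host of eth0's subnet: the VPC's implicit router (assumed)
ETH0_IP="10.10.1.20"       # strongSwan instance's primary private IP (assumed)
MGMT_TABLE="100"           # policy-routing table for packets sourced from ETH0_IP (assumed)

# Linux side. Ordering matters: the management table and rule are installed
# before the main default route moves, so an interactive SSH session survives.
# "ip route replace default dev $tun" wins whatever metric DHCP gave the eth0
# default: it swaps out a metric-0 default, or outranks a metric-512 one.
# The rule only matches packets already sourced from ETH0_IP (replies to
# sessions that arrived on eth0); connections the router opens itself start
# with no source bound, miss the rule, and take the tunnel like forwarded traffic.
route_plan() {
  tun="$1"; vpc="$2"; gw="$3"; self="$4"; tbl="$5"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace default via $gw dev eth0 table $tbl
ip rule show | grep -q "from $self lookup $tbl" || ip rule add from $self lookup $tbl priority 1000
ip route replace $vpc via $gw dev eth0
ip route replace 169.254.169.254/32 via $gw dev eth0
ip route replace default dev $tun
EOF
}

# AWS side, as real AWS CLI commands with placeholder IDs. The spoke route table
# sends 0/0 to the router's ENI (source/dest check must be off for the router to
# forward it); the TGW route table needs the spoke CIDR pointing at the VPN
# attachment (static, no BGP here) and 0/0 pointing at the egress VPC attachment;
# the egress VPC's public-subnet route table needs the spoke CIDR pointing back
# at the TGW so the NAT gateway's replies can return.
aws_plan() {
  inst="$1"; eni="$2"; spoke_rtb="$3"; tgw_rtb="$4"; vpn_att="$5"; egress_att="$6"
  egress_pub_rtb="$7"; tgw="$8"; vpc="$9"
  cat <<EOF
aws ec2 modify-instance-attribute --instance-id $inst --no-source-dest-check
aws ec2 create-route --route-table-id $spoke_rtb --destination-cidr-block 0.0.0.0/0 --network-interface-id $eni
aws ec2 create-transit-gateway-route --transit-gateway-route-table-id $tgw_rtb --destination-cidr-block $vpc --transit-gateway-attachment-id $vpn_att
aws ec2 create-transit-gateway-route --transit-gateway-route-table-id $tgw_rtb --destination-cidr-block 0.0.0.0/0 --transit-gateway-attachment-id $egress_att
aws ec2 create-route --route-table-id $egress_pub_rtb --destination-cidr-block $vpc --transit-gateway-id $tgw
EOF
}

# No argument: print both plans for review. "apply": run the Linux-side plan
# on this router (requires root). The AWS IDs below are placeholders.
case "${1:-plan}" in
  apply) route_plan "$TUN_IF" "$VPC_CIDR" "$VPC_ROUTER" "$ETH0_IP" "$MGMT_TABLE" | sh -e ;;
  *)     route_plan "$TUN_IF" "$VPC_CIDR" "$VPC_ROUTER" "$ETH0_IP" "$MGMT_TABLE"
         aws_plan i-0123456789abcdef0 eni-0123456789abcdef0 rtb-0spoke00000000 tgw-rtb-0123456789abcdef0 \
                  tgw-attach-0vpn000000000 tgw-attach-0egress0000000 rtb-0egresspub00000 tgw-0123456789abcdef0 "$VPC_CIDR" ;;
esac
```

Run it once without arguments to review the commands, then `sh thisfile apply` on the router. Because the policy rule matches only packets the router sends from its own eth0 address, SSH replies go back out eth0, whereas outbound connections the router opens (the SSM agent, package updates) travel through the tunnel and therefore depend on the hub egress working, or on SSM interface endpoints in the spoke VPC. With no 0/0 in the spoke security groups, the spoke instances need an egress rule to the router's private IP, and the router needs ingress from the spoke CIDR plus UDP 500 and 4500 to the two tunnel outside addresses.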
