AWS VPN Connection

mario00 asked:

I have a customer that needs to access an internal load balancer on our AWS network. The internal load balancer is not provided a static IP address. It is given a DNS name that can be resolved to an internal IP address that is dynamically assigned from the subnet in the VPC. If the customer creates a VPN connection and provides access to the entire subnet range, they would be able to access the DNS name of the internal load balancer without issue. Unfortunately they are not willing to support 256 random IPs on the VPN tunnel. Is this too much to ask the customer to provide on the VPN tunnel? Is it best practice not to create a tunnel with access to the entire subnet?
Phil Phillips:
AWS recently came out with a Network Load Balancer (NLB) that supports static IPs: https://aws.amazon.com/blogs/aws/new-network-load-balancer-effortless-scaling-to-millions-of-requests-per-second/
mario00 (asker):
The static IP option is only available for internet-facing LBs. The LB we need the static IP for is an internal LB.
ASKER CERTIFIED SOLUTION
Phil Phillips:
mario00 (asker):
I have already pitched the idea of creating a /28 to the customer to see if they are OK with passing 11 IP addresses instead. You would think that an IP address does not change once assigned, but it does! It has already happened to us while testing. One other note: our VPC is created in the AWS GovCloud, and not all services in the commercial cloud are available in GovCloud. The NLB is not yet available in GovCloud. And even if it were, a static IP is not an option on an internal load balancer. This customer does not even want to pass private IP addresses over the VPN, stating it is industry standard to NAT private IPs to public IPs to go over the tunnel. What industry standard is this?
Phil Phillips:

Ahh, non-changing of the IPs is specific to the NLB; the normal ELB/ALBs will still change. Hopefully they will have NLB in GovCloud soon!

I have not heard of that standard... in fact, I've generally leaned towards using private IPs when possible. The only times I've seen that sort of IP NATing has been to spoof IPs for internal testing or to resolve issues with subnet conflicts.
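The trade-off discussed in this thread (an internal ELB/ALB's address moves within its subnet, so the route the customer puts on the tunnel must cover every address the load balancer can land on, and a /28 leaves 11 usable addresses) can be checked mechanically rather than argued. The Python below is an added example written for this page; it is not code from either participant or from AWS. The VPC CIDR, subnet and resolved addresses are constructed sample values, and the only AWS-specific fact it relies on is that AWS reserves five addresses in every VPC subnet (network, VPC router, DNS resolver, one for future use, broadcast).

```python
import ipaddress
from typing import Iterable, List

# AWS reserves five addresses in every VPC subnet: the network address, the
# VPC router, the Amazon DNS resolver, one held for future use, and the
# broadcast address. A /28 (16 addresses) therefore offers 11 usable hosts.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Number of addresses AWS will actually hand out inside a VPC subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def carve_subnets(vpc_cidr: str, new_prefix: int) -> List[str]:
    """All subnets of the requested size that fit inside the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def uncovered_addresses(allowed_routes: Iterable[str],
                        resolved_ips: Iterable[str]) -> List[str]:
    """Resolved load-balancer addresses that no accepted tunnel route contains.

    Anything returned here becomes unreachable for the customer the moment
    the load balancer's DNS name resolves to it.
    """
    routes = [ipaddress.ip_network(r, strict=True) for r in allowed_routes]
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in r for r in routes)]


def minimal_covering_route(resolved_ips: Iterable[str]) -> str:
    """Smallest single CIDR containing every address the LB has been seen at.

    Starts from a host route for the first address and widens one bit at a
    time until every observed address falls inside the prefix.
    """
    addrs = [ipaddress.ip_address(ip) for ip in resolved_ips]
    net = ipaddress.ip_network(f"{addrs[0]}/{addrs[0].max_prefixlen}")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    # Constructed sample data (hypothetical; not taken from the thread).
    vpc_cidr = "10.20.0.0/16"
    lb_subnet = "10.20.5.0/24"
    seen_over_time = ["10.20.5.7", "10.20.5.200"]   # what the LB's DNS name resolved to
    customer_accepts = ["10.20.5.0/28"]              # the only route the customer allows

    print(f"{lb_subnet} gives AWS {usable_hosts(lb_subnet)} usable addresses")
    print(f"a /28 carved from it gives {usable_hosts(carve_subnets(lb_subnet, 28)[0])}")
    print("LB addresses outside the customer's route:",
          uncovered_addresses(customer_accepts, seen_over_time))
    print("smallest route covering every observed address:",
          minimal_covering_route(seen_over_time))
```

Run against the sample data it reports that a /28 carved from the load balancer's /24 yields 11 usable addresses, that 10.20.5.200 is unreachable under the customer's /28 route, and that the smallest single prefix covering what the DNS name has actually resolved to is the full 10.20.5.0/24. Feeding `uncovered_addresses` the addresses you collect from periodic DNS lookups is a cheap way to notice a route gap before the customer does; placing the load balancer in its own small dedicated subnet is what lets `minimal_covering_route` stay small.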