{"id":4390,"date":"2022-04-29T13:58:00","date_gmt":"2022-04-29T11:58:00","guid":{"rendered":"https:\/\/blog.besharp.it\/?p=4390"},"modified":"2022-04-29T16:32:02","modified_gmt":"2022-04-29T14:32:02","slug":"advanced-networking-how-to-nat-aws-traffic-with-any-private-ip","status":"publish","type":"post","link":"https:\/\/blog.besharp.it\/advanced-networking-how-to-nat-aws-traffic-with-any-private-ip\/","title":{"rendered":"Advanced Networking: privately NATting a whole VPC to and from the on-prem"},"content":{"rendered":"\n
In the Hybrid Cloud model, a large share of the complexity lies in the network: turning the Cloud and the on-premises environment into a single, well-integrated ecosystem is far from trivial.<\/p>\n\n\n\n
In particular, a site-to-site VPN connection is delicate because several complications can arise, the classic one being an overlap between the CIDRs of the two environments.<\/p>\n\n\n\n
Another problem is that the other side of the VPN may impose constraints on the size of the address space it is willing to route: for example, it may be unable to reserve a whole \/16 for a single connection and only accept a smaller network such as a \/27. Worse still, in the least convenient scenario, that \/27 may not be contained in the VPC's own CIDR at all.<\/p>\n\n\n\n
This last case is a real situation we had to handle while configuring a VPN between our AWS architecture and an on-premises environment.<\/p>\n\n\n\n
The third party could not establish a connection with the address space of our VPC, both because it is too large (a \/16) and because it overlaps with another environment on their side.<\/p>\n\n\n\n
In an on-premises environment this would not be a problem: you can place a virtual network in front of the traffic directed to the other environment and NAT it behind a different address space. In the cloud, however, this is not possible by design.<\/p>\n\n\n\n
So we had to agree on a smaller network space acceptable to both sides, use it to NAT our traffic towards them and, at the same time, let them reach our applications, which live in several different network spaces.<\/p>\n\n\n\n
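Before touching any AWS resource it is worth checking the address plan on paper. The following Python snippet is an added example (it is not code from the original post): it uses the standard ipaddress module to test whether a candidate NAT block collides with the ranges the other party already routes, whether it falls inside the VPC CIDR (the inconvenient case described above is when it does not), and to pick the first free \/27 out of a range both sides agree on. The VPC CIDR, the peer ranges and the candidate blocks below are constructed for illustration.<\/p>\n\n\n\n

```python
# Added example (not from the original post): a CIDR-planning check for the
# scenario described above. Every address below is constructed for illustration.
import ipaddress
from typing import Dict, Iterable, Optional


def check_nat_candidate(vpc_cidr: str, peer_cidrs: Iterable[str], candidate: str) -> Dict[str, object]:
    """Evaluate a candidate NAT range against our VPC CIDR and the peer's ranges.

    Returns which peer ranges overlap our VPC (the reason we cannot simply
    advertise the VPC CIDR), whether the candidate lives inside the VPC CIDR,
    and which peer ranges the candidate collides with.  strict=True rejects
    CIDRs with host bits set, a common typo in network plans.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    cand = ipaddress.ip_network(candidate, strict=True)
    peers = [ipaddress.ip_network(p, strict=True) for p in peer_cidrs]
    conflicts = [str(p) for p in peers if p.overlaps(cand)]
    return {
        "vpc_overlaps_peer": [str(p) for p in peers if p.overlaps(vpc)],
        "candidate_inside_vpc": cand.subnet_of(vpc),
        "candidate_conflicts": conflicts,
        "usable": not conflicts,
    }


def first_free_block(peer_cidrs: Iterable[str], search_space: str, prefixlen: int = 27) -> Optional[str]:
    """Walk search_space in blocks of the requested prefix length and return the
    first block that overlaps none of the peer's ranges, or None if none is free."""
    space = ipaddress.ip_network(search_space, strict=True)
    peers = [ipaddress.ip_network(p, strict=True) for p in peer_cidrs]
    if prefixlen < space.prefixlen:
        raise ValueError("requested block is larger than the search space")
    for block in space.subnets(new_prefix=prefixlen):
        if not any(p.overlaps(block) for p in peers):
            return str(block)
    return None


if __name__ == "__main__":
    # Constructed scenario: our VPC is a /16 that the peer already uses
    # internally, so they will only route a small block for us.
    VPC = "10.0.0.0/16"
    PEER = ["10.0.0.0/16", "192.168.0.0/24", "172.16.0.0/27"]

    print(check_nat_candidate(VPC, PEER, "10.0.1.0/27"))     # inside the VPC, but collides with the peer
    print(check_nat_candidate(VPC, PEER, "172.16.10.0/27"))  # usable, but outside the VPC CIDR
    print(first_free_block(PEER, "172.16.0.0/24"))           # first /27 the peer does not already use
```

Run it as a script to see the three checks; the dictionary returned by check_nat_candidate is what you would hand to whoever signs off on the address plan on the other side.<\/p>\n\n\n\n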
We will not spend much time on the networking components themselves. Here<\/a> you can find how to configure your accounts with a Transit Gateway and a centralized NAT Gateway, together with the underlying concepts. This article is an extension of that post, so we recommend reading it first for a deeper understanding.<\/p>\n\n\n\nArchitecture Design<\/h2>\n\n\n\n