AWS VPN for accessing IP whitelisted APIs?

Somewhat of an AWS devops noob here, wondering if the Client VPN endpoint will fit this use case.

We have some vendors whose API is IP whitelisted. Fine for our ECS services, just give them the NAT Gateway IPs.

But devs need to access these APIs from their computer as well, so my idea was to create a Client VPN endpoint connected to the VPC. However I saw this StackOverflow article and this AWS article describing how you can’t configure NAT for VPN connections.

Is there a way to accomplish what I’m after or is the AWS VPN not ideal for this use case?

Client VPN can accomplish that. The articles you refer to mainly talk about Site-to-Site VPN (using a VGW (Virtual Gateway) and a Customer Gateway [think router on-prem]).

Client VPN docs are here:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html and https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario.html.

You can manipulate the routing of Client VPN to achieve what you want.

And … it’ll probably work if you are using OpenVPN clients already.
With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.

Use OpenVPN instead. I’ve been using it since 2002, and I think since 2006 on AWS. It has worked great.

Maybe try a proxy server if it’s all HTTP/HTTPS traffic? Host a server in AWS that acts as a proxy and have the devs use that for their API calls?

Not sure if this is exactly your use case but check out https://remote.it/aws/. I was having such a hard time managing dev access to our AWS VPCs but this makes it easy + secure. Let me know what you think.

Ahhh I didn’t realize those articles were referring to Site-to-Site, good catch.

Just noticed this AWS article specifically leaves out Client VPN where it states what can’t route to a NAT.

Guess I’ll mess around with it more and see if I can make it work. Thanks!

I was going to try using the AWS VPN

Yeah I had the same thought as well and think I may try implementing this as well, that way we don’t get charged for all the rest of the traffic going through the VPN.
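
The Client VPN routing suggested earlier in the thread, sketched as an added example that is not from any poster: split-tunnel routes for the vendor CIDRs only, so only that traffic leaves through the whitelisted NAT Gateway IPs. The endpoint, subnet, group and CIDR values are constructed placeholders; it assumes the endpoint is associated with a private subnet whose default route points at the NAT Gateway, and that the endpoint uses directory or SAML authentication so access can be limited to one group.

```shell
#!/bin/sh
# Added example, not from the thread. All IDs, group names and CIDRs are placeholders.
# Assumption: the endpoint's associated subnet is private and routes 0.0.0.0/0
# to the NAT Gateway whose IPs the vendors already whitelist.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the aws commands for review, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Accept only IPv4-shaped CIDRs and refuse a default route, which would pull
# all client traffic (and its cost) through the VPN and the NAT Gateway.
valid_vendor_cidr() {
  case "$1" in
    0.0.0.0/0) return 1 ;;
  esac
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# plan_vendor_routes ENDPOINT_ID SUBNET_ID ACCESS_GROUP_ID CIDR...
plan_vendor_routes() {
  endpoint="$1"; subnet="$2"; group="$3"; shift 3
  # Split tunnel: clients send only the routed CIDRs over the VPN.
  run ec2 modify-client-vpn-endpoint \
    --client-vpn-endpoint-id "$endpoint" --split-tunnel
  for cidr in "$@"; do
    if ! valid_vendor_cidr "$cidr"; then
      echo "skipping invalid or too-broad CIDR: $cidr" >&2
      continue
    fi
    # Route the vendor range via the associated subnet (egress through NAT).
    run ec2 create-client-vpn-route --client-vpn-endpoint-id "$endpoint" \
      --destination-cidr-block "$cidr" --target-vpc-subnet-id "$subnet"
    # Allow only the named group to reach that range, not every VPN user.
    run ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id "$endpoint" \
      --target-network-cidr "$cidr" --access-group-id "$group"
  done
  return 0
}

# Constructed sample input (documentation address ranges).
plan_vendor_routes cvpn-endpoint-EXAMPLE subnet-EXAMPLE vendor-api-devs \
  203.0.113.0/24 198.51.100.10/32
```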