5

I have a basic Amazon VPC set up with a public and private subnet. I have deployed a Vyatta router in the public subnet that does NAT for the private subnet. I have an elastic IP address assigned to the Vyatta instance which does a 1:1 NAT to the private IP of the Vyatta's eth0 interface.

The question: I am building an IPsec VPN from the Vyatta instance and that requires the Vyatta instance to be aware of the public IP address, which it currently is not. Is there a way to assign the public elastic IP address directly to the eth0 interface?

If not, does anyone know a workaround to using Vyatta in a VPC configured with an IPsec VPN?

Thanks!

EEAA
  • 108,414
  • 18
  • 172
  • 242

2 Answers

5

Is there a way to assign the public elastic IP address directly to the eth0 interface?

No, there is not. Internet traffic to/from EC2 instances always traverses the Elastic IP 1:1 NAT infrastructure.

If not, does anyone know a workaround to using Vyatta in a VPC configured with an IPsec VPN?

I have all manner of IPsec operating in VPC (including IPSec tunnels that cross NAT boundaries) without issue. Why do you think you need to have the public address directly assigned to the host? That is not a requirement from IPsec's perspective.

EEAA
  • 108,414
  • 18
  • 172
  • 242

There are mechanisms to put IPsec through NAT, but don't they all involve additional encapsulation and overhead? – Phil Frost Mar 09 '18 at 13:48

3

As EEAA mentioned, you can't actually assign the elastic IP to an interface on your instance. That's not how EC2 publicly-routed IPs work.

I'm not sure how much it will help you, but if you do want to know the IP programmatically, you can query it from the metadata "API":

curl -s http://169.254.169.254/latest/meta-data/public-ipv4

If an elastic IP is assigned to the instance, that will print it to standard out.

Falcon Momot
  • 24,975
  • 13
  • 61
  • 92
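The one-line curl above uses the original, token-less metadata interface. The following is an added example (not code from either answer, and not AWS code) that fetches the same public-ipv4 value through the IMDSv2 session-token flow, which is the mode you get when an instance is configured to require tokens, and validates the result before it is used. The PUT /latest/api/token request and the X-aws-ec2-metadata-token-ttl-seconds / X-aws-ec2-metadata-token headers are the real IMDSv2 interface; the 404-on-no-public-IP behaviour is assumed from how the metadata tree reports absent keys. The stub server, the sample address 203.0.113.25 (TEST-NET-3) and the token string are constructed for offline demonstration only.

```python
"""Added example: read the instance's public (elastic) IPv4 via IMDSv2.

Not from the Server Fault answers. The stub metadata server below is a
constructed stand-in so the client code can be exercised offline.
"""
import ipaddress
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_BASE = "http://169.254.169.254"           # real metadata endpoint on EC2
TOKEN_PATH = "/latest/api/token"               # IMDSv2 session-token endpoint
PUBLIC_IPV4_PATH = "/latest/meta-data/public-ipv4"
TOKEN_TTL_SECONDS = 21600                      # 6 h, the IMDSv2 maximum


def fetch_public_ipv4(base=IMDS_BASE, timeout=2.0):
    """Return the public/elastic IPv4 as a string, or None if none is assigned.

    Step 1: PUT a token request (IMDSv2); step 2: GET with that token.
    Raises ValueError if the body is not a plain IPv4 address, so a garbled
    or unexpected response can never be pasted into a VPN configuration.
    """
    req = urllib.request.Request(
        base + TOKEN_PATH, method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(TOKEN_TTL_SECONDS)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token = resp.read().decode().strip()

    req = urllib.request.Request(
        base + PUBLIC_IPV4_PATH, headers={"X-aws-ec2-metadata-token": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as err:
        if err.code == 404:        # assumed: key absent => no public IP
            return None
        raise
    addr = ipaddress.ip_address(body)   # ValueError on anything non-IP
    if addr.version != 4:
        raise ValueError("expected an IPv4 address, got %s" % body)
    return str(addr)


class _StubIMDS(BaseHTTPRequestHandler):
    """Constructed stand-in for the metadata service in token-required mode:
    a GET without the session token is refused with 401."""
    public_ipv4 = "203.0.113.25"     # constructed sample elastic IP
    token = "stub-session-token"     # constructed sample token

    def do_PUT(self):
        if self.path == TOKEN_PATH and self.headers.get(
                "X-aws-ec2-metadata-token-ttl-seconds"):
            self._send(200, self.token)
        else:
            self._send(400, "bad request")

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != self.token:
            self._send(401, "unauthorized")
        elif self.path == PUBLIC_IPV4_PATH and self.public_ipv4 is not None:
            self._send(200, self.public_ipv4)
        else:
            self._send(404, "not found")

    def _send(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):    # keep the demo quiet
        pass


def run_demo(public_ipv4="203.0.113.25"):
    """Serve the stub on localhost and run the client against it.

    Returns (ip_seen_via_imdsv2, http_status_of_a_tokenless_get)."""
    handler = type("Handler", (_StubIMDS,), {"public_ipv4": public_ipv4})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        ip = fetch_public_ipv4(base)
        # The curl one-liner pattern (no token) is what token-required mode rejects.
        try:
            urllib.request.urlopen(base + PUBLIC_IPV4_PATH, timeout=2.0)
            tokenless_status = 200
        except urllib.error.HTTPError as err:
            tokenless_status = err.code
    finally:
        srv.shutdown()
        srv.server_close()
    return ip, tokenless_status


if __name__ == "__main__":
    print(run_demo())            # ('203.0.113.25', 401) against the stub
```

On a real instance, call fetch_public_ipv4() with the default base. The value it returns is the address the far end of the tunnel will see and the one your IPsec peer configuration needs as the local identity; the tunnel itself still binds to eth0's private address, with the 1:1 Elastic IP mapping from the question sitting in between, which is exactly the NAT case EEAA's answer says works.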