I would like to use Nat Gateway (not Nat Instance on EC2!) from another VPC to route my traffic from peered VPCs to the Internet. My infrastructure looks like this:
/---------------------VPC-LIVECHAT---------------------\
| /---Subnet A---\ /---Subnet B---\ /---Subnet C---\ |
| | | | | | | |
| \-10.10.0.0/24-/ \-10.10.1.0/24-/ \-10.10.2.0/24-/ |
\------------------------------------------------------/
| |
| VPC Peering Connection |
| |
/----------------------VPC-COMMON----------------------\
| /---Subnet A---\ /---Subnet B---\ /---Subnet C---\ |
| | /--------\ | | /--------\ | | /--------\ | |
| | | NAT GW | | | | NAT GW | | | | NAT GW | | |
| | \--------/ | | \--------/ | | \--------/ | |
| \-10.10.3.0/24-/ \-10.10.4.0/24-/ \-10.10.5.0/24-/ |
\------------------------------------------------------/
| |
| VPC Peering Connection |
| |
/---------------------VPC-DATABASE---------------------\
| /---Subnet A---\ /---Subnet B---\ /---Subnet C---\ |
| | | | | | | |
| \-10.10.6.0/24-/ \-10.10.7.0/24-/ \-10.10.8.0/24-/ |
\------------------------------------------------------/
My idea:
- I will setup VPC-COMMON with subnets and Nat Gateway in each subnet (one subnet per AZ)
- I will setup VPC-LIVECHAT and VPC-DATABASE VPCs, create VPC Peering connections
- In VPC-COMMON subnets there will be route 0.0.0.0/0 -> Nat Gateway in same subnet
- In VPC-LIVECHAT and VPC-DATABASE subnets (all of them) there will be route VPC-COMMON CIDR -> VPC Peering Connection
- In each subnet of VPC-LIVECHAT and VPC-DATABASE there will be route 0.0.0.0/ -> Nat gateway in corresponding subnet of VPC-COMMON (subnets A will use NAT GW in VPC-COMMON subnet A and so on...)
I think this setup should work pretty well, it is just routed VLANs. But not in AWS. AWS don't want to allow me use Nat Gateway in different VPC in route table with error
"route table rtb-293fa54d and interface interface-c2002e9e belong to different networks"
I cannot use Private IP of Nat Gateway in AWS too, AWS doesn't suport IP addresses in route target (I would really love to know why).
I'm using CloudFormation and my route definition looks like this:
"RoutePrivate3ToNatInCommon" : {
"Type" : "AWS::EC2::Route",
"Condition" : "IsNotVpcCommon",
"Properties" : {
"DestinationCidrBlock" : "0.0.0.0/0",
"RouteTableId" : { "Ref" : "PrivateSubnet3RoutingTable" },
"NatGatewayId" : { "Fn::GetAtt" : [ "NatGatewaySettingsForNotCommon", "NatGatewayAZC" ] }
}
}
NatGatewaySettingForNotCommon is my Custom lambda-backed resource which helps me to get list of Nat Gateways per availability zone.
Is there any way how to achieve this setup? I will have about 10 VPCs per region, 3 private subnets in each of them and I really don't want to setup (and pay for) 30 Nat Gateways. This looks like regular "non-cloudy" network setup so there should be no problem to realize it in cloud. Or is it?