I'm trying to figure out if it's possible to use public IPs over a Site-to-Site VPN connection in AWS. The other party involved is insisting on using public IPs for traffic. I've been testing this setup with an AWS S2S VPN and an open-source VPN as the client, but I've noticed through the AWS Reachability Analyzer that the source IP is switched to a private IP when it goes through the Transit Gateway and the VPN route. Is it just not feasible in AWS, or am I missing something?
5 Answers
From what I understand, you generally won't be able to use public IPs this way. The public IP of an instance is primarily for internet traffic going out from that instance. It raises a larger question: why do they need public IPs on the VPN?
It really depends on who’s making the connection. If AWS is connecting to the third party or vice versa, I'm assuming it’d be best to look into using an isolated VPC with PrivateLink. You can't use an Elastic IP across a Site-to-Site VPN, so adding a public CIDR as a secondary CIDR to your VPC and setting up a private NAT gateway could be an option. Just make sure your route tables are set up correctly, as misconfigurations can lead to headaches!
I doubt this can be achieved as you're hoping. Have you considered using NAT as an alternative method?
I found this AWS repost that discusses the use of public IPs with VPNs, but it seems like there's no clear answer: [Use Public IP for Communication via AWS VPN Tunnel](https://repost.aws/questions/QUig7UxqcdSe2yIwrPofLl9A/use-public-ip-for-communication-via-aws-vpn-tunnel).
If you have a known public IP range from the other party, you could either create a VPC with that public CIDR and attach it to the Transit Gateway or add it as a secondary CIDR. Then, route your VPN traffic through internal NAT Gateways. Just ensure your S2S VPN supports those IP ranges, whether through static or dynamic routing.
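The secondary-CIDR plus private-NAT-gateway pattern from the two answers above, written out as an added Terraform example (not code from the thread or from AWS). It assumes the VPC, the Transit Gateway with its VPN attachment, and the workload route table already exist, and every ID and CIDR is a placeholder to replace with your own values.

```hcl
# Added example (not from the thread): give an existing VPC a secondary public CIDR,
# place a private NAT gateway in that range, and route partner-bound traffic through it
# and on to the Transit Gateway that carries the S2S VPN. All IDs and CIDRs are placeholders.
variable "vpc_id"        { default = "vpc-0123456789abcdef0" }  # existing VPC
variable "tgw_id"        { default = "tgw-0123456789abcdef0" }  # TGW holding the VPN attachment
variable "private_rt_id" { default = "rtb-0123456789abcdef0" }  # route table of workload subnets
variable "public_cidr"   { default = "203.0.113.0/26" }   # your public range (TEST-NET-3 placeholder)
variable "partner_cidr"  { default = "198.51.100.0/24" }  # other party's range (TEST-NET-2 placeholder)

# 1. Add the public range as a secondary CIDR of the existing VPC.
resource "aws_vpc_ipv4_cidr_block_association" "public" {
  vpc_id     = var.vpc_id
  cidr_block = var.public_cidr
}

# 2. A subnet carved from that range hosts the private NAT gateway.
resource "aws_subnet" "nat" {
  vpc_id     = var.vpc_id
  cidr_block = var.public_cidr
  depends_on = [aws_vpc_ipv4_cidr_block_association.public]
}

# 3. Private NAT gateway: no Internet gateway and no Elastic IP; it rewrites the
#    source address to one taken from the public_cidr subnet before forwarding.
resource "aws_nat_gateway" "private" {
  connectivity_type = "private"
  subnet_id         = aws_subnet.nat.id
}

# 4. Workload subnets send partner-bound traffic to the NAT gateway ...
resource "aws_route" "to_partner_via_nat" {
  route_table_id         = var.private_rt_id
  destination_cidr_block = var.partner_cidr
  nat_gateway_id         = aws_nat_gateway.private.id
}

# 5. ... and the NAT subnet's route table forwards it to the Transit Gateway.
resource "aws_route_table" "nat" {
  vpc_id = var.vpc_id
  route {
    cidr_block         = var.partner_cidr
    transit_gateway_id = var.tgw_id
  }
}
resource "aws_route_table_association" "nat" {
  subnet_id      = aws_subnet.nat.id
  route_table_id = aws_route_table.nat.id
}
```

Traffic toward the partner then enters the TGW with a public_cidr source address instead of the private one seen in the Reachability Analyzer; the return path still requires public_cidr to be advertised to the other side (static route or BGP on the VPN attachment) and security groups and NACLs on the NAT subnet to permit the flow.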
Often, it's to avoid IP overlaps since the other side might have many networks connected to the VPN. Using public IPs can help prevent conflicts with common private ranges, like 10.0.0.0/8, especially in sectors like government.