Achieving the Fixed IP Firewall Requirement with Private NAT Gateway for AWS Private Subnet

Zhimin Wen
10 min read · Feb 20, 2024
Image by Luisella Planeta LOVE PEACE 💛💙 from Pixabay

I have an OpenShift application running in a purely private AWS network (no internet gateway, no public subnets). It connects back to the on-premises data center through a Transit Gateway. To integrate with the on-premises applications, one of the firewall requirements is a fixed source IP: the data-center firewall rule must be written for a single, stable address.

The private IP address of an EC2 instance is not stable from the firewall's point of view: nodes are replaced on scale-out, scale-in and upgrades, and the same goes for the worker nodes of a ROSA (Red Hat OpenShift Service on AWS) cluster, whose pod traffic leaves the node with the node's private IP. This article explores a way to meet the fixed-source-IP requirement in a purely private network environment.

Fixed Source IP to connect to On-premise Data Center

We introduce a private NAT gateway: all traffic leaving the application subnet goes through it, and a private NAT gateway can be created with a specific private IPv4 address, which becomes the source IP seen by the data center. We associate a dedicated route table with the application subnet, in which all outgoing traffic is routed to the NAT gateway. Two caveats: the address is chosen when the NAT gateway is created and cannot be changed afterwards, so reserve it in the firewall rule before building; and a private NAT gateway has no Elastic IP and no internet path, which is exactly what a pure private environment needs.

Next we need to connect it to the Transit Gateway. A route table cannot be associated with a NAT gateway; route tables are associated with subnets. Nor does the Transit Gateway offer an attachment type for a gateway: a VPC attachment is made to a set of subnets in the VPC, and the other attachment types (VPN, Direct Connect gateway, peering) do not apply here either.

What we can do is introduce another private subnet to host the NAT gateway. This subnet will be using the default VPC routing table…
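The topology described above, as an added Terraform example (not the article's own code and not a ROSA-provided configuration). It assumes a VPC of 10.0.0.0/16 with an application subnet 10.0.1.0/24 and a NAT subnet 10.0.2.0/24, an on-premises range of 192.168.0.0/16, a chosen fixed NAT address of 10.0.2.10, and an existing Transit Gateway whose ID is passed in `var.tgw_id`; all of these values are assumptions. Following the article, the application subnet sends all traffic (0.0.0.0/0) to the NAT gateway; the NAT subnet keeps the VPC main route table, in which the on-premises range is routed to the Transit Gateway, and the Transit Gateway VPC attachment is placed in the NAT subnet.

```terraform
# Added example: private NAT gateway with a fixed private IP in front of a Transit Gateway.
# All CIDRs, the fixed IP and var.tgw_id are assumed values, not taken from the article.

variable "tgw_id" {
  type        = string
  description = "ID of the existing Transit Gateway that reaches the on-premises data center"
}

locals {
  onprem_cidr  = "192.168.0.0/16" # assumed on-premises range
  nat_fixed_ip = "10.0.2.10"      # assumed fixed address; this is what the firewall rule is written for
}

resource "aws_vpc" "rosa" {
  cidr_block = "10.0.0.0/16"
}

# Subnet where the ROSA worker nodes (and therefore the application pods) live.
resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.rosa.id
  cidr_block = "10.0.1.0/24"
}

# Dedicated subnet that hosts only the private NAT gateway and the TGW attachment.
resource "aws_subnet" "nat" {
  vpc_id     = aws_vpc.rosa.id
  cidr_block = "10.0.2.0/24"
}

# Private NAT gateway: no Elastic IP, no internet path, fixed private IPv4 address.
# private_ip is only honoured at creation; changing it later forces a replacement.
resource "aws_nat_gateway" "private" {
  connectivity_type = "private"
  subnet_id         = aws_subnet.nat.id
  private_ip        = local.nat_fixed_ip
}

# Route table for the application subnet: everything leaving the subnet goes to the
# NAT gateway, so the data center sees every flow sourced from local.nat_fixed_ip.
resource "aws_route_table" "app" {
  vpc_id = aws_vpc.rosa.id
}

resource "aws_route" "app_to_nat" {
  route_table_id         = aws_route_table.app.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.private.id
}

resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}

# The TGW attachment is made to the NAT subnet, so the attachment ENI sits next to
# the NAT gateway and return traffic reaches it through the VPC local route.
resource "aws_ec2_transit_gateway_vpc_attachment" "rosa" {
  transit_gateway_id = var.tgw_id
  vpc_id             = aws_vpc.rosa.id
  subnet_ids         = [aws_subnet.nat.id]
}

# The NAT subnet is left on the VPC main route table (no explicit association);
# add the on-premises route there, pointing at the Transit Gateway.
resource "aws_route" "nat_to_tgw" {
  route_table_id         = aws_vpc.rosa.main_route_table_id
  destination_cidr_block = local.onprem_cidr
  transit_gateway_id     = var.tgw_id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.rosa]
}

# The single address to hand to the firewall team.
output "firewall_source_ip" {
  value = aws_nat_gateway.private.private_ip
}
```

After `terraform apply`, check the result from both ends: `aws ec2 describe-nat-gateways --nat-gateway-ids <id>` should report `ConnectivityType: private` and the chosen address under `NatGatewayAddresses`, and a connection from a pod in the application subnet to an on-premises host should appear in the data-center firewall log with the NAT gateway's IP, not the node's IP. Note that the NAT gateway still sits inside the VPC: pods in the application subnet can reach the NAT subnet directly through the local route, so the single-source-IP guarantee only holds for traffic that actually crosses the NAT gateway, which is why the application subnet's route table must not carry its own route to the Transit Gateway.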
