How to map RFC 1918 IP addresses to public IP spaces using Aviatrix?
Some enterprises have built their datacenter environments on public IPs that they own. But when they started adopting public clouds like AWS, their cloud VPCs were built on RFC 1918 address space. When these VPCs need to connect to the organization’s on-premises datacenters, those internal networks need to start supporting RFC 1918 IPs. This change is not always possible, due to security concerns or to long-running process inertia.
Aviatrix Systems has helped customers address this problem in multiple environments. Aviatrix gateways have the ability to translate RFC 1918 IPs to public IP space through a two-way NAT feature.
Let’s use this example: Company XYZ owns this public IP range: 220.127.116.11/8. All their datacenter networks route only this IP space. Let’s say one of the company’s applications deployed in AWS needs to connect to the on-premises datacenter for database access. But this application’s VPC has a CIDR of 172.16.0.0/16 (RFC 1918). XYZ Company’s datacenter network (or WAN) cannot route this traffic.
To solve this issue, let’s use an Aviatrix Gateway to connect this VPC to an on-premises IPsec device. Here are the steps:
- Install the Aviatrix controller from the AWS marketplace and provide the controller credentials for this AWS account. (http://docs.aviatrix.com/StartUpGuides/aviatrix-cloud-controller-startup-guide.html)
- Log into the controller and navigate to the Gateways tab.
- Create a gateway in the VPC that needs to be connected. In this example, the VPC is called AppVPC.
- Once the Gateway is created, you should see it listed in the Gateways list.
- Now let’s start setting up an IPsec tunnel that will connect to the datacenter. Navigate to the Site2Cloud page.
- Click on “+ Add new”
- Fill out the form that gets presented:
  - VPC ID: Pick the VPC you want to connect (AppVPC).
  - Connection Type: Mapped (this tells the gateway to perform two-way NAT).
  - Connection Name: Any name to represent the IPsec connection (App-DC-Pub).
  - Remote Gateway Type: Select Generic, since we want to connect to a generic IPsec device on-premises.
  - Primary Cloud Gateway: Make sure the gateway you created above is selected (OR-IPSEC).
  - Remote Gateway IP Address: Enter the IP address (as seen from the internet) of the on-premises IPsec device you want to connect to.
  - Remote Subnet: Enter the datacenter’s IP range (18.104.22.168/24).
  - Remote Subnet (Virtual): Enter the IP space that the datacenter’s IPs need to map to (in this case it is the same IP space).
  - Local Subnet: Enter the VPC’s IP range (22.214.171.124/16).
  - Local Subnet (Virtual): Enter the IP space that the VPC IPs need to map to (let’s map the VPC IPs to the company’s IP space: 126.96.36.199/16).
- Leave all other options at their default values.
- Click OK.
- You will see the connection listed. The status will say “Down” because the IPsec device has not been configured yet.
- Select the connection row -> select “Generic” on the Vendor option -> Click on Download Configuration.
- Use this configuration file to set up the IPsec connection on the on-premises device.
- Shortly afterwards, when you refresh the connection status on the Aviatrix controller page, you should see it change to “Up”.
- Now you will be able to access instances in the VPC using the corresponding public IP addresses. For example, if the VPC instance’s private IP address is 172.16.1.106, you will be able to address the instance as 188.8.131.52 from the datacenter.
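To make the address arithmetic behind a Mapped connection concrete, here is an added example (not Aviatrix code, and not from the original article) that models the two-way, 1:1 network translation: the host bits of an address are kept and only the network bits are swapped, in both directions. The ranges 198.51.0.0/16 and 192.0.2.0/24 are constructed stand-ins for the article's virtual and datacenter subnets.

```python
from ipaddress import IPv4Address, ip_address, ip_network


class MappedNat:
    """1:1 network-to-network translation: keep an address's host bits and swap
    its network bits, so each real host has exactly one virtual counterpart."""

    def __init__(self, real_cidr: str, virtual_cidr: str) -> None:
        # strict=False normalises a host form such as 172.16.0.1/16 to 172.16.0.0/16
        self.real = ip_network(real_cidr, strict=False)
        self.virtual = ip_network(virtual_cidr, strict=False)
        if self.real.prefixlen != self.virtual.prefixlen:
            raise ValueError("real and virtual subnets must have equal prefix lengths")

    @staticmethod
    def _translate(ip: str, src, dst) -> str:
        addr = ip_address(ip)
        if addr not in src:
            # Outside the configured subnet nothing is translated (and nothing is routed)
            raise ValueError(f"{addr} is not inside {src}")
        host_bits = int(addr) & int(src.hostmask)
        return str(IPv4Address(int(dst.network_address) | host_bits))

    def to_virtual(self, ip: str) -> str:  # real address -> what the peer sees
        return self._translate(ip, self.real, self.virtual)

    def to_real(self, ip: str) -> str:  # address the peer used -> real address
        return self._translate(ip, self.virtual, self.real)


# Constructed example values, not the article's: the VPC keeps 172.16.0.0/16 but
# is presented to the datacenter as 198.51.0.0/16; the datacenter subnet
# 192.0.2.0/24 maps to itself, like the article's "Remote Subnet (Virtual)".
LOCAL = MappedNat("172.16.0.0/16", "198.51.0.0/16")
REMOTE = MappedNat("192.0.2.0/24", "192.0.2.0/24")


def vpc_to_datacenter(src: str, dst: str) -> tuple[str, str]:
    """Packet leaving the VPC: source -> virtual range, destination -> real range."""
    return LOCAL.to_virtual(src), REMOTE.to_real(dst)


def datacenter_to_vpc(src: str, dst: str) -> tuple[str, str]:
    """Packet from the datacenter sent to a virtual VPC IP: destination -> private IP."""
    return REMOTE.to_virtual(src), LOCAL.to_real(dst)


if __name__ == "__main__":
    print(vpc_to_datacenter("172.16.1.106", "192.0.2.10"))  # ('198.51.1.106', '192.0.2.10')
    print(datacenter_to_vpc("192.0.2.10", "198.51.1.106"))  # ('192.0.2.10', '172.16.1.106')
```

Because the mapping is 1:1, the two subnets must have the same prefix length; the constructor rejects a mismatch, and an address outside the configured subnet is refused rather than silently passed through.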
For more information on Aviatrix capabilities, please go to: http://docs.aviatrix.com/StartUpGuides/aviatrix_overview.html