Sending traffic from pfSense to a Site-to-Site VPN to a VGW to a NAT in AWS | by Teri Radichel | Cloud Security | March 2024


ACM.470 Another thing Q told me I could do but wasn’t allowed


In the last post, with Q’s blessing, I attempted to send traffic from a Load Balancer to a NAT. It did not work.

In this article, I consulted Q again regarding something I wanted to try: sending data from a site-to-site VPN with a virtual private gateway directly to a NAT.

While I was having difficulty with the Network Load Balancer in the last post, I started to wonder what would happen if I simply sent my traffic through the VPN to an Internet location. Would it just go through the VPN to the Internet via NAT? Or do I still need something in the VPC to forward traffic?

I should have known the answer, since transitive routing was fresh in my mind when I previously worked on proxies and NAT at Capital One, but that was before the AWS NAT Gateway existed. Maybe something has changed.

After a few tries, I understood the question well (or so I thought) and got an answer that seemed reasonable. According to Q, this can be done.

First, I checked that the AWS VPC flow logs I configured in a previous article are still working so I can monitor the traffic, and they are. There is certainly a lot of noise coming from the Internet.

What I really wish is that AWS would let you create a rule to block traffic to two high ports, because one rule could eliminate pretty much all of that, but it’s a tangential thought.
