really great presentation but I have a question. at about 59:30, you say the return traffic from Internet and the IGW does not go thru the NAT GTWY. how is that possible since the DST IP of the return pkt is the NAT IP, not the original instance IP???
You are right about it. You don't need to specify the return routes at the IGW route table since it communicates with the NATGW and not directly with the spoke instances (As you mentioned, NATGW IP is "hiding" resources IPs behind it). Plus, it's not even possible to add routes with destinations outside the VPC in the IGW route table. I tried many times to do it and kept getting errors: "Route table contains unsupported route destination. The unsupported route destination is less specific than or non-overlapping with VPC local CIDR". Thanks to your question, I realised that, indeed, I don't need to specify return routes in the IGW route table because it communicates directly with the NATGW. I'd however need return routes to my spokes (VPC-A in the diagram) on the NATGW route table (or to be more precise: the route table of the subnet in which the NATGW is deployed) and ... voila. This worked for me and I think that's what he meant to say. I know I am a year late but hopefully this answers your question. I'm open to further discussion. Cheers
![AWS re:Invent 2019: [REPEAT] Baking the best security layer cake (ARC337-R)](http://i.ytimg.com/vi/CM3_2HeMcKA/mqdefault.jpg)
![AWS re:Invent 2019: [REPEAT] Baking the best security layer cake (ARC337-R)](/img/tr.png)
Thanks, a good overview of VPC state of the art and well presented
Have to watch Jan 27 2020?? Must watch
really great presentation but I have a question. at about 59:30, you say the return traffic from Internet and the IGW does not go thru the NAT GTWY. how is that possible since the DST IP of the return pkt is the NAT IP, not the original instance IP???
You are right about it. You don't need to specify the return routes at the IGW route table since it communicates with the NATGW and not directly with the spoke instances (As you mentioned, NATGW IP is "hiding" resources IPs behind it).
Plus, it's not even possible to add routes with destinations outside the VPC in the IGW route table. I tried many times to do it and kept getting errors: "Route table contains unsupported route destination. The unsupported route destination is less specific than or non-overlapping with VPC local CIDR".
Thanks to your question, I realised that, indeed, I don't need to specify return routes in the IGW route table because it communicates directly with the NATGW. I'd however need return routes to my spokes (VPC-A in the diagram) on the NATGW route table (or to be more precise: the route table of the subnet in which the NATGW is deployed) and ... voila. This worked for me and I think that's what he meant to say.
I know I am a year late but hopefully this answers your question. I'm open to further discussion.
Cheers