Forward connections to public servers



I have a VyOS EC2 instance in AWS with a public IP via an IGW. What I want to do is take incoming requests for a set of ports, then use destination NAT to “forward” the traffic to a group of servers with public IPs. The idea is to be able to perform failover from the main server to the backup without changing DNS.

client -> VyOS public IP -> Server Public IP

The server and backup are located in two datacenters because it was cheaper than putting them on AWS.

The current setup I use is using Destination NAT from the VyOS public IP through a VPN tunnel to the internal IP of the server. I would like to accomplish this without the tunnel as the service provides its own encryption.

Configuration that works using two interfaces, and a route to the server's internal IP through an AWS VPG:

vyos@VyOS-AMI# show nat
destination {
    rule 200 {
        description "Horizon Test"
        destination {
            port 80,443,4172,8443
        }
        inbound-interface eth0
        protocol tcp_udp
        translation {
            address
        }
    }
}
source {
    rule 100 {
        outbound-interface eth1
        protocol all
        translation {
            address masquerade
        }
    }
}
[edit]

Config using the public IP that does not work:

vyos@VyOS-AMI# show nat
destination {
    rule 200 {
        description "Horizon Test"
        destination {
            port 80,443,4172,8443
        }
        inbound-interface eth0
        protocol tcp_udp
        source {
            address !
        }
        translation {
            address
        }
    }
}
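Added example, not taken from the post above: a VyOS configuration (1.2-style set commands) for the single-interface case, where both the forwarded request and its reply must cross eth0. Everything below is assumed: 10.0.0.10 stands for the private address on the instance's eth0 (the IGW maps the public IP to it 1:1, so that is the address the DNAT rule actually sees), 198.51.100.20 for the primary server's public IP and 198.51.100.30 for the backup. The point it shows is that forwarding to a public backend needs a matching source NAT rule on the same interface: without it, the datacenter server answers the client directly from its own address, that reply never passes VyOS, and the client discards a response from an address it never contacted.

```vyos
# Added example, not the poster's configuration. All addresses are placeholders.
#   10.0.0.10      private address of eth0 on the VyOS instance (assumed)
#   198.51.100.20  public IP of the primary server (assumed)
#   198.51.100.30  public IP of the backup server (assumed)

# Destination NAT: rewrite the service ports arriving on eth0 to the primary server.
# Matching the instance's own address keeps the rule from translating any other
# traffic that enters eth0 on the same ports.
set nat destination rule 200 description 'Horizon: forward to primary'
set nat destination rule 200 inbound-interface 'eth0'
set nat destination rule 200 destination address '10.0.0.10'
set nat destination rule 200 destination port '80,443,4172,8443'
set nat destination rule 200 protocol 'tcp_udp'
set nat destination rule 200 translation address '198.51.100.20'

# Source NAT for the forwarded flows only, so the server's replies come back
# through VyOS and are un-translated by the conntrack entry created above.
# Masquerade uses eth0's private address; the IGW maps it to the public IP again.
set nat source rule 100 description 'Horizon: return path via VyOS'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 destination address '198.51.100.20'
set nat source rule 100 destination port '80,443,4172,8443'
set nat source rule 100 protocol 'tcp_udp'
set nat source rule 100 translation address 'masquerade'

commit
save

# Failover to the backup without touching DNS: retarget both rules together,
# otherwise the DNAT goes to the backup while the SNAT rule no longer matches.
# set nat destination rule 200 translation address '198.51.100.30'
# set nat source rule 100 destination address '198.51.100.30'
# commit
```

After a commit, `show nat destination translations` and `show nat source translations` in operational mode list the active entries, which makes it easy to confirm that a test connection appears in both tables. Two consequences of the masquerade are worth planning for: the backend now sees every client as the VyOS instance, so its own logs, per-client rate limits and allow-lists lose the real client address, and the VyOS instance becomes the single ingress point for the service, so its security group should admit only the forwarded ports. The service's own encryption protects the payload in transit, but it does not replace the tunnel's role of keeping the backend unreachable from the open Internet; with public backends, the servers must enforce their own access control.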