LAN gossip via NAT (EC2)

I’m running a Consul cluster in EC2 with agents also in EC2 - all works great. This is federated with a few “regions” via WAN gossip over VPC Peering and that also works great.

I have some physical servers in each “region” that I’d like to run consul agents on - effectively as LAN members of the local region. I’m able to open up the AWS security group for this but since EC2 instances are NAT’d I’m not sure how to make this work.

                       NAT                                           
┌────────┐             ┌─┐                           ┌────────┐
│        │             │ │                           │        │
│    EC2 o eth0        │ │ Public IP            eth0 o    Phys│
│     VM │ 192.0.2.1   │ │ 52.a.b.c        203.a.b.c │        │
└────────┘             └─┘                           └────────┘

I need a consul agent running on Phys to be able to LAN peer with a Consul server running on the EC2 instance.

It’s working today via a VPN so that all the hosts have IPs that are directly reachable but that’s messy and I’d much rather do it direct. Is it possible?

Bump :crossed_fingers:

Hi @ccakes,

Consul’s Gossip protocol does not support NAT traversal. Nodes need to be directly reachable from other nodes so that servers can initiate connections to clients & vice versa.

Using a VPN as you have done is the correct approach to enable communication to hosts behind NAT.
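As an added illustration of the point in the reply above (this is example code written for this page, not part of the thread and not a Consul tool): Consul's LAN gossip (Serf LAN, TCP and UDP 8301 by default) only works if every member can reach every other member at the address that member advertises, in both directions. The script below runs a reachability probe over every ordered pair of members and reports pairs where either direction fails. The real probe is a TCP connect; the two model probes are constructed stand-ins for the diagram in the question (192.0.2.1 is the EC2 private address, 203.0.113.1 stands in for the physical host's public address, 10.8.0.0/24 stands in for the VPN) so the check can be run offline.

```python
"""Two-way reachability check for Consul's LAN gossip port.

Added example for this thread, not Consul's own code. Gossip needs every
member to reach every other member at its advertised address, so the check
probes both directions of each pair and lists the pairs that fail.
"""
import socket
from itertools import permutations

SERF_LAN_PORT = 8301  # Consul default Serf LAN port (TCP and UDP)


def probe_tcp(src, dst, port=SERF_LAN_PORT, timeout=2.0):
    """Real probe: TCP connect to dst:port from the host running this script.

    `src` is informational (the kernel picks the source address); to get the
    "both directions" result for real, run the script on each host in turn.
    """
    try:
        with socket.create_connection((dst, port), timeout=timeout):
            return True
    except OSError:
        return False


def mutual_reachability(members, probe=probe_tcp):
    """members: dict of node name -> advertised address.

    Returns {(a, b): bool} for every ordered pair, i.e. whether a can reach b.
    """
    return {(a, b): probe(members[a], members[b])
            for a, b in permutations(members, 2)}


def broken_pairs(results):
    """Unordered pairs where at least one direction fails (gossip needs both)."""
    bad = set()
    for (a, b), _ in results.items():
        if not (results[(a, b)] and results[(b, a)]):
            bad.add(tuple(sorted((a, b))))
    return sorted(bad)


# --- constructed topology models (not real networks) ---------------------

# Members as in the question: EC2 server + EC2 agent advertise VPC-private
# addresses; the physical host advertises its public address.
NAT_MEMBERS = {
    "ec2-server": "192.0.2.1",
    "ec2-agent": "192.0.2.2",
    "phys": "203.0.113.1",
}

# Same hosts once every one of them has an address on a shared VPN.
VPN_MEMBERS = {
    "ec2-server": "10.8.0.1",
    "ec2-agent": "10.8.0.2",
    "phys": "10.8.0.3",
}


def nat_model_probe(src, dst):
    """Model of the diagram: EC2 instances can reach anything outbound via NAT,
    but only other in-VPC hosts can reach a VPC-private address."""
    private_vpc = set(v for v in NAT_MEMBERS.values() if v.startswith("192.0.2."))
    if dst in private_vpc:
        return src in private_vpc
    return True


def vpn_model_probe(src, dst):
    """Model of the VPN case: every member's VPN address is reachable from all."""
    return dst.startswith("10.8.0.")


def demo():
    """Returns (broken pairs with NAT, broken pairs with VPN)."""
    nat = broken_pairs(mutual_reachability(NAT_MEMBERS, nat_model_probe))
    vpn = broken_pairs(mutual_reachability(VPN_MEMBERS, vpn_model_probe))
    return nat, vpn


if __name__ == "__main__":
    nat, vpn = demo()
    print("NAT topology, pairs without two-way reachability:", nat)
    print("VPN topology, pairs without two-way reachability:", vpn)
```

With the NAT model the EC2 hosts can open connections to the physical host, but the physical host cannot reach the address the EC2 members advertise, so both EC2-to-phys pairs are reported as broken; with every member on the VPN no pair is reported. To run the real probe instead of the models, pass `probe_tcp` (the default) to `mutual_reachability` on each host and also confirm UDP 8301 in the security group, since Serf uses UDP for gossip as well as TCP.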