Port forwarding or port address translation (PAT) is a method of altering the destination port of traffic by using a forward proxy.
There are multiple possible reasons to use a PAT server for port forwarding. Here are just a few:
- Running multiple NAT’d servers with identical services competing for one port.
- Changing the default destination port to a more common port to bypass layer 4 firewall restrictions.
- Configuring round robin DNS where multiple port forward servers can redirect traffic to one application server.
For this tutorial we will use Redshift deployed to a private subnet in AWS as our example.
In this scenario, we are on-prem, and outbound traffic on port 5439 is blocked by the corporate firewall.
To get around this restriction, we will configure our Port Forward Server to publicly listen on port 443, and forward the incoming traffic to Redshift on port 5439. All incoming traffic will be IP whitelisted to only allowing traffic from our organizational IP addresses.
Let’s assume the following network architecture:
- A VPC configured with a 192.168.0.0/16 CIDR range.
- Two subnets configured:
- One private, with no internet access (192.168.1.0/24)
- One public, with an internet gateway configured for internet access (192.168.0.0/24)
- A Redshift cluster deployed to the private subnet which will be listening on its default port, 5439.
- A Port Forward Server appliance deployed to the public subnet will be listening on port 443. Incoming traffic will be proxied to the Redshift server in the private subnet, destined for port 5439.
- The VPC security group needs to be configured to allow:
- Inbound ports 22 and 443 from an authorized IP address
- Inbound port 5439 from the public subnet into the private subnet
- And inbound traffic from the security group itself allowing internal VPC traffic
Here is an architectural diagram of the setup we’ve just constructed:
Once the networking is configured properly, we can deploy and configure the Port Forward Server appliance.
Steps to deploy the Port Forward Server are as follows:
- Deploy the Port Forward Server appliance from the AWS marketplace into your public subnet
- SSH into the Port Forward Server
- Edit the portforward.config file with your favorite text editor
- Update the source port (SPORT), destination port (DPORT), and the destination host (DHOST)
- Save the portforward.config file
- Reboot the server
And that’s it! Your Port Forward Server should now be forwarding all incoming port 443 traffic to your Redshift cluster, deployed on your private subnet, listening on port 5439.
You can test this by connecting to your Redshift cluster by entering the public DNS of your Port Forward Server as the target host using psql:
psql -h ec2-3-89-128-232.compute-1.amazonaws.com -U testuser -d dev -p 443
As always, if you have any questions, feel free to drop us a line on our contact page.