...
Access to the Internet from private VPC subnets or a guest system with only private IP addresses:
Private VPC subnets can reach the Internet through a gateway instance that provides VPN access to the customer network and allows Internet access via that path. Alternatively, a NAT gateway can be used; the NAT gateway can be implemented on a Charon host system or provided by AWS for a charge.
...
This is not recommended as a standard solution for security reasons. Should it be required, two interfaces with public IP addresses can be assigned to the Charon host. One of these interfaces is then dedicated to the guest system, which uses the private address assigned to that interface by AWS and the MAC address of the interface assigned to the Charon host (similar to point 2 in section Host to Guest Communication Considerations above).
Using a Charon host system as a Router
If a Charon host system is to be used as a router (for example, as shown in Example of a More Complex Network Configuration, or to provide Internet connectivity to other Charon host and guest systems), it is not sufficient to configure Linux for IP forwarding.
The following setting also has to be made on the Charon host instance via the AWS management console:
For each interface, the source/destination check has to be disabled. Unless this is configured correctly, traffic from and to an AWS instance is only allowed if either the source or the destination address belongs to the instance; transit traffic that the router is supposed to forward would be discarded.
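The host-side and AWS-side steps described above (IPv4 forwarding on Linux, source/destination check disabled on every interface, and a NAT rule for the case where the Charon host also serves as the NAT gateway mentioned earlier) collected into one POSIX shell script, as an added example that is not part of this documentation or of the Charon product. It uses the AWS CLI rather than the management console the text describes (the same `sourceDestCheck` attribute is changed), assumes the CLI is installed with permission to modify network interface attributes, and the ENI IDs and outbound interface name are constructed placeholders to be replaced. Without `--apply` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: prepare a Charon host EC2 instance to forward (and NAT) traffic
# for other instances and guest systems. Not Stromasys code.
# Assumptions: AWS CLI present and authorized; ENI IDs below are constructed placeholders.

# Constructed placeholders: replace with the ENI IDs of the Charon host's interfaces.
ENIS="eni-0a1b2c3d4e5f60718 eni-0b1c2d3e4f5a60819"
# Interface that carries traffic toward the Internet (used for the NAT rule only).
WAN_IF="eth0"

# Execute a command, or only print it when DRY_RUN=1 (the default).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Accept only values that look like an ENI id before passing them to the CLI.
valid_eni() {
    case "$1" in
        eni-[0-9a-f]*) return 0 ;;
        *) return 1 ;;
    esac
}

# AWS side: turn off the source/destination check so transit traffic is not dropped.
disable_source_dest_check() {
    eni="$1"
    valid_eni "$eni" || { echo "not an ENI id: $eni" >&2; return 1; }
    run aws ec2 modify-network-interface-attribute \
        --network-interface-id "$eni" --no-source-dest-check
}

# Read the attribute back; "False" means the check is disabled for this interface.
verify_source_dest_check() {
    aws ec2 describe-network-interface-attribute --network-interface-id "$1" \
        --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text
}

# Linux side: enable IPv4 forwarding now and persistently across reboots.
enable_ip_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c 'printf "net.ipv4.ip_forward = 1\n" > /etc/sysctl.d/99-charon-router.conf'
}

# Optional NAT role: masquerade traffic leaving through the Internet-facing interface.
enable_nat() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

main() {
    for eni in $ENIS; do
        disable_source_dest_check "$eni"
    done
    enable_ip_forwarding
    enable_nat
}

# Only change anything when explicitly asked; otherwise show the planned commands.
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
main
```

After `--apply`, run `verify_source_dest_check <eni-id>` for each interface and confirm it prints `False`; a remaining `True` is the usual reason a Charon host that forwards packets correctly on Linux still never sees its transit traffic delivered.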
Guest to Guest Layer 2 Communication Considerations
...