When you launch any instance into a private subnet in the Amazon Virtual Private Cloud (VPC), it will not be able to communicate, by default, with the internet through an Internet Gateway (IGW). This becomes an issue especially if the instances in the private subnets require direct access to the internet from the Amazon VPC to update application software, download patches, or apply security updates.
AWS provides two options to solve this problem: NAT instances and NAT Gateways. Both allow instances deployed in private subnets to reach the internet.
A NAT Instance is an Amazon Linux Amazon Machine Image (AMI) that is designed specifically to accept traffic from instances in a private subnet, translate the source IP address to the public IP address of the NAT instance, and then forward the traffic to the Internet Gateway.
Here’s what you must do to allow instances internet access through the IGW via NAT Instances.
Lab Infra Introduction
In my lab I created 2 subnets under Test VPC (IPv4 CIDR 10.0.0.0/16). One is a public subnet that is directly connected to the internet via the Internet Gateway, and the other is a private subnet that has no access to the internet.
Public Subnet: 10.0.1.0/24
Route Table (Connected to Internet Gateway)
Private Subnet: 10.0.2.0/24
I deployed two Amazon Linux Instances here. One is on the public subnet and the other is on the private subnet.
Instance properties deployed on the public subnet
Then I connected to this instance and was able to update all installed packages using yum (which reaches the public repository over the internet).
Properties of the instance created in the private subnet
When I tried to update the packages using yum, the error below occurred because the instance was unable to connect to the public repository.
Deploying NAT instance:
Navigate to EC2 -> Instances -> Launch instance -> Community AMIs and select the first NAT AMI listed.
Select it and choose the remaining options as per your requirements. Make sure that you select the public subnet in your VPC.
Also, make sure that the required ports are open in the security group attached to the NAT instance. In this example, I allowed HTTP/HTTPS so the private instances can pull patches from the repository.
Once the NAT instance is deployed successfully, go to the route table associated with your private subnet. Here, the private subnet is associated with the route table below.
I created a route in that route table with the NAT instance as the target. It forwards traffic from the private subnet to the outside via the NAT instance.
Before checking the connectivity from the private subnet, we must disable the source/destination check, because each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not the instance itself. Therefore, you must disable source/destination checks on the NAT instance.
How to disable Source/Destination Checks?
Select the NAT instance and then navigate to Actions -> Networking -> Change source/destination check. Click Yes to disable it.
Now if I try to install or update the package using yum, the process is successful.
A NAT Gateway is designed to operate just like a NAT instance. However, it is simpler than a NAT instance due to its ease of management and high availability within an Availability Zone. Here’s how to deploy a NAT Gateway.
Deploying NAT Gateway:
Navigate to VPC -> NAT Gateways -> Create NAT Gateway
Click on Create NAT Gateway and you will get the widget below. Select the public subnet.
Click on Create New EIP, which allocates an Elastic IP address for the gateway automatically.
Make sure that the Gateway is active before you modify the routing. It takes approximately 2-3 minutes.
Now go to the route table associated with your private subnet, edit it, and create a new route with the NAT Gateway as the target. After that you will be able to connect to the external environment.
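Both procedures above (NAT instance and NAT Gateway) succeed or fail on the same handful of conditions: a default route in the private subnet's route table, the NAT instance's source/destination check and security group, or the NAT Gateway's state. The following is an added Python example, not code from the original post, that walks those conditions over constructed data shaped like the EC2 describe-* API responses; the subnet, route table, instance, security group and gateway identifiers and addresses are made up for the example.

```python
import ipaddress

LAB = {  # constructed lab data in EC2 describe-* response shape (not real AWS output)
    "subnets": {"subnet-pub": "rtb-pub", "subnet-priv": "rtb-priv"},  # subnet -> associated route table
    "route_tables": {
        "rtb-pub": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-lab", "State": "active"}],
        "rtb-priv": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    "instances": {
        "i-priv": {"SubnetId": "subnet-priv", "PrivateIp": "10.0.2.10", "SourceDestCheck": True, "SecurityGroups": []},
        "i-nat": {"SubnetId": "subnet-pub", "PrivateIp": "10.0.1.5", "PublicIp": "203.0.113.7",
                  "SourceDestCheck": True, "SecurityGroups": ["sg-nat"]}},
    "security_groups": {"sg-nat": [  # IpPermissions: HTTP and HTTPS inbound from the private subnet only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.2.0/24"}]}]},
    "nat_gateways": {"nat-lab": {"State": "pending"}},  # just created, not yet 'available'
}

def _route_for(routes, dst_ip):  # longest-prefix match over active routes, as the VPC router does
    dst = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes
            if r.get("State", "active") == "active" and dst in ipaddress.ip_network(r["DestinationCidrBlock"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen, default=None)

def _sg_allows(vpc, inst, port, src_ip):  # does any attached security group permit inbound TCP port from src_ip?
    src = ipaddress.ip_address(src_ip)
    return any(p["IpProtocol"] in ("tcp", "-1") and p.get("FromPort", 0) <= port <= p.get("ToPort", 65535)
               and any(src in ipaddress.ip_network(r["CidrIp"]) for r in p["IpRanges"])
               for sg in inst["SecurityGroups"] for p in vpc["security_groups"][sg])

def egress_problems(vpc, inst_id, dst_ip="198.51.100.20", port=443, via_nat=False):
    """List the reasons inst_id cannot reach dst_ip:port on the internet; an empty list means the path is complete."""
    inst = vpc["instances"][inst_id]
    rt_id = vpc["subnets"][inst["SubnetId"]]
    route = _route_for(vpc["route_tables"][rt_id], dst_ip)
    if route is None:  # the private route table in the post, before the NAT route was added
        return [f"{inst_id}: {rt_id} has no route covering {dst_ip}"]
    if route.get("GatewayId", "").startswith("igw-"):  # the public subnet: a direct IGW route needs a public IP
        return [] if inst.get("PublicIp") else [f"{inst_id}: routed to the IGW but has no public IP"]
    if "NatGatewayId" in route:  # managed NAT gateway: only its state matters
        state = vpc["nat_gateways"][route["NatGatewayId"]]["State"]
        return [] if state == "available" else [f"{route['NatGatewayId']}: state is '{state}', not 'available'"]
    if "InstanceId" in route and not via_nat:  # NAT instance: check it, then follow its own route to the IGW
        nat_id, nat, out = route["InstanceId"], vpc["instances"][route["InstanceId"]], []
        if nat["SourceDestCheck"]:
            out.append(f"{nat_id}: source/destination check is still enabled")
        if not _sg_allows(vpc, nat, port, inst["PrivateIp"]):
            out.append(f"{nat_id}: security group does not allow tcp/{port} from {inst['PrivateIp']}")
        return out + egress_problems(vpc, nat_id, dst_ip, port, via_nat=True)
    return [f"{inst_id}: unsupported or looping route target {route}"]
```

Feeding the same checks real `describe_route_tables`, `describe_instances`, `describe_security_groups` and `describe_nat_gateways` output is a quick way to confirm a private subnet's egress path after each step, instead of discovering a forgotten source/destination check only when yum times out.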
To learn about the differences between NAT Gateways and NAT Instances, refer to the link below: