In Custom VPC, instances created in Private Subnet will not have internet connectivity by default. In this tutorial we will learn how to use NAT instance to enable Internet for all the instances created in Private subnet.
Read more about NAT instances on official AWS page https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Prerequisites:
- Custom VPC with Private and Public subnet
- A NAT instance
- EC2 Instances
1. Custom VPC with Private and Public subnet
Kindly follow this tutorial to create a VPC with Private and Public subnet.
2. Create a NAT Instance
Points to remember
- NAT instance should be launched from Public Subnet
- NAT instance should have Public IP
- Add a route from Private subnet to NAT instance
Now login to EC2 console and click “Launch Instance” in EC2 Dashboard. In EC2 launch wizard, select “Community AMI’s” and search for NAT instances by entering keyword “nat” in the search box. Select the first search result and then click “Select”.
Now select “t2.micro” instance and click NEXT.
We should launch NAT instance in Public subnet to make the instances created in private subnet are internet accessible.
In Step 3, select the custom VPC that you have created and choose subnet with name “PublicNet“. Also make sure that “Auto-assign Public IP” is in “enable” state.
Click on Next, “Add storage” , leave the settings as it is and click Next again to “Add tags“.
Now click Next to Configure Security Group (SG). You could use existing SG or create a new one.
Let us create a new SG that will “Allow” all traffic from Private subnet 10.0.2.0/24. In production environment, it is recommended to allow only specific ports that are required by the application.
Now “Review” everything and Launch the instance.
3. Disable Source/Destination Check
Once the NAT instance is ready, select it and click “Networking” under “Actions” menu.
In ” Enable Source/Destination Check for the instance” pop up window, click “Yes,disable” button.
4. Create new Route table for Private subnet
In VPC console, select “Route tables” from side bar and click “Create route table“. Select your custom VPC from dropdown and tag a name. Finally, click “Yes, Create” button.
Once the route table is created, click “Edit” route table to add a route to our NAT instance
Add entries as given below and click “Save”
Destination: 0.0.0.0/0
Target: NAT instance ID
5. Associate with Subnet
In the same window, we need to associate our newly created Private route table “PrivateRT” with Private subnet “PrivateNet“.
Select “Subnet Association” tab and click “Edit”
Select “PrivateNet” Subnet and click “Save”
6. Verify
SSH into your instance in Private subnet via instance in Public subnet that has publicly accessible IP (Bastion host/ Jump host servers normally). Then try PING any external domain and see if it responds.
As you can see, It is responding to PING! You may now perform system update, install, patch etc.
Please comment if you face any difficulty in setting up NAT instance.
