Creating VPC with a NAT Instance

In a custom VPC, instances launched in a private subnet have no internet connectivity by default: the subnet has no route to an Internet Gateway and the instances have no public IP. In this tutorial we use a NAT instance to give every instance in the private subnet outbound internet access (for updates, package installs and so on) without making those instances reachable from the internet, since the NAT instance only forwards connections that the private hosts initiated.

Read more about NAT instances on official AWS page  https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

Prerequisites:

  1. A custom VPC with a private and a public subnet
  2. A NAT instance (created in step 2 below)
  3. EC2 instances in the private subnet to test with

1. Custom VPC with Private and Public subnet

Kindly follow this tutorial to create a VPC with Private and Public subnet.

2. Create a NAT Instance

Points to remember
  1. The NAT instance must be launched in the public subnet
  2. The NAT instance must have a public IP (an Elastic IP is better, because an auto-assigned public IP changes when the instance is stopped and started)
  3. The source/destination check must be disabled on the NAT instance, or it will drop the traffic it is supposed to forward
  4. The private subnet's route table needs a default route (0.0.0.0/0) pointing at the NAT instance

Now log in to the EC2 console and click "Launch Instance" in the EC2 Dashboard. In the launch wizard, select "Community AMIs" and search for NAT images by entering the keyword "nat" in the search box. Do not simply take the first result: the NAT instance becomes the default gateway for the whole private subnet and sees all of its traffic, so pick the image published by Amazon (owner "amazon", name beginning with "amzn-ami-vpc-nat") rather than one from an unknown account. Note also that AWS recommends NAT gateways over NAT instances for most deployments; a NAT instance is still useful for labs and low-cost setups like this one. Select the AMI and click "Select".

Now select “t2.micro” instance and click NEXT.

The NAT instance must be launched in the public subnet, that is, the subnet whose route table sends 0.0.0.0/0 to the Internet Gateway. If the NAT instance cannot reach the internet itself, nothing behind it can either.

In Step 3, select the custom VPC that you created and choose the subnet named "PublicNet". Also make sure that "Auto-assign Public IP" is set to "Enable".

Click on Next, “Add storage” , leave the settings as it is and click Next again to “Add tags“.

Now click Next to Configure Security Group (SG).  You could use existing SG or create a new one.

Let us create a new SG that allows all inbound traffic from the private subnet 10.0.2.0/24 and nothing else. The default outbound rule (allow all) is what lets the NAT instance reach the internet on behalf of those hosts, so leave it in place. In a production environment, allow only the ports the application actually needs (typically 80 and 443 outbound) and open SSH on the NAT instance only from your bastion host, never from 0.0.0.0/0.

Now “Review” everything and Launch the instance.

3. Disable Source/Destination Check

By default EC2 drops any packet whose source or destination address is not the instance's own, which is exactly what forwarded NAT traffic looks like. The check therefore has to be turned off on the NAT instance (and only on the NAT instance; leave it enabled everywhere else).

Once the NAT instance is ready, select it and under the "Actions" menu click "Networking", then "Change Source/Dest. Check".

In the "Enable Source/Destination Check for the instance" pop-up window, click the "Yes, Disable" button.

4. Create new Route table for Private subnet

In the VPC console, select "Route tables" from the sidebar and click "Create route table". Select your custom VPC from the dropdown, tag it with a name (this tutorial uses "PrivateRT") and click "Yes, Create". Do not add the NAT route to the main route table or to the public subnet's table: only the private subnet should send its default route through the NAT instance.

Once the route table is created, click "Edit" to add a route to our NAT instance.

Add the entry below and click "Save":

  Destination: 0.0.0.0/0
  Target: the NAT instance ID

5. Associate with Subnet

In the same window, associate the newly created route table "PrivateRT" with the private subnet "PrivateNet". A subnet is associated with exactly one route table, so this replaces the subnet's implicit association with the VPC's main route table.

Select the "Subnet Associations" tab and click "Edit".

Select the "PrivateNet" subnet and click "Save".

6. Verify

SSH into your instance in the private subnet through an instance in the public subnet that has a public IP (a bastion/jump host). Use ProxyJump (ssh -J bastion private-host) or agent forwarding (ssh -A) so that the private key never has to be copied onto the bastion. Then ping an external domain and see if it responds.

If ping gets replies, the NAT path works: ICMP is forwarded like any other traffic, so a reply also confirms that the security group and the route table are correct. You may now run system updates, install packages and patch the private instances. They still accept no inbound connections from the internet, because the NAT instance only forwards traffic that the private hosts initiated.
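The console steps in sections 2 to 6 as one AWS CLI script, added here as an example; it is not part of the original tutorial. It assumes the AWS CLI is installed and configured with credentials, that the VPC_ID, PUBLIC_SUBNET_ID and PRIVATE_SUBNET_ID defaults below (placeholder IDs) are replaced with your own "PublicNet" and "PrivateNet" subnets, and that the private subnet is 10.0.2.0/24 as on this page. Unlike the console walkthrough it pins the AMI to the Amazon-owned NAT image and verifies afterwards that the source/destination check really is off.

```shell
#!/bin/sh
# Added example, not from the original tutorial. IDs below are placeholders:
# export VPC_ID, PUBLIC_SUBNET_ID and PRIVATE_SUBNET_ID before running.
set -eu

VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                       # placeholder
PUBLIC_SUBNET_ID="${PUBLIC_SUBNET_ID:-subnet-0aaaaaaaaaaaaaaaa}" # "PublicNet", placeholder
PRIVATE_SUBNET_ID="${PRIVATE_SUBNET_ID:-subnet-0bbbbbbbbbbbbbbbb}" # "PrivateNet", placeholder
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.2.0/24}"                      # private subnet from the tutorial

# Step 2: resolve the newest Amazon-owned NAT AMI instead of trusting whatever
# community image sorts first in the console search.
latest_nat_ami() {
  aws ec2 describe-images --owners amazon \
    --filters "Name=name,Values=amzn-ami-vpc-nat-*" "Name=state,Values=available" \
    --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text
}

# Step 2: security group that admits traffic from the private subnet only.
# Outbound stays at the default allow-all; that is what lets the NAT reach the internet.
create_nat_sg() {
  sg=$(aws ec2 create-security-group --group-name nat-sg \
        --description "NAT instance: forwards traffic for the private subnet" \
        --vpc-id "$VPC_ID" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
    --protocol -1 --cidr "$PRIVATE_CIDR" >/dev/null
  echo "$sg"
}

# Step 2: launch in the public subnet with a public IP.  $1 = AMI id, $2 = SG id
launch_nat_instance() {
  aws ec2 run-instances --image-id "$1" --instance-type t2.micro \
    --subnet-id "$PUBLIC_SUBNET_ID" --security-group-ids "$2" \
    --associate-public-ip-address \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=nat-instance}]' \
    --query 'Instances[0].InstanceId' --output text
}

# Step 3: without this EC2 drops every packet whose source or destination is not
# the instance's own address, i.e. all the traffic a NAT forwards.
disable_source_dest_check() {
  aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Steps 4 and 5: new route table, default route via the NAT instance, bound to PrivateNet.
# The main/public route table is left untouched.  $1 = NAT instance id
create_private_route_table() {
  rt=$(aws ec2 create-route-table --vpc-id "$VPC_ID" \
        --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=PrivateRT}]' \
        --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --route-table-id "$rt" \
    --destination-cidr-block 0.0.0.0/0 --instance-id "$1" >/dev/null
  aws ec2 associate-route-table --route-table-id "$rt" \
    --subnet-id "$PRIVATE_SUBNET_ID" >/dev/null
  echo "$rt"
}

# Step 6 (control-plane half of the check): succeeds only if the attribute is really off.
source_dest_check_disabled() {
  v=$(aws ec2 describe-instance-attribute --instance-id "$1" \
        --attribute sourceDestCheck --query SourceDestCheck.Value --output text)
  [ "$v" = "False" ]
}

main() {
  ami=$(latest_nat_ami)
  sg=$(create_nat_sg)
  nat=$(launch_nat_instance "$ami" "$sg")
  aws ec2 wait instance-running --instance-ids "$nat"
  disable_source_dest_check "$nat"
  rt=$(create_private_route_table "$nat")
  source_dest_check_disabled "$nat" || { echo "source/dest check still enabled on $nat" >&2; exit 1; }
  echo "NAT instance $nat (AMI $ami, SG $sg) is the default route of $rt"
}

# Only act when explicitly asked, so the functions can be sourced or tested without credentials.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Save the script and run it with the single argument apply; without it the file only defines the functions. The data-plane check from section 6 (ping from a private instance through the bastion) is still needed afterwards, since a correct attribute and route table do not prove that the security group lets the traffic through.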

Please comment if you face any difficulty  in setting up NAT instance.
