We continue with the series of reviews of the different technologies of AWS and how to use them in the right way.
In the case we have a VPC with private subnets, we want the EC2 instances that are provisioned there to have access to internet to download software. However, we don’t want to make our subnets publics, we still want to have them under a private configuration. There is two ways to accomplish this and one is better than the other, but both accomplish what we are looking for.
- NAT Instance: It is an EC2 instance that is provisioned in the public subnet and works as the way out to the internet. This approach is old and is not highly available and scalable. Imagine if you have a large number of EC2 instances trying to access the internet. It will become a serious bottleneck. However, it is important to understand the concept, in case you would like to get certified in AWS.
- NAT Gateway: It is the best way to connect instances in a private subnet to the internet. It is highly available and can scale up to 45 Gbps according to AWS documentation. NAT Gateways can be deployed in each availability zone and they are implemented with redundancy. Moreover, the software is optimized for handling NAT traffic.
In the following example, we have created a custom VPC with two subnets, one public and another private. The public one has in its route table a connection to the Internet Gateway.


In our environment we have three instances running at the moment: one web server provisioned in the public subnet, a database server provisioned in the private subnet and a bastion host to access the private instances in the private subnet, running in the public subnet. SSH forwarding I can login to the Database server, but I don’t have access to the internet.


To solve the issue, we need to provision a NAT Instance, so we need to navigate to the EC2 dashboard and launch a new instance. When selecting the AMI, we need to search for NAT and select any of the communities AMIs.


The NAT instance must be deployed in the public subnet of the custom VPC. Once it is provisioned and running, we need to change the routing table so that the instances in the private subnet can access internet through the NAT instance.
One fundamental step is to disable the source and destination check in the NAT instance.


Then, if I would like to perform the yum update, I can login to the database server through my bastion host and then execute the command.

The best way to do the same is to provision a NAT Gateway. As I mentioned before, NAT gateway is highly available and scalable solution that AWS provides to route traffic to the internet from private subnets. It is possible to do it from the VPC dashboard. Navigate to the NAT Gateway option and click “Create NAT Gateway”.

The only details you need to configure are Subnet, an Elastic IP and Tags in case you want to add a name.

The last step is to configure the route, we need to change the entry for the NAT instance and instead point to the NAT Gateway.

Once, the NAT Gateway is available, it can take few minutes to provision, we can test the connection from our Database server.

