We continue the series of reviews of AWS technologies and how to use them the right way.

Suppose we have a VPC with private subnets and we want the EC2 instances provisioned there to reach the internet to download software. However, we do not want to make those subnets public; they must stay private, meaning no route to an Internet Gateway and no public IP addresses on the instances. There are two ways to accomplish this. One is better than the other, but both give the instances outbound-only access: the instances can initiate connections out to the internet, while nothing on the internet can initiate a connection to them.

  • NAT Instance: an EC2 instance provisioned in the public subnet that forwards the private instances' traffic out to the internet. This is the older approach: it is a single instance, so it is neither highly available nor scalable, and you are responsible for patching it, sizing it and writing its security group. Imagine a large number of EC2 instances trying to reach the internet through one instance; it becomes a serious bottleneck and a single point of failure. It is still important to understand the concept, especially if you want to get certified in AWS.
  • NAT Gateway: the best way to connect instances in a private subnet to the internet. It is a managed, highly available service that, according to the AWS documentation at the time of writing, scales up to 45 Gbps. A NAT Gateway lives in a single Availability Zone and is implemented redundantly within that zone; for resilience across zones you deploy one NAT Gateway per Availability Zone and point each private subnet's route table at the gateway in its own zone, otherwise the loss of one zone takes the other zones' private subnets offline as well. The gateway software is optimized for handling NAT traffic. Note that you cannot attach a security group to a NAT Gateway; the network ACL of its subnet is the only filter you control on it.

In the following example, we have created a custom VPC with two subnets, one public and one private. The public subnet's route table has a 0.0.0.0/0 route to the Internet Gateway; the private subnet's route table has only the local VPC route, which is what keeps it private.

Figure 1 – shows the two subnets.
Figure 2 – shows the public route table with the routing to the Internet Gateway.

In our environment we have three instances running at the moment: a web server provisioned in the public subnet, a database server provisioned in the private subnet, and a bastion host running in the public subnet to reach the instances in the private subnet. Using SSH agent forwarding through the bastion I can log in to the database server, but from there I have no access to the internet. (A ProxyJump configuration, ssh -J bastion database, makes the same hop without exposing your private key to the bastion: with agent forwarding, a compromised bastion can use your key for as long as you are connected.)

Figure 3 – shows the instances in the EC2 dashboard.
Figure 4 – shows the terminal with the connection to the Database Server without internet access.

To solve the issue, we first provision a NAT Instance: navigate to the EC2 dashboard and launch a new instance. When selecting the AMI, search for "NAT" under Community AMIs and pick one of the amzn-ami-vpc-nat images. Check that the AMI owner is Amazon before using it: a community AMI published by an unknown account would see every byte of your private subnets' outbound traffic.

Figure 5 – shows the selection of the AMI for the NAT instance.
Figure 6 – shows the configuration details of the NAT instance.

The NAT instance must be deployed in the public subnet of the custom VPC and have a public (or Elastic) IP address. Once it is provisioned and running, we change the private subnet's route table so that its instances reach the internet through the NAT instance: add a 0.0.0.0/0 route whose target is the NAT instance. The NAT instance's security group must allow inbound traffic from the private subnet's CIDR (and nothing from 0.0.0.0/0 beyond the SSH access you actually need) and outbound traffic to the internet.

One fundamental step is to disable the source/destination check on the NAT instance. By default EC2 drops any packet whose source or destination is not the instance itself; a NAT instance forwards packets on behalf of other instances, so with the check enabled the route looks correct but every forwarded packet is silently discarded.

Figure 7 – shows the option to disable the check for source and destination in the NAT instance.
Figure 8 – shows the new route to the instance.

Then, to run yum update, I log in to the database server through the bastion host and execute the command.

Figure 9 – shows the successful connection to the internet to download updates.
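The NAT instance steps above (Amazon-owned NAT AMI, public subnet, restrictive security group, source/destination check disabled, private default route) written as Terraform. This is an added example, not code from the post; it assumes the AWS provider is already configured and that the VPC, its CIDR, the public subnet and the private subnet's route table exist and are passed in as the variables shown.

```hcl
# Added example (not code from the post): the NAT instance setup, as Terraform.
# Assumed inputs: an existing VPC, its CIDR, its public subnet and the
# private subnet's route table, passed in as variables.
variable "vpc_id"                 { type = string }
variable "vpc_cidr"               { type = string } # e.g. "10.0.0.0/16"; only this range may use the NAT
variable "public_subnet_id"       { type = string }
variable "private_route_table_id" { type = string }

# AWS publishes its NAT AMIs as amzn-ami-vpc-nat-*; restricting owners to
# "amazon" avoids picking up a look-alike community image from an unknown account.
data "aws_ami" "nat" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn-ami-vpc-nat-*"]
  }
}

resource "aws_security_group" "nat" {
  name        = "nat-instance"
  description = "Forward outbound traffic for the private subnets only"
  vpc_id      = var.vpc_id

  # Only hosts inside the VPC may send traffic through the NAT; nothing inbound from the internet.
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "nat" {
  ami                         = data.aws_ami.nat.id
  instance_type               = "t3.micro"
  subnet_id                   = var.public_subnet_id # must be the public subnet
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.nat.id]

  # The fundamental step from the post: without this, EC2 drops every packet
  # whose source or destination is not this instance, i.e. all forwarded traffic.
  source_dest_check = false

  tags = { Name = "nat-instance" }
}

# Private subnet default route -> the NAT instance's primary network interface.
resource "aws_route" "private_default" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_instance.nat.primary_network_interface_id
}
```

The route targets the instance's primary network interface rather than the instance ID, so it survives a stop/start of the instance. Because the ingress rule is scoped to the VPC CIDR, a scan of the NAT instance's public IP finds nothing listening for the outside world, which is the whole point of keeping the database subnet private.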

The better way to do the same is to provision a NAT Gateway. As mentioned before, a NAT Gateway is the highly available and scalable solution that AWS provides to route traffic to the internet from private subnets. You create it from the VPC dashboard: navigate to the NAT Gateways option and click “Create NAT Gateway”.

Figure 10 – shows the NAT Gateway option.

The only details you need to configure are the Subnet, which must be a public subnet (the gateway itself needs a route to the Internet Gateway), an Elastic IP to allocate to it, and Tags in case you want to add a name. The Elastic IP is the source address every private instance will appear to come from, so it is also the address to allow on any external service that restricts access by IP.

Figure 11 – shows the details of the NAT Gateway.

The last step is to configure the route: in the private route table we replace the 0.0.0.0/0 entry that pointed at the NAT instance with one that points at the NAT Gateway. Once traffic is flowing through the gateway, terminate the NAT instance rather than leaving an unpatched box with a public IP sitting in the subnet.

Figure 12 – shows the configuration of the route to the NAT Gateway.

Once the NAT Gateway is available, which can take a few minutes to provision, we can test the connection from our database server.

Figure 13 – shows the NAT Gateway available in the Dashboard.
Figure 14 – shows the connection to the internet from the Database server.
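The NAT Gateway setup from this section (public subnet, Elastic IP, private default route) written as Terraform, generalised to the layout recommended earlier: one gateway per Availability Zone, with each private subnet routed to the gateway in its own zone. This is an added example, not code from the post; it assumes the AWS provider is configured and that the VPC ID and maps of public and private subnet IDs keyed by Availability Zone name are passed in as the variables shown.

```hcl
# Added example (not code from the post): NAT Gateway egress for private subnets,
# one gateway per Availability Zone. Assumed inputs: the VPC ID and maps of
# public/private subnet IDs keyed by AZ name, e.g. { "us-east-1a" = "subnet-..." }.
variable "vpc_id"             { type = string }
variable "public_subnet_ids"  { type = map(string) }
variable "private_subnet_ids" { type = map(string) }

# One Elastic IP per gateway; this is the source address external services will see.
resource "aws_eip" "nat" {
  for_each = var.public_subnet_ids
  domain   = "vpc"
  tags     = { Name = "nat-${each.key}" }
}

# The gateway must sit in a public subnet (one with a route to the Internet Gateway).
resource "aws_nat_gateway" "this" {
  for_each          = var.public_subnet_ids
  subnet_id         = each.value
  allocation_id     = aws_eip.nat[each.key].id
  connectivity_type = "public"
  tags              = { Name = "nat-${each.key}" }
}

# A dedicated route table per private subnet, so each subnet points at the
# gateway in its own AZ and keeps working if another AZ goes down.
resource "aws_route_table" "private" {
  for_each = var.private_subnet_ids
  vpc_id   = var.vpc_id
  tags     = { Name = "private-${each.key}" }
}

# Default route -> the NAT Gateway in the same AZ. The local VPC route is
# implicit, so this is the only entry; nothing points at an Internet Gateway.
resource "aws_route" "private_default" {
  for_each               = var.private_subnet_ids
  route_table_id         = aws_route_table.private[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[each.key].id
}

resource "aws_route_table_association" "private" {
  for_each       = var.private_subnet_ids
  subnet_id      = each.value
  route_table_id = aws_route_table.private[each.key].id
}
```

The two maps must use the same Availability Zone keys; a private subnet in a zone with no public subnet fails at plan time on the aws_nat_gateway.this[each.key] lookup, which is preferable to silently routing it through another zone's gateway. Unlike the NAT instance, there is no security group to write here: inbound filtering for the gateway's subnet is done with its network ACL, and the gateway never accepts connections initiated from the internet.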
