My brain is a little bit fried trying to figure this out, but I can't seem to get private subnets to connect to the internet to grab updates, for example. Basically all I want is web access for these servers. I have tried solutions found in other posts but could easily be missing something, since I have been looking at this for quite a while.
So far I have done the following set up:
- Disable source/destination checking on my NAT instance
- Create a route table for public subnet and set its source to IGW (verified this works)
- Create a route table for private subnet and set its source to the NAT instance
- Create security group for NAT instance with inbound and outbound rules for 80/443 and ssh
- Create security group for private instance with inbound and outbound 80/443 and ssh
I am able to jump on the NAT instance via SSH and then pivot onto the private server, so I know that much is working. I have verified my rules by pinging internal addresses but when I leave the local network that is when I start having problems.
Where do I need to look or what do I need to troubleshoot to help get this narrowed down? Is there some configuration that needs to be done on the NAT instance that I have overlooked?
EDIT: Configuration update
- VPC: 172.16.0.0/16
- Private subnet: 172.16.1.0/24
- Public subnet: 172.16.0.0/24
Private subnet routing table:
Points to NAT instance in public subnet. Unable to access internet, attached EIP to public internet facing interface.
Public subnet routing table:
Points the public subnet at the IGW, I have verified internet access.
Thoughts:
I'm starting to think there is something that needs to be set up or created on the NAT instance that lives in the public subnet to forward traffic from private instances, but I'm not exactly sure what needs to be added. I found this post that explains adding a masquerade rule in iptables; is that something that applies to my situation?
Yes, you must have iptables masquerading set up on the NAT host.
iptables -A POSTROUTING -t nat -s (private-subnet/cidr) -j MASQUERADE
We have the same setup; you've done everything else correctly (disable source check, point the private subnet to the interface of the NAT instance, point the public subnet to the IGW).
Just stumbled across this having a similar problem. Assuming you used the wizard to create the NAT instance, the masquerade rule mentioned above would already be there - this is only something you need to add if you're going to "roll your own" NAT instance. (I usually do that so I can double-up on this and also make it an OpenSWAN L2TP/IPSec remote user VPN server).
What I had forgotten to add since the last time I created one of these, were rules which allow all traffic (or at least what you want to allow) from all private security groups or subnets which will route traffic via the NAT instance. The NAT instance will not accept such outbound traffic without rules to allow it - don't just think about what's coming in from the Internet to get to it. Not sure if that's your issue, as you did mention adding 22/80/443 to your NAT security group, but thought I'd suggest this for others who might have a similar problem.
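A small check/apply script for a hand-built ("roll your own") NAT instance, added here as an example and not taken from any of the answers above. It covers the two host-side pieces the answers mention, kernel forwarding and the POSTROUTING MASQUERADE rule, and assumes a Linux NAT host with iptables; the private CIDR from the question (172.16.1.0/24) is passed as an argument.

```shell
#!/bin/sh
# Hypothetical helper for a hand-built NAT instance (not from the thread).
# Usage: sh nat-check.sh check 172.16.1.0/24   (read-only report)
#        sh nat-check.sh apply 172.16.1.0/24   (enables forwarding, adds rule; needs root)

# Reject anything that is not dotted-quad/prefix, so a typo such as
# "172.16.0.0./16" is caught before it reaches iptables.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the masquerade rule from the answer above with the CIDR filled in.
masquerade_rule() {
    valid_cidr "$1" || { echo "bad CIDR: $1" >&2; return 1; }
    printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$1"
}

# Without kernel forwarding the NAT host silently drops transit traffic,
# even when the masquerade rule is present.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Is a MASQUERADE rule for this source CIDR already in the nat table?
masquerade_present() {
    iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -- "-s $1 -j MASQUERADE"
}

case "${1:-}" in
    check)
        ip_forward_enabled && echo "ip_forward: on" \
            || echo "ip_forward: OFF (run: sysctl -w net.ipv4.ip_forward=1)"
        masquerade_present "$2" && echo "masquerade: present" \
            || echo "masquerade: MISSING (run: $(masquerade_rule "$2"))"
        ;;
    apply)
        sysctl -w net.ipv4.ip_forward=1
        eval "$(masquerade_rule "$2")"
        ;;
esac
```

The security-group side from the answer above (allowing inbound traffic from the private subnet on the NAT instance) is configured in the VPC console or API, not on the host, so the script does not check it.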
I battled with this for a while, until I found this:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance
I had set up the NAT server as my own standard (Ubuntu) instance; once I used the Amazon Linux AMI and updated my routing tables, it started working.