Home / server / Questions / 963233
Accepted
MacUsers
Asked: 2019-04-16 23:09:15 +0800 CST

AWS: Outbound only connectivity from a private subnet

  • 772

I'm sure this question was asked before and there a number of documentations from AWS but it seems not working for me. But cannot find a straight answer to my question, so asking here again.

I have a bunch of EC2 instances in the private subnet, where I don't need and in-comning connectivity from internet but need outgoing for apt-get update etc. So, if I do the followings:

  1. Create a subnet and an EIP
  2. then create a NAT gateway, utilizing those two
  3. then create a route-table with:
    1. destination 0.0.0.0/0 => NAT-Gateway (target)
    2. associate the subnet (above)
  4. spin up instances in the above subnet

should give that instance the outbound only connectivity? Anything I'm missing or doing wrong here? Thanks in advance!!

-S

amazon-web-services

1 Answers

  1. Best Answer

    It's close but not quite correct :)

    To make it work you need two subnets and two route tables.

    1. Public subnet

      • has IGW - Internet Gateway and optionally NAT Gateway
      • 0.0.0.0/0 points to the IGW (not to the NAT gateway!)
      • hosts (EC2 instances, NAT Gateway) must have public IP or elastic IP attached as they go directly to the internet
      • hosts can be contacted from the internet on this public/elastic IP (if Security Group permits)

    2. Private subnet

      • has no IGW or NAT (because your NAT GW is in the public subnet!)
      • the 0.0.0.0/0 points to the NAT in the public subnet above
      • hosts only have private IP and all outbound access is "masked" to the NAT gateway IP
      • hosts can initiate connections to the internet but can't be contacted from outside as they are "hidden" behind the NAT (Network Address Translation gateway).
      • without NAT configured hosts won't have internet access

    Hope that explains it :)

    • 4