Configure a VPC with Public & Private Subnets and Secure your Network using NAT Gateway


What is a NAT Gateway?

  • Consider a scenario where EC2 instances in the private subnets of a virtual private cloud (VPC) need to reach the internet securely, for example to install security updates or download packages.
  • This is where a NAT Gateway comes into the picture. A NAT Gateway is a Network Address Translation (NAT) service that allows EC2 instances in private subnets to connect to the internet, but prevents the internet from initiating a connection to those instances.
  • The configuration of a NAT Gateway requires:
    1. A VPC with at least two subnets.
    2. An instance in each subnet: at least one public instance in one subnet and a private instance in another subnet.
    3. A NAT Gateway, with an Elastic IP address associated with it, inside the subnet that holds the public instance.
    4. A custom Route Table associated with the subnet that holds the private instance.
    5. A route to the internet (0.0.0.0/0) that goes through the NAT Gateway, inside the custom Route Table.

Now let us look at the detailed steps to configure a NAT Gateway.

Configure NAT Gateway –

  1. From the VPC option in your AWS account, create one VPC with the 192.168.10.0/24 CIDR network. (Refer to Create custom VPC in AWS for the steps in detail.)

    Figure 1 : VPC with 192.168.10.0/24 network

  2. Create 2 subnets, Subnet 1 and Subnet 2, inside the custom VPC created, i.e. My-VPC. (Refer to How to launch EC2 Instances inside Custom VPC and SSH into Public and Private Instances for the steps in detail.)

    Figure 2 : Two Subnets inside custom VPC

    Once the subnets are created, create an Internet Gateway and attach it to the custom VPC. Also add the route to the internet (0.0.0.0/0) inside the Route Table that was created for our custom VPC, i.e. My-VPC.

  3. Create one public instance named Webserver inside Subnet 1 and one private instance named DB_Server inside Subnet 2.

    Figure 3 : Public Instance created within Subnet 1

    Figure 4 : Private Instance created within Subnet 2

  4. Now we have to create an Elastic IP address. Go to the Elastic IPs option and click on Allocate Elastic IP address.

    Figure 5 : Elastic IPs option in AWS

    Click on Allocate, and an Elastic IP address will be allocated.

    Figure 6 : Allocate Elastic IP address

  5. Go to NAT Gateways and click on the Create NAT Gateway button to create a NAT Gateway.
    From the two subnets above, select the subnet inside which the public instance is created (Subnet 1 here) and assign the Elastic IP address we already created.

    Figure 7 : NAT Gateway

  6. Create a custom Route Table named Custom RT and associate the subnet having the private instance, i.e. DB_Server. So now Webserver is associated with the main route table and DB_Server with Custom RT.

    Figure 8 : Custom Route Table with private subnet association

    Figure 9 : Edit Subnet Association

  7. Add an internet route (0.0.0.0/0) through the NAT Gateway inside the custom Route Table.

    Figure 10 : Internet route through NAT Gateway
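As an added check that is not part of the original article, the following Python script audits a VPC's route tables against the requirements listed above: it resolves each subnet's effective route table the way AWS does (explicit association, otherwise the main table), labels the subnet public, private or isolated, and flags a NAT Gateway placed in a non-public subnet, a NAT Gateway that no route table points at (steps 6 and 7 skipped), and a default route to a NAT Gateway that does not exist. The sample data is constructed to mirror My-VPC, Subnet 1, Subnet 2 and Custom RT, and every resource ID is a placeholder; on a real account you would feed it the JSON from `aws ec2 describe-route-tables` and `describe-nat-gateways`.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output for My-VPC:
# Subnet 1 falls back to the main table (IGW default route) and Subnet 2 is
# explicitly associated with Custom RT (NAT default route). IDs are placeholders.
SUBNETS = ["subnet-1-PLACEHOLDER", "subnet-2-PLACEHOLDER"]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main-PLACEHOLDER", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "192.168.10.0/24", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
    {"RouteTableId": "rtb-custom-PLACEHOLDER",
     "Associations": [{"SubnetId": "subnet-2-PLACEHOLDER"}],
     "Routes": [{"DestinationCidrBlock": "192.168.10.0/24", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-PLACEHOLDER", "SubnetId": "subnet-1-PLACEHOLDER"}]

def default_route_target(rt):
    """Target of the 0.0.0.0/0 route ('igw-...' or 'nat-...'); None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def classify_subnets(route_tables, subnets):
    """public = default route via IGW, private = via NAT Gateway, isolated = no default route."""
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt["Associations"] if "SubnetId" in a}
    main = next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))
    labels = {}
    for subnet in subnets:  # no explicit association means the VPC main table applies
        target = default_route_target(explicit.get(subnet, main)) or ""
        labels[subnet] = ("public" if target.startswith("igw-")
                          else "private" if target.startswith("nat-") else "isolated")
    return labels

def audit(route_tables, nat_gateways, subnets):
    """Check the layout the walkthrough requires; return a list of findings (empty = OK)."""
    labels = classify_subnets(route_tables, subnets)
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    targets = [default_route_target(rt) or "" for rt in route_tables]
    findings = []
    for nat_id, subnet in nat_subnet.items():
        if labels.get(subnet) != "public":  # the NAT Gateway itself needs an IGW path
            findings.append(f"{nat_id} is in {labels.get(subnet)} {subnet}: no internet path")
        if nat_id not in targets:  # steps 6-7 (Custom RT + 0.0.0.0/0 route) were skipped
            findings.append(f"{nat_id} is not the default route of any route table")
    for rt, target in zip(route_tables, targets):
        if target.startswith("nat-") and target not in nat_subnet:  # blackhole route
            findings.append(f"{rt['RouteTableId']} routes 0.0.0.0/0 to unknown {target}")
    return findings
```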

The NAT Gateway setup is complete. Now let us first connect to the instances and then test the internet connectivity.

  • Connect to the public instance Webserver using SSH:

    Figure 11 : Connect to Webserver

  • Now, to connect to the private instance, which is in another subnet, we first have to copy the key pair associated with it onto the public instance in Subnet 1. (Copying the private key leaves a copy of it on the public instance; SSH agent forwarding or a ProxyJump configuration reaches the private instance without that copy.)

    Figure 12 : copy key inside public EC2 Instance

  • Access DB_Server using the private IP of the instance and the key pair:

    Figure 13 : Connect to DB_Server

  • At last, we have to test the internet connectivity on DB_Server. We can do this by running the ping command against a website that has ICMP enabled, for example: ping ietf.org

    Figure 14 : Internet Connectivity at private instance

    In this way we can access the internet from private subnets as well, with the network security provided by the NAT Gateway.

    Hope you like the article. If this is worth reading at least once, please do like and share!
