Configure a VPC with Public & Private Subnets and Secure your Network using NAT Gateway
What is NAT Gateway ?
- Consider a scenario where you want an EC2 instances that are in private subnets of a virtual private cloud (VPC) to communicate securely to the internet . The connection may be required to do security updates or package download.
- Here NAT Gateway comes into picture. A NAT Gateway is a Network Address Translation (NAT) service that allows an EC2 instances of private subnets connect to the internet , but prevents the internet from initiating a connection with those instances.
- The configuration of NAT Gateway requires –
1. A VPC having atleast two subnets.
2. An instances in each subnet – atleast one public instance in any one subnet and a private instances in
another subnet .
3. A NAT Gateway with an Elastic IP address associated with it inside a subnet having public instance .
4. A custom Route table with a subnet association of a subnet having private instances.
5. A route to an internet that will go through the NAT Gateway inside a custom Route table.
Now let us see a detailed steps on how to configure a NAT Gateway .
Configure NAT Gateway –
- From the VPC option in your AWS account , create one VPC with 192.168.10.0/24 CIDR network. ( Refer Create custom VPC in AWS for steps in detail )
- Create 2 subnets – Subnet 1 and Subnet 2 inside the custom VPC created i.e. My-VPC . ( Refer How to launch EC2 Instances inside Custom VPC and SSH into Public and Private Instances for steps in detail )
Once subnets are created, create an Internet Gateway and attach it to the custom VPC . Also add the route of Internet (0.0.0.0/0) inside the Route Table that was created for our custom VPC i.e. My-VPC .
- Create one public instance named Webserver inside Subnet 1 and one private instance named DB_Server inside Subnet 2.
- Now, we have to create an Elastic Public IP Address. Go to the Elastic IPs option and click on Allocate Elastic IP address.
Click on Allocate , an Elastic IP address will be allocated .
- Go to the NAT Gateways and click on Create NAT Gateway button to create a NAT Gateway.
Select the Subnet name from above two inside which a public instance is created which is Subnet 1 here and assign an Elastic IP address we already created.
- Create a custom Route Table names Custom RT and associate a subnet having private instance i.e. DB_Server . So now , Webserver is associated with the main route table and DB_Server with Custom RT.
- Add an internet route through NAT Gateway inside custom Route Table.
The NAT Gateway setup is completed , now let us first connect to the instances and then test the internet connectivity.
- Connect to the public instance Webserver using SSH –
- Now, to connect to the private instance which is in another subnet , first we have to copy the key associated with it inside the Subnet 1 –
- Access DB_server using private IP of instance and the key pair –
- At last , we have to test the internet connectivity on DB_Server. We can do this by running the
pingcommand for a website that has ICMP enabled.
For eg – ping ietf.org
In this way we can access the internet on private subnets as well with a network security using NAT Gateway.
Hope you like the article . If this is worth reading atleast once , please do like and share…!!!