• instance launched into private subnet in VPC could communicate with Internet through the IGW, by default.
  • Instances within private subnets need direct access to Internet from VPC to
  • apply security updates
  • download patches
  •  or update application software.
  • AWS offers Network Address Translation or NAT Instances and gateways to allow instances in private subnets to access Internet.
  • Use a NAT gateway instead of a NAT instance
  • NAT Gateway provides better availability and higher bandwidth, and requires less administrative effort than instances.

Network Address Translation Instance

  • It is an Amazon Linux AMI designed to accept traffic from instances within a private subnet
  • After which, it translate the source IP address to the public IP address of NAT instance
  • And forwards traffic to IGW
  • NAT instance maintains state of the forwarded traffic to return response traffic from Internet to instance in private subnet.

Tasks to allow instances in a private subnet to access Internet resources through the IGW using NAT, are

  • Create – It required to create a security group for the NAT with outbound rules that specify the needed Internet resources by port, protocol, and IP address.
  • Launch – Next launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
  • Disable –Then disable the Source/Destination Check attribute of the NAT.
  • Configure –Then, configure route table associated with a private subnet to direct Internet-bound traffic to NAT instance.
  • Allocate – Lastly allocate an EIP and associate it with NAT Instance

Network Address Translation Gateway

  • An Amazon managed resource
  • To operate just like a NAT instance
  • but is simpler to manage and highly available within an Availability Zone
  • To allow instances within a private subnet to access Internet resources through the IGW via a NAT gateway, following must be done –
    • Configure – It is required to configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway Example – nat-1a2b3c4d.
    • Allocate – It is required to allocate and EIP and associate it with the NAT Gateway.
Menu