Instances launched in a private subnet cannot communicate with the internet by default. However, these instances often need internet access in order to download updates, apply security patches, and so on. AWS provides Network Address Translation (NAT) instances and NAT gateways to allow IPv4 instances deployed in private subnets to reach the Internet. Traffic initiated from the internet, however, will not reach the instances in the private subnet.
Network Address Translation (NAT) Instances –
- A NAT instance is an EC2 instance launched from an Amazon Linux AMI (Amazon Machine Image) that resides in a public subnet.
- It accepts traffic from instances in the private subnet, translates the source IPv4 address to the private IPv4 address of the NAT instance, and forwards the traffic to the IGW (Internet Gateway).
- Don't forget to disable the Source/Destination check attribute of the NAT instance. (EC2 instances perform source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. A NAT instance, however, must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.)
- NAT supports only IPv4 traffic. For IPv6 traffic, AWS provides EIGWs (Egress-only Internet Gateways).
- The private subnet's route table needs an entry whose target is the NAT instance.
- You can also allocate an Elastic IP address to the NAT instance if you did not launch it with a public IPv4 address.
- The diagram below illustrates a NAT instance –
Network Address Translation (NAT) Gateways –
- A NAT Gateway is a highly available, AWS-managed resource that provides functionality similar to a NAT instance.
- A NAT Gateway needs to be created in a public subnet, and an entry needs to be added to the private subnet's route table to direct traffic to the NAT Gateway.
- A NAT Gateway likewise supports IPv4 traffic. For IPv6 traffic, use an EIGW (Egress-only Internet Gateway).
- A NAT Gateway cannot send traffic over VPC endpoints, VPN connections, AWS Direct Connect, or VPC peering connections. Instead, use the private subnet's route table to send the traffic directly to these endpoints/devices.
- To create an Availability Zone (AZ) independent architecture, create a NAT Gateway in each AZ and configure each private subnet's route table so that resources use the NAT Gateway in their own AZ.
- The diagram below illustrates the NAT Gateway –
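The rules in both lists above (a NAT instance or NAT Gateway must sit in a public subnet, a NAT instance must have its source/destination check disabled, and a private subnet should route through the NAT in its own AZ) can be checked mechanically. The following audit is an added example, not code from the original post or from AWS; it runs over a constructed, simplified snapshot with hypothetical IDs, and its field names are only loosely modelled on `aws ec2 describe-*` output, not the real API shapes.

```python
# Constructed sample snapshot (hypothetical IDs): two AZs, one public and one
# private subnet each, two NAT gateways, and one NAT instance.
SUBNETS = {
    "subnet-pub-a": {"AvailabilityZone": "us-east-1a"},
    "subnet-pub-b": {"AvailabilityZone": "us-east-1b"},
    "subnet-priv-a": {"AvailabilityZone": "us-east-1a"},
    "subnet-priv-b": {"AvailabilityZone": "us-east-1b"},
}
NAT_GATEWAYS = {"nat-a": {"SubnetId": "subnet-pub-a"},
                "nat-b": {"SubnetId": "subnet-pub-b"}}
NAT_INSTANCES = {"i-nat": {"SubnetId": "subnet-pub-a", "SourceDestCheck": True}}
ROUTE_TABLES = [
    {"Subnets": ["subnet-pub-a", "subnet-pub-b"],
     "Routes": [{"Dest": "0.0.0.0/0", "Target": "igw-1"}]},
    {"Subnets": ["subnet-priv-a"], "Routes": [{"Dest": "0.0.0.0/0", "Target": "nat-a"}]},
    # Misconfigured on purpose: AZ b's private subnet routes through AZ a's NAT gateway.
    {"Subnets": ["subnet-priv-b"], "Routes": [{"Dest": "0.0.0.0/0", "Target": "nat-a"}]},
]

def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table["Routes"]:
        if route["Dest"] == "0.0.0.0/0":
            return route["Target"]
    return None

def audit(subnets, route_tables, nat_gateways, nat_instances):
    """Check the NAT layout against the rules above; return a list of findings."""
    findings = []
    subnet_rt = {s: rt for rt in route_tables for s in rt["Subnets"]}
    def is_public(subnet_id):
        # A subnet is public when its default route points at an internet gateway.
        rt = subnet_rt.get(subnet_id)
        return rt is not None and str(default_route_target(rt)).startswith("igw-")

    # Rule 1: NAT gateways and NAT instances must sit in a public subnet.
    for nat_id, nat in {**nat_gateways, **nat_instances}.items():
        if not is_public(nat["SubnetId"]):
            findings.append(f"{nat_id}: subnet {nat['SubnetId']} has no route to an IGW")
    # Rule 2: a NAT instance must have source/destination checking disabled.
    for inst_id, inst in nat_instances.items():
        if inst["SourceDestCheck"]:
            findings.append(f"{inst_id}: source/destination check is still enabled")
    # Rule 3: a private subnet should use the NAT in its own Availability Zone.
    for subnet_id, rt in subnet_rt.items():
        target = default_route_target(rt)
        nat = nat_gateways.get(target) or nat_instances.get(target)
        if nat and subnets[nat["SubnetId"]]["AvailabilityZone"] != subnets[subnet_id]["AvailabilityZone"]:
            findings.append(f"{subnet_id}: default route uses a NAT in another AZ")
    return findings
```

Running `audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, NAT_INSTANCES)` on the sample reports the enabled source/destination check on `i-nat` and the cross-AZ route from `subnet-priv-b`; pointing that subnet at `nat-b` and disabling the check clears both findings.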