A private server wants to reach the URL https://www.amazon.com through a NAT device

Image by https://aws.amazon.com/

Vinay Thandra

Director Technology at QISON Software Pvt Ltd

Published Apr 15, 2021

Who can benefit from this article

  • You are part of a software development / DevOps team that uses the AWS (Amazon Web Services) environment to deploy applications in a VPC with public and private subnets, and you want to understand how the EC2 instances in the private subnet can connect to the internet.
  • You are an enthusiast of application deployments on the cloud and understand the basics of deploying an application in a VPC in the AWS environment.

Introduction

  • An application is deployed in an AWS VPC with public and private subnets. The public subnet has an application load balancer routing traffic to EC2 instances in the private subnet.
  • The purpose of this article is to detail the steps involved in enabling internet access for an EC2 instance in a private subnet, in the hope that it is of help to someone.

Why internet on ec2 instance

  • The main purpose of launching EC2 instances in a private subnet is that they have only a private IP address (no public IP). The instances can therefore never be reached directly from the internet, which prevents direct attacks on the system and the applications running on it.
  • Then why do we require internet access on these instances? There can be many reasons, for example:
  • You want to download software, or the latest patches for software, on these instances.
  • You have to send emails / SMS to your users from the applications running on these instances.

Utilizing NAT Gateway

  • You should use a NAT gateway for connecting to the internet from EC2 instances. The NAT gateway is a managed AWS service, so it is scalable and reliable.
  • Go to the VPC dashboard.
  • Create a NAT Gateway in the public subnet*. Ensure you are creating the NAT Gateway in the public subnet only.
  • Attach an Elastic IP address* to the NAT Gateway. Now a route has to be added to your private subnet.
  • Go to the private subnet's route table and add a route to the internet through the NAT gateway:
  • Destination 0.0.0.0/0 and Target the NAT gateway.
  • Attach an internet gateway to the VPC so that the public subnet can use it, and add a route 0.0.0.0/0 with the internet gateway as target to the public subnet's route table.

Allow Traffic

  • You have enabled routing at the subnet level. Now you should also allow port 80 and 443 traffic through the instance, the private subnet and the public subnet.
  • For the NAT gateway to route correctly, ports 80 and 443 must be allowed out to the internet from the EC2 instance. This means you need to add inbound / outbound rules at the EC2 instance level (security group), the private subnet level and the public subnet level (network ACLs). The next few points discuss the exact inbound / outbound rules to be added at each level.
  • The below Outbound rules should be added to the security group that is attached to the EC2 instance

  • The below Inbound rules should be added to private subnet ACL (Access Control List)

  • The below Outbound rules should be added to private subnet ACL (Access Control List)

  • The below Inbound rules should be added to public subnet ACL (Access Control List) where the NAT Gateway is created

  • The below Outbound rules should be added to public subnet ACL (Access Control List) where the NAT Gateway is created
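The following is an added example, not code from the article or from AWS: it models the routing and rule evaluation described in the last two sections and traces one HTTPS connection from the instance, through the NAT gateway, to the internet and back. The CIDRs, the instance address 10.0.2.10, the placeholder internet host 203.0.113.10 and the rule numbers are all assumed values. It also shows the caveat behind the inbound NACL rules: security groups are stateful, but network ACLs are stateless, so the reply packets that come back to the instance's ephemeral port (1024-65535) must be allowed explicitly, in the public subnet's ACL as well as the private subnet's, or the connection will hang even though ports 80 and 443 are open outbound.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology, assumed for this example (the article gives no CIDRs).
VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNET = "10.0.1.0/24"   # holds the NAT gateway
PRIVATE_SUBNET = "10.0.2.0/24"  # holds the EC2 instance
INSTANCE_IP = "10.0.2.10"
EPHEMERAL = (1024, 65535)

# Route tables as (destination CIDR, target); evaluated by longest-prefix match.
ROUTE_TABLES = {
    "private": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-gateway")],
    "public": [(VPC_CIDR, "local"), ("0.0.0.0/0", "internet-gateway")],
}

def next_hop(table_name, dst_ip):
    """Return the target the subnet's route table picks for dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

@dataclass(frozen=True)
class Rule:
    number: int   # NACL rule number; lower numbers are evaluated first
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "all" (enough for this example)
    ports: tuple  # inclusive (low, high) port range
    cidr: str     # remote CIDR the rule matches

def nacl_allows(rules, proto, port, remote_ip):
    """Network ACLs are stateless: each direction of each packet is checked
    against the rules in number order, first match wins, and the implicit
    final rule denies everything."""
    remote = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("all", proto):
            continue
        if not (r.ports[0] <= port <= r.ports[1]):
            continue
        if remote not in ipaddress.ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False

# Security group on the instance. It is stateful: only the outbound rule is
# checked and the reply is allowed automatically. The rule set is allow-only,
# so first-match evaluation is equivalent to any-match.
SG_OUTBOUND = [Rule(0, "allow", "tcp", (80, 80), "0.0.0.0/0"),
               Rule(0, "allow", "tcp", (443, 443), "0.0.0.0/0")]

# Private subnet NACL: web ports out, ephemeral ports in for the replies.
PRIVATE_OUT = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0"),
               Rule(110, "allow", "tcp", (443, 443), "0.0.0.0/0")]
PRIVATE_IN = [Rule(100, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]

# Public subnet NACL: the NAT gateway's network interface lives here, so it
# sees the instance's packets inbound and the internet's replies inbound.
PUBLIC_IN = [Rule(100, "allow", "tcp", (80, 80), PRIVATE_SUBNET),
             Rule(110, "allow", "tcp", (443, 443), PRIVATE_SUBNET),
             Rule(120, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]
PUBLIC_OUT = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0"),
              Rule(110, "allow", "tcp", (443, 443), "0.0.0.0/0"),
              Rule(120, "allow", "tcp", EPHEMERAL, PRIVATE_SUBNET)]

def trace_flow(dst_ip, dst_port=443, src_port=50000, private_in=PRIVATE_IN):
    """Walk one TCP connection from the instance to dst_ip:dst_port and its
    reply through every hop; returns an ordered list of (hop, passed).
    The NAT gateway translates the source port to one of its own, but that
    port is in the same ephemeral range, so src_port stands in for it."""
    return [
        ("private route table -> nat-gateway", next_hop("private", dst_ip) == "nat-gateway"),
        ("security group outbound", nacl_allows(SG_OUTBOUND, "tcp", dst_port, dst_ip)),
        ("private NACL outbound", nacl_allows(PRIVATE_OUT, "tcp", dst_port, dst_ip)),
        ("public NACL inbound (from instance)", nacl_allows(PUBLIC_IN, "tcp", dst_port, INSTANCE_IP)),
        ("public route table -> internet-gateway", next_hop("public", dst_ip) == "internet-gateway"),
        ("public NACL outbound (to internet)", nacl_allows(PUBLIC_OUT, "tcp", dst_port, dst_ip)),
        ("public NACL inbound (reply from internet)", nacl_allows(PUBLIC_IN, "tcp", src_port, dst_ip)),
        ("public NACL outbound (reply to instance)", nacl_allows(PUBLIC_OUT, "tcp", src_port, INSTANCE_IP)),
        ("private NACL inbound (reply)", nacl_allows(private_in, "tcp", src_port, dst_ip)),
    ]

def flow_allowed(dst_ip, **kw):
    return all(ok for _, ok in trace_flow(dst_ip, **kw))

def first_failure(dst_ip, **kw):
    """Name the first hop that drops the flow, or None if it passes."""
    return next((hop for hop, ok in trace_flow(dst_ip, **kw) if not ok), None)

if __name__ == "__main__":
    for hop, ok in trace_flow("203.0.113.10"):
        print(f"{'PASS' if ok else 'DROP':4} {hop}")
    print("without ephemeral inbound rule:", first_failure("203.0.113.10", private_in=[]))
```

Running the block prints the full hop-by-hop trace for the HTTPS flow and then shows where it breaks when the private subnet's inbound ephemeral rule is removed. Passing `dst_port=25` shows the other common case: the security group's outbound rules stop anything that is not port 80 or 443.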

Testing the connectivity

  • Log in / SSH to your EC2 instance.
  • On the command line, try to ping a website. It should be successful.

Troubleshooting VPC traffic flow issues

  • You can troubleshoot traffic flow issues by enabling flow logs* at the VPC level / subnet level and analysing the logs that are generated, which record the traffic accepted / rejected at the network interface level.
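As an added example (not part of the article and not AWS code), the parser below reads records in the default VPC flow log format, keeps only the REJECT entries, tags each with its direction relative to the subnet being debugged, and maps it to the rule set that most likely dropped it given an allow list of TCP 80/443 as set up above. The log lines are constructed sample data with placeholder account, interface and internet addresses. Two of the rejects are worth noting for anyone following the test in the previous section: an ICMP echo from the instance is rejected because TCP 80/443 rules do not cover ICMP (a failed ping is therefore not proof that web access is broken), and a reply arriving on an ephemeral port is rejected when the stateless inbound NACL rule for 1024-65535 is missing.

```python
import ipaddress

# Field order of the default VPC flow log record format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records (not real log data): instance 10.0.2.10 in the
# private subnet talking to placeholder internet hosts in 203.0.113.0/24.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 10.0.2.10 203.0.113.10 50000 443 6 12 3800 1618480000 1618480060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.10 10.0.2.10 443 50000 6 10 9200 1618480000 1618480060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.2.10 203.0.113.10 0 0 1 4 336 1618480000 1618480060 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.0.2.10 203.0.113.20 50001 25 6 3 180 1618480000 1618480060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.30 10.0.2.10 443 50002 6 2 120 1618480000 1618480060 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1618480000 1618480060 - NODATA
"""

def parse_flow_log(text):
    """Parse default-format records; returns a list of dicts with numeric
    fields converted. Records with log-status NODATA/SKIPDATA are dropped
    because they carry no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["protocol_name"] = PROTO_NAMES.get(rec["protocol"], str(rec["protocol"]))
        records.append(rec)
    return records

def rejected_flows(records, local_cidr):
    """REJECT records tagged with direction relative to the subnet under
    investigation: outbound if the source address is inside local_cidr."""
    net = ipaddress.ip_network(local_cidr)
    out = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        direction = "outbound" if ipaddress.ip_address(r["srcaddr"]) in net else "inbound"
        out.append({**r, "direction": direction})
    return out

def summarize_rejects(records, local_cidr):
    """Sum rejected packets by (direction, remote address, protocol, dstport)
    so the offending rule set stands out."""
    counts = {}
    for r in rejected_flows(records, local_cidr):
        remote = r["dstaddr"] if r["direction"] == "outbound" else r["srcaddr"]
        key = (r["direction"], remote, r["protocol_name"], r["dstport"])
        counts[key] = counts.get(key, 0) + r["packets"]
    return counts

def diagnose(reject):
    """Heuristic hint for a rejected flow, assuming only TCP 80/443 are allowed
    outbound (as in the article) and the subnet is a private one."""
    proto, port = reject["protocol_name"], reject["dstport"]
    if proto == "icmp":
        return "icmp not covered by tcp 80/443 rules: ping fails even when web access works; test with curl over 443 instead"
    if reject["direction"] == "outbound":
        if port in (80, 443):
            return "outbound web port rejected: check security group outbound and private subnet NACL outbound rules"
        return f"outbound {proto}/{port} is outside the 80/443 allow list"
    if proto == "tcp" and port >= 1024:
        return "reply to an ephemeral port rejected: NACLs are stateless, add an inbound allow for 1024-65535"
    return "unsolicited inbound traffic; rejecting it is expected on a private subnet"

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for key, packets in summarize_rejects(recs, "10.0.2.0/24").items():
        print(packets, "packets", key)
    for r in rejected_flows(recs, "10.0.2.0/24"):
        print(r["srcaddr"], "->", r["dstaddr"], r["protocol_name"], r["dstport"], ":", diagnose(r))
```

Real flow logs are delivered to CloudWatch Logs or S3; feed the downloaded lines to `parse_flow_log` in place of the constructed sample. The heuristics in `diagnose` are tied to the 80/443 design of this article and should be adjusted if other ports are allowed.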

* Prices apply for creating and using these AWS services as per the AWS price charts. Please go through them and understand the cost implications before creating and utilising the AWS services.

References

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-internet-connectivity/
