Creating NAT Gateways and VPC S3 Endpoints

Hands-On Lab

 

Craig Arcuri

AWS Training Architect II in Content

Length

00:30:00

Difficulty

Advanced

This Learning Activity focuses on creating a NAT Gateway that gives a private EC2 instance access to an S3 bucket. Additionally, a VPC endpoint will be created, providing a private connection from the VPC to S3 that does not traverse the public internet. The VPC endpoint can be used instead of a NAT Gateway to reach supported AWS services; in this case, that will be an S3 bucket. After verifying that we have access to the bucket through the NAT Gateway, we'll delete the NAT Gateway. Then we will verify that we still have access to the S3 bucket through the VPC endpoint.

Introduction

In this hands-on lab, we will create a NAT Gateway that will provide access for a private EC2 instance to an S3 Bucket. Additionally, we will create a VPC endpoint, providing a private connection from the AWS account to the S3 bucket.

Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Create a NAT Gateway

Connect to Instances

  1. Navigate to EC2.
  2. Click to view the running instances.
  3. Select the public instance.
  4. In the Description section below, copy its public IP address.
  5. Open a terminal session.
  6. In the terminal window, log in to the public instance via SSH:

    ssh linuxacademy@<PUBLIC IP>

    The password is 123456.

  7. In the AWS console, un-check the public instance and select the private instance.
  8. In the Description section below, copy its private IP address.
  9. In the same terminal window, from the shell of the public instance (it acts as a bastion host: the private instance has no public IP and cannot be reached from your workstation directly), log in to the private instance via SSH:

    ssh linuxacademy@<PRIVATE IP>

    The password is 123456. The remaining terminal commands in this lab are run in this session on the private instance.

Create NAT Gateway

  1. Open a new browser tab and navigate to VPC.
  2. Click Subnets in the left-hand menu.
  3. Make note of the Subnet ID for the public subnet.
  4. Click NAT Gateways in the left-hand menu.
  5. Click Create NAT Gateway.
  6. Set the following values:
    • Subnet: Select the subnet ID of the public subnet we just made note of (the NAT gateway must sit in a subnet whose route table points 0.0.0.0/0 at the internet gateway)
    • Elastic IP Allocation ID: Create New EIP
  7. Click Create NAT Gateway.
  8. Wait until the gateway's Status changes from Pending to Available. A route that points at a gateway which is still pending does not carry traffic yet.

Add Route to Give Private Instance Internet Access

  1. Click Subnets in the left-hand menu.
  2. Select the private subnet.
  3. Click the Route Table tab below.
  4. Click the route table link.
  5. Select the route table listed.
  6. Click the Routes tab below.
  7. Click Edit.
  8. Click Add another route.
  9. Set the following values:
    • Destination: 0.0.0.0/0
    • Target: the NAT gateway you just created (its ID begins with nat-)
  10. Click Save.

Install the Necessary Packages

  1. In the terminal window (still on the private instance), su to root:

    su

    The password is 123456.

  2. Update the package index. This is the first traffic that depends on the NAT gateway, because the private instance has no public IP of its own; if the repositories cannot be reached, check that the gateway is Available and that the 0.0.0.0/0 route is in place, then re-run:

    apt-get update
  3. Install pip for Python (on newer Ubuntu releases the package is named python3-pip):

    apt-get install python-pip
  4. After the update has finished, run the install again to confirm the package is present; apt simply reports that it is already the newest version:

    apt-get install python-pip

Create a VPC Endpoint

Install and Configure AWS CLI

  1. Install AWS CLI:

    pip install awscli
  2. Configure the AWS CLI:

    aws configure
  3. Set the following, leaving both key prompts empty (just press Enter). With no keys configured the CLI falls through its credential chain to the instance's IAM role, so no long-lived access keys are written to ~/.aws/credentials on the host. The region must be us-east-1, because a gateway endpoint only serves the S3 endpoint of its own region:

    AWS Access Key ID [None]:
    AWS Secret Access Key [None]:
    Default region name [None]: us-east-1
    Default output format [None]:

Create S3 Bucket in Command Line

  1. Create an S3 bucket, replacing ### with a series of numbers so the name is unique (bucket names are global across all AWS accounts and must be lowercase):

    aws s3 mb s3://linuxacademy###

    At this point the request leaves the VPC through the NAT gateway; there is no endpoint yet.

Create VPC Endpoint

  1. In the AWS console, on the VPC dashboard, click Endpoints in the left-hand menu.
  2. Click Create Endpoint.
  3. Set the following values:
    • Service category: AWS services
    • Service Name: com.amazonaws.us-east-1.s3 (Type: Gateway)
    • VPC: Select the one listed
    • Configure route tables: Select the route table associated with the private subnet (the endpoint adds a route for the S3 prefix list to every table you select)
    • Policy: Full Access. This lets any principal in the VPC call any S3 action against any bucket through the endpoint, which is fine for the lab; in a production VPC, restrict the endpoint policy to the buckets and actions actually needed.
  4. Click Create endpoint.
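The Full Access policy chosen above is the weak setting. The following is an added example, not part of the original lab or of AWS's own tooling: it builds the least-privilege alternative a practitioner would paste into the endpoint's policy editor (scoped to the one bucket the lab creates), plus the complementary bucket policy that refuses requests not arriving through the endpoint, and checks both for the mistake the console default makes. The bucket name `linuxacademy123` and the endpoint ID `vpce-0123456789abcdef0` are placeholders; substitute the bucket you created with `aws s3 mb` and the vpce- ID the console shows once the endpoint exists.

```python
"""Least-privilege alternative to the console's "Full Access" endpoint policy.

Added example, not part of the original lab. The bucket name and endpoint ID
are placeholders: substitute the bucket you created with `aws s3 mb` and the
vpce-... ID shown on the Endpoints page once the endpoint exists.
"""
import json

BUCKET = "linuxacademy123"          # placeholder for the lab's linuxacademy### bucket
VPCE_ID = "vpce-0123456789abcdef0"  # placeholder; copy the real ID from the console

# What selecting "Full Access" attaches: any principal may call any S3 action
# against any bucket (including buckets in other accounts) via the endpoint.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def endpoint_policy(bucket):
    """Endpoint policy that only lets traffic through the endpoint reach one bucket.

    Listing needs the bucket ARN; object reads/writes need bucket/*. Both are
    required for `aws s3 ls s3://bucket` and `aws s3 cp` to work via the endpoint.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyThisBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def bucket_policy(bucket, vpce_id):
    """Bucket policy that rejects requests not arriving via the given endpoint.

    aws:SourceVpce is set on requests that traverse a VPC endpoint. A blanket
    Deny like this also locks out the console and any principal outside the
    VPC, so add an exemption for an admin role before applying it for real.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessViaEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def grants_everything(policy):
    """True if any Allow statement permits every action on every resource."""
    return any(
        st.get("Effect") == "Allow"
        and "*" in _as_list(st.get("Action", []))
        and "*" in _as_list(st.get("Resource", []))
        for st in policy["Statement"]
    )


def allowed_buckets(policy):
    """Bucket names the policy's Allow statements can reach ('*' means any bucket)."""
    buckets = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                buckets.add("*")
            elif res.startswith("arn:aws:s3:::"):
                buckets.add(res[len("arn:aws:s3:::"):].split("/", 1)[0])
    return buckets


def render(policy):
    """JSON text suitable for pasting into the console's policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("Full Access grants everything:", grants_everything(FULL_ACCESS_POLICY))
    print(render(endpoint_policy(BUCKET)))
    print(render(bucket_policy(BUCKET, VPCE_ID)))
```

Running the script prints `True` for the console default and the two scoped policies. Note that `aws s3 ls` with no bucket argument calls ListAllMyBuckets, an account-level action that no bucket policy governs; the endpoint policy above still permits it only if you add `s3:ListAllMyBuckets` on `*`, so with the scoped policy verify access with `aws s3 ls s3://<your bucket>` instead.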

Remove NAT Gateway

  1. Click NAT Gateways in the left-hand menu.
  2. Click the Actions dropdown and select Delete NAT Gateway.
  3. In the confirmation pop-up, click Delete NAT Gateway.
  4. Right-click Subnets in the left-hand menu to open it in a new browser tab.
  5. Select the private subnet.
  6. Click the Route Table tab below.
  7. Note the route to the VPC endpoint has been created, and the route to the NAT gateway still exists.
  8. Back on the NAT gateway page, note the NAT gateway has been deleted.
  9. On the subnets page, still in the Route Tables section, click the route table link.
  10. Select the route table listed.
  11. Click the Routes tab below.
  12. The status for the route to the NAT gateway is now Black Hole: its target no longer exists, so traffic matching 0.0.0.0/0 is dropped rather than forwarded. Once this route is removed, the private subnet has no path to the internet at all, and the only route out of the VPC is the S3 prefix-list route to the endpoint.
  13. Click Edit and remove the NAT gateway route.
  14. Click Save.
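The console steps above are a manual audit of one route table. The following is an added example, not part of the original lab, that does the same audit over the JSON printed by `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<private subnet id>`: it lists blackhole routes, confirms a gateway-endpoint route is present, reports whether the subnet still has an active default route, and generates the `aws ec2 delete-route` commands that replace the Edit/Save click-through. The sample input is constructed in the shape of that API output; all IDs in it are placeholders.

```python
"""Audit a private subnet's route table after the NAT gateway is deleted.

Added example, not part of the original lab. Feed it the output of
`aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<id>`;
the sample below is constructed in that shape with placeholder IDs.
"""
import json

# Constructed sample: the private subnet's route table at the point the lab
# inspects it. The S3 gateway endpoint route exists and the default route
# still points at the NAT gateway that has just been deleted.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0123456789abcdef0",
      "VpcId": "vpc-0123456789abcdef0",
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0",
         "Origin": "CreateRoute", "State": "blackhole"},
        {"DestinationPrefixListId": "pl-0123456789abcdef0", "GatewayId": "vpce-0123456789abcdef0",
         "Origin": "CreateRoute", "State": "active"}
      ]
    }
  ]
}
""")


def route_target(route):
    """Return the target of a route entry, whichever attribute carries it."""
    for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
                "TransitGatewayId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return None


def route_destination(route):
    """CIDR or prefix-list destination of a route entry."""
    return route.get("DestinationCidrBlock") or route.get("DestinationPrefixListId")


def blackhole_routes(route_table):
    """Routes whose target no longer exists; matching traffic is silently dropped."""
    return [r for r in route_table["Routes"] if r.get("State") == "blackhole"]


def gateway_endpoint_routes(route_table):
    """Routes sending an AWS service prefix list to a gateway VPC endpoint (vpce-...)."""
    return [r for r in route_table["Routes"]
            if "DestinationPrefixListId" in r and str(r.get("GatewayId", "")).startswith("vpce-")]


def has_internet_route(route_table):
    """True if an active 0.0.0.0/0 route exists, i.e. the subnet can still reach the internet."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active"
               for r in route_table["Routes"])


def cleanup_commands(describe_output):
    """CLI commands removing every blackhole route (the console's Edit/Save step)."""
    cmds = []
    for rt in describe_output["RouteTables"]:
        for r in blackhole_routes(rt):
            if "DestinationCidrBlock" in r:
                cmds.append(f"aws ec2 delete-route --route-table-id {rt['RouteTableId']} "
                            f"--destination-cidr-block {r['DestinationCidrBlock']}")
            else:
                cmds.append(f"aws ec2 delete-route --route-table-id {rt['RouteTableId']} "
                            f"--destination-prefix-list-id {r['DestinationPrefixListId']}")
    return cmds


def audit(describe_output):
    """Per route table: blackhole routes, endpoint routes, and internet reachability."""
    report = {}
    for rt in describe_output["RouteTables"]:
        report[rt["RouteTableId"]] = {
            "blackhole": [(route_destination(r), route_target(r)) for r in blackhole_routes(rt)],
            "endpoint_routes": [(route_destination(r), route_target(r))
                                for r in gateway_endpoint_routes(rt)],
            "internet_reachable": has_internet_route(rt),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DESCRIBE_OUTPUT), indent=2))
    for cmd in cleanup_commands(SAMPLE_DESCRIBE_OUTPUT):
        print(cmd)
```

For the sample, the report shows one blackhole route (0.0.0.0/0 via the deleted nat- ID), one endpoint route (the S3 prefix list via the vpce- ID) and `internet_reachable: false`, which is exactly the state the lab wants before the final verification step; the single generated command removes the dead default route.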

Verify Access to S3 Bucket via Endpoint

  1. In the terminal window, run:

    aws s3 ls
  2. You should see your S3 bucket listed. Because the private subnet no longer has any default route, the request could not have used the internet; it reached S3 over the gateway endpoint, which only routes the regional S3 prefix list.

Conclusion

Congratulations on completing this hands-on lab!