Creating a NAT Gateway in AWS
In this lab, we will demonstrate how to set up a NAT Gateway to allow an EC2 instance on a private subnet to access the Internet (for software updates, etc.). The lab environment has been prepared with a private subnet and a public subnet. We will begin by creating an EC2 instance in each of those subnets.
We will set up a new instance on the existing private subnet to demonstrate the benefit of a NAT Gateway.
- Navigate to the Instances section of the EC2 Dashboard.
- Click the Launch Instance button.
- Locate the Amazon Linux AMI and click the Select button.
- Ensure that `t2.micro` is selected and click Next: Configure Instance Details.
- For the Subnet setting, select the subnet named Private.
- Click the Review and Launch button.
- Notice the default Security Groups settings have allowed SSH access.
- Click the Launch button.
- Create and download a new key pair (this guide uses the key pair name `nat-lab-keypair`).
Since a private subnet does not have an Internet Gateway attached, the instance we just created within it cannot interact with the outside world. This can be beneficial from a security standpoint: if there is no way to connect to it over the Internet, the chances of unauthorized access are decreased. If the instance itself can't access the Internet, however, problems quickly become apparent. For example, the instance may need to download security updates from the Internet.
To demonstrate this problem, we will connect to the instance we just created via SSH and attempt to run `sudo yum update`. Since the instance is private, however, we will need to create a new instance on the public subnet and connect through it.
- Launch another `t2.micro` instance using the Amazon Linux AMI.
- This time, choose the Subnet named Public in the Configure Instance Details section.
- The rest of the default configuration is fine (notice that the Security Group allows SSH by default).
- Click the Launch button and choose to use the existing key pair that you created earlier (`nat-lab-keypair`).
Just as a reminder: we intend to connect to the private instance, but must do so from the public instance, since the public instance is in the same VPC and is reachable from the Internet.
- Open a new terminal window.
- `cd` to the directory containing your downloaded key pair file and run `chmod 400 nat-lab-keypair` to set the proper permissions on it.
- Add the key to our ssh agent with `ssh-add nat-lab-keypair`.
- Connect to the public instance via SSH. Use the `-A` option (agent forwarding) so we can easily connect to the private instance in a moment: `ssh -A ec2-user@<HOSTNAME-OF-PUBLIC-INSTANCE>` (you can find the public instance hostname by right-clicking the public instance in the Instances section of the EC2 dashboard, then clicking "Connect").
Once logged into the public instance, we will use the private IP address of the private instance and connect to it with SSH as `ec2-user`; the forwarded agent supplies the key.
Now we are logged into the private instance. Run the following command:
sudo yum update
The command will time out since the instance cannot access the Internet. We can solve this problem with a NAT Gateway.
Leave the terminal window open and connected to the private instance. Head back to your browser.
- Navigate to the VPC Dashboard in AWS.
- Click the NAT Gateways link to the left of the page.
- Create a new NAT Gateway.
- We want to place this new NAT Gateway in the Public subnet so it can reach the Internet through the Internet Gateway. Click the text field for the Subnet setting and select the subnet titled Public.
- Use the Create New EIP button to create and select a new Elastic IP.
- Click the Edit Route Tables button.
- Select the route table associated with our Private subnet. Note: the private subnet was not explicitly associated with the route table containing the Internet Gateway; therefore, it is implicitly associated with the Main route table. Select the Main route table in the list.
- Click on the Routes tab in the settings pane at the bottom of the page.
- Click Edit.
- Add another route with a Destination of `0.0.0.0/0` (signifying any/all IP addresses).
- Choose the NAT Gateway we just created as the Target (its ID begins with `nat-`).
- Click the Save button.
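The same result can be declared as infrastructure rather than clicked through the console. The CloudFormation template below is an added example, not part of the original lab: it creates the Elastic IP and the NAT Gateway in the public subnet, then a dedicated route table for the private subnet with a `0.0.0.0/0` route pointing at the NAT Gateway. It assumes the VPC, public subnet (already routing to an Internet Gateway) and private subnet exist and are passed in as parameters; the resource names and tags are constructed for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  NAT Gateway for a private subnet (added example). Assumes an existing VPC,
  a public subnet whose route table sends 0.0.0.0/0 to an Internet Gateway,
  and a private subnet with no Internet route.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet that already routes 0.0.0.0/0 to an Internet Gateway
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet whose instances should reach the Internet only via NAT

Resources:
  # Elastic IP the NAT Gateway uses as the public source address for all
  # outbound traffic from the private subnet
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # The NAT Gateway itself lives in the PUBLIC subnet, so its own traffic
  # leaves through that subnet's Internet Gateway route
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId
      Tags:
        - Key: Name
          Value: nat-lab-gateway   # constructed name for this example

  # A dedicated route table for the private subnet, instead of relying on the
  # implicit association with the VPC's Main route table
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
      Tags:
        - Key: Name
          Value: nat-lab-private-rt   # constructed name for this example

  # Default route: anything not local to the VPC goes out via the NAT Gateway
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  # Explicit association so the private subnet uses this table and no other
  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable

Outputs:
  NatGatewayId:
    Value: !Ref NatGateway
  NatPublicIp:
    Description: Source address the Internet sees for private-subnet traffic
    Value: !Ref NatEip
```

Deploy it with `aws cloudformation deploy --template-file nat-lab.yaml --stack-name nat-lab --parameter-overrides VpcId=... PublicSubnetId=... PrivateSubnetId=...` (file and stack names are placeholders). The template deliberately gives the private subnet its own route table rather than editing the Main table as the console steps above do: any subnet not explicitly associated with a table falls back to Main, so a later change to Main (for example adding an Internet Gateway route) would silently expose every implicitly associated subnet. A NAT Gateway only forwards connections initiated from inside the VPC, so the private instance gains outbound access while still having no inbound path from the Internet.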
Wait a few moments while the NAT Gateway starts up. You can check its Status by navigating back to the NAT Gateways section of the VPC Dashboard; use the refresh button occasionally. Once the status goes from Pending to Available, navigate back to the terminal window that's currently connected to the Private instance.
Recall that the instance had no access to the Internet earlier: the `sudo yum update` command timed out. Since we have now added a NAT Gateway and configured the route, re-running the command will work as expected.
sudo yum update
You should see the expected output and be able to access anything else that requires the Internet. Remember that the Public instance we used to connect to the Private one plays no part in this; it was only used to let us connect to the private instance to demonstrate the function of the NAT Gateway. The Private instance is now able to pull in updates, download files, etc., but still cannot be accessed directly from the Internet.