Enabling Internet Access for Private Instances: Setting Up NAT Gateway in AWS

In AWS Virtual Private Cloud (VPC) configurations, you might have private EC2 instances that require access to the Internet or other AWS cloud services. You can set up a Network Address Translation (NAT) Gateway to enable these private instances to communicate with the outside world. 

Architecture Diagram of the NAT Gateway

How a NAT Gateway Works:

  1. Private instances within the private subnet send their outbound traffic to the NAT Gateway.
  2. The NAT Gateway translates the source IP addresses of the outbound traffic to its own Elastic IP address.
  3. The NAT Gateway then forwards the traffic to the Internet.
  4. When responses come back from the Internet, the NAT Gateway routes the responses back to the private instances that initiated the requests based on the established connections.
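To make the four steps concrete, here is a small connection-tracking model of what the gateway does to each packet. It is an added example for this post, not code from the original article or from AWS, and every address in it is constructed: 10.0.2.0/24 stands in for the private subnet, 203.0.113.10 for the gateway's Elastic IP and 198.51.100.7 for a host on the Internet. It also shows the failure mode that matters for security: a packet arriving at the Elastic IP that does not answer a connection an instance opened has no mapping and is dropped.

```python
"""Toy model of the four steps above: source NAT with connection tracking.

Added example, not code from the original post or from AWS. All addresses are
constructed: 10.0.2.0/24 plays the private subnet, 203.0.113.10 the gateway's
Elastic IP and 198.51.100.7 an Internet host.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Rewrites outbound sources to one Elastic IP and maps replies back."""

    def __init__(self, elastic_ip: str, first_port: int = 1024) -> None:
        self.elastic_ip = elastic_ip
        self._next_port = first_port
        self._port_of_flow: Dict[Flow, int] = {}             # private flow -> translated port
        self._flow_of_port: Dict[Tuple[str, int], Flow] = {}  # (proto, port) -> private flow
        self.dropped = 0

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1-3: a private instance sends a packet; the gateway replaces the
        source with its Elastic IP and a unique port, records the mapping, and
        forwards the rewritten packet towards the Internet."""
        flow: Flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._port_of_flow.get(flow)
        if port is None:  # first packet of this connection: allocate a port
            port = self._next_port
            self._next_port += 1
            self._port_of_flow[flow] = port
            self._flow_of_port[(pkt.proto, port)] = flow
        return replace(pkt, src_ip=self.elastic_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 4: a packet arrives at the Elastic IP. It is delivered to the
        private instance only if it answers a flow that instance opened; an
        unsolicited connection attempt from the Internet has no mapping and is
        dropped, which is why a NAT Gateway does not expose private instances."""
        flow = self._flow_of_port.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.elastic_ip or flow is None:
            self.dropped += 1
            return None
        _, src_ip, src_port, dst_ip, dst_port = flow
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):  # reply from the wrong peer
            self.dropped += 1
            return None
        return replace(pkt, dst_ip=src_ip, dst_port=src_port)


def demo() -> dict:
    """One HTTPS request/response through the gateway plus one unsolicited inbound packet."""
    nat = NatGateway("203.0.113.10")
    request = Packet("tcp", "10.0.2.15", 40001, "198.51.100.7", 443)
    on_the_wire = nat.outbound(request)  # what the Internet host actually sees
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 443, "203.0.113.10", on_the_wire.src_port))
    unsolicited = nat.inbound(Packet("tcp", "198.51.100.99", 5555, "203.0.113.10", 22))
    return {"on_the_wire": on_the_wire, "reply": reply, "unsolicited": unsolicited,
            "dropped": nat.dropped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the request leaving with source 203.0.113.10:1024, the reply being delivered back to 10.0.2.15:40001, and the unsolicited packet returning None with the drop counter at 1.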

AWS operates the NAT Gateway as a managed service, which simplifies configuration and maintenance. Instead of paying for and supporting a public EC2 instance that does the translation yourself, you pay for the GB processed through the gateway.

Setting up a NAT Gateway is super simple. Let’s walk through a quick lab where we set up a Bastion Host to connect into a private EC2 instance and then use a NAT Gateway to let traffic out to the outside world.

Step 1: Launch a Bastion Host

A bastion host is a publicly accessible server located in a public subnet that acts as a bridge between your local machine and private instances in a Virtual Private Cloud (VPC). It serves as a secure entry point for accessing private instances in a controlled way. 

In the EC2 Dashboard, select “Launch Instance” to create a new EC2 instance.

Choose an appropriate Amazon Machine Image (AMI) for your bastion host. 

Configure the instance details, including the public subnet, instance type, and any additional storage or tags.

Configure the security group for the bastion host. Ensure that it allows incoming SSH (port 22) traffic from your IP address.

Launching a bastion host

Launch the bastion host instance.

Step 2: Launching EC2 Instances in the Private Subnet

In the EC2 Dashboard, select “Launch Instance” to create a new EC2 instance.

Configure the instance details, such as the name and instance type.

Create a key pair and download it to your machine; we will need it later.

In the network settings, select the private subnet you created.

Configuring Network Settings

Complete the instance setup, including security groups and key pairs, as needed. In the security group, allow SSH access (port 22) from the bastion host only.

Adding SSH access from Bastion Host

Launch the EC2 instance.
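The two security groups from Steps 1 and 2 are where this lab is most often left wider open than intended. The following added example (not code from the original post or from AWS) checks both rules: the bastion must accept port 22 from a single address only, and the private instance must accept port 22 only from the bastion's security group, never from a CIDR. The group records are constructed to mirror the shape of `aws ec2 describe-security-groups` output; the group ids and the 192.0.2.44/32 administrator address are made up for the example.

```python
"""Checks on the two security groups configured in Steps 1 and 2.

Added example, not code from the original post or from AWS. The group data is
constructed to mirror the shape of `aws ec2 describe-security-groups` output;
the group ids and the 192.0.2.44/32 admin address are made up for the example.
"""
import ipaddress
from typing import Dict, Iterable, List

BASTION_SG = "sg-0aaa000000000bast"   # constructed ids
PRIVATE_SG = "sg-0bbb000000000priv"

SECURITY_GROUPS: List[Dict] = [
    {   # Step 1: bastion host, SSH only from the administrator's address
        "GroupId": BASTION_SG, "GroupName": "bastion-sg",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "192.0.2.44/32"}],
                           "UserIdGroupPairs": []}],
    },
    {   # Step 2: private instance, SSH only from the bastion's security group
        "GroupId": PRIVATE_SG, "GroupName": "private-sg",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [],
                           "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}],
    },
]


def ssh_permissions(group: Dict) -> Iterable[Dict]:
    """Yield the inbound rules that admit TCP/22 (an all-traffic rule counts)."""
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1":                      # "All traffic": no port fields present
            yield perm
        elif proto == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]:
            yield perm


def audit_bastion(group: Dict) -> List[str]:
    """Step 1 rule: port 22 open only to a single address (/32 or /128)."""
    findings = []
    rules = list(ssh_permissions(group))
    if not rules:
        findings.append("no SSH rule: you will not be able to log in to the bastion")
    for perm in rules:
        if perm["IpProtocol"] == "-1":
            findings.append("all-traffic rule: restrict the bastion to TCP/22")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"SSH open to {cidr}: narrow it to your own address")
    return findings


def audit_private(group: Dict, bastion_sg_id: str) -> List[str]:
    """Step 2 rule: port 22 reachable only from the bastion's security group."""
    findings = []
    for perm in ssh_permissions(group):
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"SSH allowed from CIDR {cidr}: reference the bastion group instead")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != bastion_sg_id:
                findings.append(f"SSH allowed from group {pair['GroupId']}, not the bastion")
    return findings


def audit(groups: List[Dict], bastion_sg_id: str, private_sg_id: str) -> Dict[str, List[str]]:
    """Run both checks; empty lists mean the lab's two rules are as intended."""
    by_id = {g["GroupId"]: g for g in groups}
    return {"bastion": audit_bastion(by_id[bastion_sg_id]),
            "private": audit_private(by_id[private_sg_id], bastion_sg_id)}


if __name__ == "__main__":
    print(audit(SECURITY_GROUPS, BASTION_SG, PRIVATE_SG))
```

Referencing the bastion's security group (rather than its private IP) in the private instance's rule is what keeps Step 2 correct if the bastion is ever replaced and gets a new address.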

Step 3: Configure SSH Access

On your local machine, open a terminal and use the SSH key pair associated with your bastion host to connect. 

(Replace /path/to/your/keypair.pem with the path to your SSH private key file and bastion-host-public-ip with the Elastic IP of your bastion host.)

ssh -i /path/to/your/keypair.pem ec2-user@bastion-host-public-ip
SSH to the private instance

Step 4: SSH into Private Instances

On the bastion host, create a new file named DemoKeyPair.pem.

nano DemoKeyPair.pem
Command to create a new file

Paste the contents of the private key (.pem) you downloaded for the private EC2 instance into the editor.

Pasting the private key on the file

Save it (Ctrl + X, then Y to confirm).

Restrict the permissions on the .pem file so that only your user can read it; ssh refuses to use a private key that other users can read.

chmod 0400 DemoKeyPair.pem

After that, SSH from the bastion host into the private instance with that key:

ssh -i "privateInstanceKey.pem" ubuntu@private-instance-private-ip

(Replace private-instance-private-ip with the private IP address of the target private instance and privateInstanceKey.pem with the name of the .pem file you just created, DemoKeyPair.pem in this lab. The login user depends on the AMI: ubuntu for Ubuntu images, ec2-user for Amazon Linux.)

Accessing the private instance through SSH

Let’s check if there is internet access from the private instance. 

Showing there is no internet access for the private instance.

Step 5: Creating a NAT Gateway

In the VPC Dashboard, go to “NAT Gateways” and click “Create NAT Gateway.”

Creating NAT Gateway

Give the NAT Gateway a name.

Choose the public subnet where the NAT Gateway should reside.

Adding NAT Gateway configuration details

Choose the connectivity type as “Public.”

Click on “Allocate Elastic IP” to allocate an Elastic IP address for the NAT Gateway.

Then click on “Create NAT Gateway.”

Allocating elastic IP address

The gateway is being created. 

Step 6: Editing a Route Table for Private Subnet

Go to the VPC Dashboard and select “Route Tables.”

Select your route table for the private subnet.

Click on “Actions”, then on “Edit Routes.”

Editing the private subnet routes

Set the destination to “0.0.0.0/0”, the target to “NAT Gateway”, and select the NAT Gateway we just created.

Configuring the route details

Click on “Save changes.” 

Now the private subnet has a route that sends all Internet-bound traffic (0.0.0.0/0) to our NAT Gateway.
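Before moving on to the connectivity test, it is worth checking the routing from Steps 5 and 6 as a whole, because the two mistakes that most often break this lab (the NAT Gateway placed in the private subnet, or the private subnet's default route pointing at the Internet Gateway so that the subnet is not private at all) both look fine in the console. The check below is an added example, not code from the original post or from AWS; its data is constructed to mirror the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` output, and every id in it is made up.

```python
"""Verifies the routing set up in Steps 5 and 6 before you test connectivity.

Added example, not code from the original post or from AWS. The data below is
constructed to mirror the shape of `aws ec2 describe-route-tables` and
`aws ec2 describe-nat-gateways` output; every id is made up for the example.
"""
from typing import Dict, List, Optional

ROUTE_TABLES: List[Dict] = [
    {"RouteTableId": "rtb-0pub", "Associations": [{"SubnetId": "subnet-0pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-0priv", "Associations": [{"SubnetId": "subnet-0priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
NAT_GATEWAYS: List[Dict] = [
    {"NatGatewayId": "nat-0example", "SubnetId": "subnet-0pub",
     "State": "available", "ConnectivityType": "public"},
]


def table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Route table explicitly associated with the subnet (None: the VPC main table applies)."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            return table
    return None


def default_route(table: Dict) -> Optional[Dict]:
    """The 0.0.0.0/0 entry of a route table, if any."""
    return next((r for r in table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def check_private_subnet(subnet_id: str, route_tables: List[Dict], nat_gateways: List[Dict]) -> List[str]:
    """Return the problems that would stop private instances reaching the Internet,
    or that would silently make the subnet public. An empty list means all is well."""
    findings: List[str] = []
    table = table_for_subnet(route_tables, subnet_id)
    if table is None:
        return [f"{subnet_id} has no explicit route table; associate the private table (Step 6)"]
    route = default_route(table)
    if route is None:
        return [f"{table['RouteTableId']} has no 0.0.0.0/0 route: add one targeting the NAT Gateway"]
    if route.get("GatewayId", "").startswith("igw-"):
        return [f"{table['RouteTableId']} sends 0.0.0.0/0 to an Internet Gateway: the subnet is public, not private"]
    nat_id = route.get("NatGatewayId")
    if nat_id is None:
        return [f"0.0.0.0/0 in {table['RouteTableId']} targets neither a NAT Gateway nor an Internet Gateway"]
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == nat_id), None)
    if nat is None:
        return [f"{nat_id} not found; the route has nothing to deliver to"]
    if nat.get("State") != "available":
        findings.append(f"{nat_id} is {nat.get('State')}; wait until it is available (Step 7)")
    if nat.get("ConnectivityType") != "public":
        findings.append(f"{nat_id} is not a public NAT Gateway, so it cannot reach the Internet")
    # Step 5: the gateway itself must sit in a subnet that routes 0.0.0.0/0 to an Internet Gateway
    nat_table = table_for_subnet(route_tables, nat["SubnetId"])
    nat_route = default_route(nat_table) if nat_table else None
    if nat_route is None or not nat_route.get("GatewayId", "").startswith("igw-"):
        findings.append(f"{nat_id} is in {nat['SubnetId']}, which has no Internet Gateway default route; "
                        "put it in a public subnet")
    return findings


if __name__ == "__main__":
    print(check_private_subnet("subnet-0priv", ROUTE_TABLES, NAT_GATEWAYS) or "routing looks correct")
```

To run it against a real account, replace the two constructed lists with the `RouteTables` and `NatGateways` arrays from the corresponding describe calls; the check itself needs no credentials.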

Step 7: Testing Internet Connectivity

Wait for the NAT Gateway status to be changed to “available.” 

From the bastion host, SSH into your private instance again and repeat the earlier check to confirm it now has internet connectivity.

Testing the Internet connectivity

This setup lets your private instances open connections to the Internet while remaining unreachable from it: the NAT Gateway only forwards replies to connections the instances initiated. Always ensure that your security groups and route tables are set up correctly to maintain the integrity of your AWS resources.
