The topic “NAT Gateway” falls under the Design and Implementation of AWS Networks domain highlighted in the AWS blueprint for the exam guide.
What is NAT Gateway?
A NAT gateway is a managed appliance used to connect instances in your private subnet to the internet. Rather than exposing the instances in the private subnet directly via the Internet gateway, all of their outbound traffic is routed via the NAT gateway.
You can also use a NAT instance to route traffic from private instances, but a NAT gateway has the following advantages over a NAT instance:
1) High availability – NAT gateways in each Availability Zone are implemented with redundancy, so the gateway can be relied on to stay up and running. With a NAT instance, you carry the additional maintenance overhead of ensuring the instance is always up and running.
2) Bandwidth – By default, a NAT gateway supports bursts of up to 10 Gbps. For a NAT instance, the bandwidth depends on the instance type.
3) Maintenance – All maintenance of a NAT gateway is performed by AWS. With a NAT instance, you would need to perform all the maintenance yourself.
Reasons you might still choose a NAT instance are situations where you want:
1) The NAT instance to also act as a Bastion Host
2) The NAT instance to also provide port forwarding
Implementation of NAT Gateway
Step 1) First, ensure we have a custom VPC defined for this exercise. If you don’t have one, go ahead and create a custom VPC.
In our example, we have created a custom VPC with a CIDR block of 10.0.0.0/16.
Step 2) Next, ensure 2 subnets are defined in this VPC: one public subnet and one private subnet.
So below is the snapshot of the private subnet
And below is the definition of the public subnet
Step 3) We will also define a custom route table, as shown below, and attach it to the public subnet.
And below is the main route table, which is attached to the VPC and the private subnet.
Step 4) Next let’s go ahead and define 2 EC2 Instances. One in the private subnet and the other in the public subnet.
We will use the AMI type of Ubuntu and the Instance Type of t2.micro.
Here are both servers in the up and running state.
For the private server, ensure the Security Group allows incoming requests from the public server and the NAT gateway.
Here we specify the private IP of the public server for internal SSH and the private IP of the NAT gateway for internet access.
Step 5) Next we need to create the NAT gateway
Go ahead to the VPC section and create the NAT gateway.
In the definition, just choose the Subnet which is the public subnet. If you don’t have an Elastic IP, you can create a new one via this screen.
Initially, the NAT gateway will be in the pending state as it is being provisioned.
Once the NAT gateway has been provisioned it will be in the available state.
Step 6) Now we need to modify the route tables so that the main route table sends Internet-bound traffic via the NAT gateway.
Step 7) Now connect to the server in the public subnet. Ensure the pem key file is copied to that server so that we can connect onward to the private server.
Also, ensure the right permissions are set on the key file.
Now connect to the private server from the public server via the following command:
ssh -i "awsireland.pem" [email protected]
Step 8) To confirm that the private server can reach the internet, update the packages on the private server.
You will see that this works, because the private server now reaches the internet via the NAT gateway.
Important Points to Remember
- You cannot associate Security Groups with a NAT gateway. You can associate security groups with your resources behind it to control inbound and outbound traffic.
- You can use a network ACL to control the traffic to and from the subnet in which your NAT gateway resides.
- The NAT gateway must be created in the public subnet.
- After creation, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet.
- A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
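The walkthrough above and the points to remember amount to two checks on a VPC's routing: the NAT gateway sits in a subnet whose route table reaches an Internet gateway, and every private subnet's route table sends 0.0.0.0/0 to a NAT gateway. The audit below is an added example, not code from the original post or from AWS; it runs offline on constructed data shaped like trimmed EC2 describe-* results, with made-up resource IDs.

```python
"""Audit NAT gateway placement and private-subnet default routes in a VPC.

Constructed sample data for the 10.0.0.0/16 VPC from the walkthrough.
All resource IDs are placeholders, not real AWS identifiers.
"""

IGW = "igw-EXAMPLE"
NAT = "nat-EXAMPLE"

# Constructed: a public and a private subnet, the custom and main route
# tables from Step 3, and the NAT gateway from Step 5.
SUBNETS = {"subnet-public": "10.0.1.0/24", "subnet-private": "10.0.2.0/24"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-custom",
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}]},
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT}]},
]
NAT_GATEWAYS = [{"NatGatewayId": NAT, "SubnetId": "subnet-public", "State": "available"}]


def default_route(rt):
    """Return the target of the 0.0.0.0/0 route in a route table, or None."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("GatewayId") or r.get("NatGatewayId")
    return None


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def audit(subnets, route_tables, nat_gateways):
    """Return findings; an empty list means the design matches the walkthrough."""
    findings = []
    # A subnet is public when its route table has a default route to an Internet gateway.
    public = {s for s in subnets
              if str(default_route(route_table_for(s, route_tables))).startswith("igw-")}
    for ngw in nat_gateways:
        if ngw["SubnetId"] not in public:
            findings.append(f"{ngw['NatGatewayId']} is not in a public subnet")
    for s in sorted(set(subnets) - public):
        target = default_route(route_table_for(s, route_tables))
        if not str(target).startswith("nat-"):
            findings.append(f"{s} has no default route via a NAT gateway (got {target})")
    return findings
```

Running `audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS)` on the sample data returns no findings; moving the NAT gateway into the private subnet, or dropping the NAT route from the main table, produces one finding each.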