Amazon AWS : How To Create NAT Instance in VPC, EC2.

This tutorial will help you configure a NAT instance easily and run private instances behind it which is able to connect to the internet for downloading updates and installing packages.

For that in short we will be performing the following steps,

1] Create a new VPC

2] Create 2 Subnets, One will be a Public Subnet (Route Table Will Be Having IGW Configured) and other will be a Private Subnet.

3] Create 2 Route table, One for Public and other for Private subnet.

4] We will launch an Amazon Linux instance (NAT) in Public Subnet.

5] Configure route table for Private Subnet in such a way that it is configured to talk to the NAT instance we created.

Let us begin,

Create A New VPC
—————

Go to https://console.aws.amazon.com/vpc/

Click on Create VPC, and Provide the details. Here I am using the CIDR block as 10.1.0.0/16. You may use your own as per your requirement. Provide relevant Name Tag and leave all other as default. Hit “Yes, Create” button. The Name I have given for this VPC is “MyNewVPC”

Create 2 Subnets
—————

Go to https://console.aws.amazon.com/vpc/home?region=us-east-1#subnets: (Make sure to change the region accordingly, Here I am using US-EAST-1)

Click on “Create Subnet” and Provide relavent Name Tag I have given as “MyPublicSubnet”, Select the VPC we have just created and add the IPV4 CIDR block as 10.1.1.0/24. Hit “Yes, Create” button

Now let us click on “Create Subnet” again and provide relavent Name Tag I have given as “MyPrivateSubnet”, Select the VPC we have just created and add the IPV4 CIDR block as 10.1.2.0/24. Hit “Yes, Create” button

Now we have both Private and Public subnet created for our VPC.

Create 2 Route table
—————–

Go to https://console.aws.amazon.com/vpc/home?region=us-east-1#routetables: (Make sure to change the region accordingly, Here I am using US-EAST-1)

Click on “Create Route Table” and Provide relevant name then select the VPC we have created and click on “Yes, Create”.  I have created two routes and named them as “My_Public” and “My_Private”

Next step is to modify the Subnets associated with the above route tables we have created. For that go to Subnets > Select “My_Public” > Click on “Subnet Associations” tab and hit EDIT , Select “MyPublicSubnet” and hit Associate. Do the same for “My_Private” with the Subnet associated as “MyPrivateSubnet”. Screenshot below is only for Public Route table.

Create IGW and Attach to VPC
———————–
Go to https://console.aws.amazon.com/vpc/home?region=us-east-1#igws: (Make sure to change the region accordingly, Here I am using US-EAST-1)

Click “Create Internet Gateway”, Name it as “My Own IGW” and hit “Yes, Create”. Once that is done select this IGW you have created and Click on “Attach to VPC” . Select “MyNewVPC”

Modify Route Tables
—————–

The next step is to Modify the Public Route table we have created and add target as the new IGW created in the step above.

In the VPC console, Click “Route Table”, Select the “My_Public” and hit “Routes” tab. Click EDIT

Add destination as “0.0.0.0/0” and Target as “igw-xxxxxxxx” . This will be the IGW we have attached to the VPC. We are all set now.

Launch a new Amazon Linux Instance
————

While launching the instance in Step 3: Configure Instance Details, Make sure to select NETWORK as “MyNewVPC” and Subnet as “MyPublicSubnet”. Auto-assign Public IP option should be Enabled. Leave everything else as default (I have selected Amazon Linux as OS and t2.micro instance type) and Launch instance.

Configure NAT Instance Using IP Tables
———————-

1] Login to NAT Instance using SSH

2] Run this command

sudo iptables -A POSTROUTING -t nat -s 10.1.2.0/24 -j MASQUERADE

3] List IP tables to confirm that the rule is added “iptables -L -t nat” , you should see a similar output as shown below

$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  ip-10-1-2-0.ec2.internal/24  anywhere
$

4] Now enable IP forward,

$ sudo bash -c 'echo "1" > /proc/sys/net/ipv4/ip_forward'
$ cat /proc/sys/net/ipv4/ip_forward
1
$

To make IP_FORWARD permanent after Reboot, Please run this command “sudo sysctl -w net.ipv4.ip_forward=1”

5] Disable source and destination check on this NAT instance from the AWS console. Go To Instances > Select the NAT instnace your have created > Under ACTIONS > NETWORKING click on “Change Source/Dest. Check” and disable it. More information can be found here – http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

5] Let us change the Route table for private route “My_Private” and add this NAT instance as the destination for 0.0.0.0/0

You are all set with NAT instance now. If you are seeing  “Black Hole” as the status check whether the NAT instance is up and running and configured correctly.

Let us launch a private instance and try to connect to it through the NAT instance you have created. You may need to use AGENT Forwarding make sure you allow agent forwarding or Copy the Keypair to the NAT instance and then connect to the private instance using that key which is not always a good practice.

NOTE: You may need to Edit the Security Group of the NAT Instance and Allow HTTP / HTTPS from the Source for example here private subnet CIDR 10.1.2.0/24 or the private istances Security Group.

Then run “yum install telnet” to check whether the private instance is able to connect to internet. Make sure you launch a private instance Under NEW VPC which we have created and with Private Subnet selected.

Leave a Reply

Your email address will not be published. Required fields are marked *