Recent Changes - Search:


Code:


Social:


My journals will take the place of a blog. If you go to the Journal page there is an RSS feed to subscribe with.

(:blogcal group=Journal:)


Sites I take responsibility for

West Volusia, Florida

Documents

Technical

General

Me

Living

Places I frequent

Hobbies

Humor

Items for sale:


Clipboard

edit SideBar

Creating a VPC NAT and Internet Gateway in your VPC

Include our styles below Infobox - invoke as >>infobox<< ... >><<

Codebox: - invoke as >>codebox<< ... >><<

warnbox: - invoke as >>codebox<< ... >><<

editingbox: - invoke as >>codebox<< ... >><<

noticebox: - invoke as >>codebox<< ... >><<

Page bread crumbs: Main - MyPublicTechnicalNotes - SoftwareAndOperatingSystems - Software - Cloud - AWS - HOWTOs - VPCNAT

Pages by tags: (:listtags:)
Subscribe to this wiki: RSS Feed RSS or subscribe to this page for changes: RSS Feed RSS
496 articles have been published so far. Recent changes
(:addThis btn="custom":)

2016-03-22: This site is being moved to my main site at https://kevininscoe.com/wiki as part of a consolidation to one domain.


Subtitle: Adding Internet access outbound to your VPC network.

First if you are wondering what a VPC (Virtual Private Cloud) is read here: http://aws.amazon.com/vpc/faqs/

Problem: I have one VPC with VPN server deployed with our home network and five instances within that VPC, For VPC none are using Elastic IP address for VPC, all instances are running on 10.x.x.0 subnet. We are able to connect the instances using open VPN client. Now our requirement is to have internet for all the instances using Internet gateway configuration. To make this possible what kind of modifications and or additions should I do to my existing network?

Solution: Each subnet has a route table. If you want all instances in a particular subnet to have internet access, you should modify the corresponding route table with a route via the Internet Gateway (igw-xxxxx). This will require every instance to have an Elastic IP associated to it (which exposes your instance to the Internet) or use a NAT instance and forward Internet traffic to this single instance acting as a NAT. That way, all your VPC instances will not be directly accessible from the Internet but will still be able to communicate publicly via the NAT instance.

AWS instructions can be found here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html, http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html#VPC_Scenario2_Implementation, http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html and also http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

First create the Internet Gateway if it does not already exist:

http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/Wizard.html

Adding an Internet Gateway to Your VPC. Instances that you launch into a non-default subnet can't communicate with the Internet automatically. You can enable Internet access for instances that you launch into a non-default subnet by attaching an Internet gateway to the VPC, creating a custom route table, updating your security group rules, and associating an Elastic IP address with each instance.

It's important to note the IGW will only associate with one subnet. Therefore we must create what we will refer to as the "public" subnet. Everything on this subnet will automatically reach

  1. Visit AWS Console->VPC->Internet Gateways->Create Internet Gateway. Now select the IGW you have just created and click on the Attach to VPC button and associate with the VPC you want NAT'ed.

Second create an alternate route table for use by our NAT instance:

  1. Visit AWS Console->VPC->Route Tables->Create Route Tables->Use the value 0.0.0.0/0 igw-8588dee9 (the IGW id created by the first step above).

Third create a new public subnet:

  1. Visit AWS Console->VPC->Subnets->Create subnets. Since the NAT instance will be likely the only one on this subnet you can make it small. In my case 10.33.9.0/24.

Fourth build the NAT instance:

Launch an new m1.small instance from ami-vpc-nat-beta and add an Elastic IP to it.

  1. Visit the AWS Console (https://console.aws.amazon.com/) and select EC2 Dashboard service.
  2. EC2->Launch Instance->Classic Wizzard->Community AMI's->Search->"vpc-nat". In my case I selected amazon/ami-vpc-nat-1.1.0-beta.x86-64-ebs AMI ID: ami-f619c29f. Launch into: EC2-VPC. Chose a subnet the flow will be controlled by the route table. To make things more clear you could but the NAT instance into it's own private subnet. In this case 10.33.9.0/24. Be sure to use a unique VPC security group that we will edit later. I called it "NATSG" but you can call it anything.
  3. Instance type: m1.small (1.7GB of memory). You should use at least 1GB of memory for network activity.
  4. Select "Prevention against accidental termination."
  5. Number of Network Interfaces: 1. Select the private network for the first interface. We will add the Elastic IP on a later step.
  6. Now create an Elastic IP for this instance: Elastic IP's->Allocate New Address->EIP used in->VPC>Yes Allocate. Select the EIP and right click on it and chose Associate and select NAT instance.Use the default private subnet unless you have multiple. Click Yes Associate.

Fifth we need to create a new route for our main route table:

  1. Visit AWS Console->VPC->Route Tables->Select the main route table associated with your VPC that you want NAT'ed->Scroll to the bottom of the list of routes->Enter 0.0.0.0/0 (the default route) in the empty blue box->Select the EIP-ID of the EIP when you created the NAT instance and click Add.

Create a custom route table

Sixth edit the security group to allow access:

  1. Now we need to edit your security group to allow inbound SSH access and outbound http (port 80) and https (port 443) (and whatever other ports you need outbound). Visit Security Groups->NATSG (or whatever you called it)->Inbound 22 (SSH) 0.0.0.0/0. Then visit the Outbound tab and add 80 (HTTP) 0.0.0.0/0 and 443(HTTPS)0.0.0.0/0. Test access to your new NAT instance by accessing with SSH and applying the updates.
  2. Apply the Amazon Linux updates: $ sudo yum update

Seventh associate your subnet routes with the main route if not already done so:

  1. Visit AWS Console->VPC->Route Tables->Select the main route table for your VPC->Select Associations Tab->Associate each of your private subnets you want associated with the default route to pass to the internet.

Kevin's Public Wiki maintained and created by Kevin P. Inscoe is licensed under a
Creative Commons Attribution 3.0 United States License.

Back to my web site - http://kevininscoe.com

Edit - History - Print - Recent Changes - Search
Page last modified on May 14, 2013, at 03:15 PM EST