Amazon Virtual Private Cloud
User Guide (API Version 2014-10-01)

Internet Gateways

An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. An Internet gateway serves two purposes: to provide a target in your VPC route tables for Internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IP addresses.

To enable access to or from the Internet for instances in a VPC subnet, you must attach an Internet gateway to your VPC, ensure that your subnet's route table points to the Internet gateway, ensure that instances in your subnet have public IP addresses or Elastic IP addresses, and ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.

To use an Internet gateway, your subnet's route table must contain a route that directs Internet-bound traffic to the Internet gateway. You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0), or you can scope the route to a narrower range of IP addresses; for example, the public IP addresses of your company's public endpoints outside of AWS, or the Elastic IP addresses of other Amazon EC2 instances outside your VPC. If your subnet is associated with a route table that has a route to an Internet gateway, it's known as a public subnet. However, the Internet gateway route is not sufficient to provide Internet access to instances in the subnet. For more information about public and private subnets, see Your VPC with Subnets.

To enable an instance in your public subnet to communicate with the Internet, it must have a public IP address or an Elastic IP address that's associated with a private IP address on your instance. Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet. The Internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the Internet, the reply address field is set to the public IP address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that's destined for the public IP address or Elastic IP address of your instance has its destination address translated into the instance's private IP address before the traffic is delivered to the VPC.

Your default VPC comes with an Internet gateway, and instances launched into a default subnet receive a public IP address by default, unless you specify otherwise during launch, or you modify the subnet's public IP address attribute. Therefore, instances that you launch into a default subnet can automatically communicate with the Internet. For more information, see Your Default VPC and Subnets.

Instances that you launch into a nondefault subnet may or may not be able to communicate with the Internet, depending on how you create and configure your VPC. For example, if you use the VPC wizard to create your VPC, depending on the option that you select, the VPC wizard adds an Internet gateway to your VPC and updates the route table so that your instances can communicate with the Internet. For more information about using the VPC wizard to create a subnet with an Internet gateway, see Scenario 1: VPC with a Public Subnet Only or Scenario 2: VPC with Public and Private Subnets. Instances that you launch into a nondefault subnet do not receive a public IP address by default and therefore can't communicate with the Internet, unless you specifically assign one during launch, or you modify the subnet's public IP address attribute. For more information about assigning a public IP address at launch, see Assigning a Public IP Address During Launch. For more information about modifying your subnet's public IP addressing attribute, see Modifying Your Subnet's Public IP Addressing Behavior.

When you add a new subnet to your VPC, you must set up the routing and security that you want for the subnet.
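The conditions above (an attached Internet gateway, a subnet route to it that covers the remote address, a public or Elastic IP that the gateway maps one-to-one onto the private IP, and a security group rule that permits the traffic) can be checked mechanically. The following is an added example, not AWS code: every class, function, gateway ID and address in it is constructed for illustration, and it deliberately leaves out network ACLs, which the guide also names as a condition. It also shows the longest-prefix route selection that makes the narrower route scope mentioned above work.

```python
"""Model of the Internet-reachability conditions for an instance in a VPC
subnet. Added example, not AWS code; all classes, IDs and addresses below are
constructed for illustration. Network ACLs are not modelled."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    destination: str  # CIDR the route covers, e.g. "0.0.0.0/0"
    target: str       # "local" or the ID of an Internet gateway


@dataclass
class SecurityGroup:
    # Rules are (protocol, port, cidr); protocol "-1" and port None are wildcards,
    # which is how the default group's "all outbound" rule is expressed here.
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass
class Instance:
    private_ip: str
    public_ip: Optional[str]          # public or Elastic IP, None if none assigned
    security_group: SecurityGroup


@dataclass
class Vpc:
    cidr: str
    internet_gateway: Optional[str]   # ID of the attached gateway, None if detached
    routes: list                      # the route table associated with the subnet


def select_route(routes, remote_ip):
    """Longest-prefix match: the most specific route whose CIDR covers remote_ip."""
    ip = ipaddress.ip_address(remote_ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def rule_permits(rules, protocol, port, remote_ip):
    """True if any rule matches the protocol, port and remote address."""
    remote = ipaddress.ip_address(remote_ip)
    for rule_proto, rule_port, cidr in rules:
        proto_ok = rule_proto in ("-1", protocol)
        port_ok = rule_port is None or rule_port == port
        if proto_ok and port_ok and remote in ipaddress.ip_network(cidr):
            return True
    return False


def internet_reachability(vpc, instance, remote_ip, protocol, port, inbound=True):
    """Return (ok, reason). inbound=True models an Internet client connecting to
    the instance; inbound=False models the instance connecting out."""
    if vpc.internet_gateway is None:
        return False, "no Internet gateway is attached to the VPC"
    route = select_route(vpc.routes, remote_ip)
    if route is None or route.target != vpc.internet_gateway:
        via = route.target if route else "no route"
        return False, f"route for {remote_ip} is {via}, not the Internet gateway"
    if instance.public_ip is None:
        return False, "instance has no public or Elastic IP, so the gateway cannot NAT for it"
    rules = instance.security_group.inbound if inbound else instance.security_group.outbound
    direction = "from" if inbound else "to"
    if not rule_permits(rules, protocol, port, remote_ip):
        return False, f"security group does not allow {protocol}/{port} {direction} {remote_ip}"
    return True, f"ok: gateway translates {instance.public_ip} <-> {instance.private_ip}"


# Constructed sample: a public subnet whose route table has the 0.0.0.0/0 route.
SAMPLE_GATEWAY = "igw-EXAMPLE"   # placeholder ID, not a real gateway


def sample_public_vpc(routes=None):
    default = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", SAMPLE_GATEWAY)]
    return Vpc(cidr="10.0.0.0/16", internet_gateway=SAMPLE_GATEWAY,
               routes=default if routes is None else routes)


def sample_web_instance(public_ip="203.0.113.5"):
    group = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")],
                          outbound=[("-1", None, "0.0.0.0/0")])
    return Instance(private_ip="10.0.1.10", public_ip=public_ip, security_group=group)


if __name__ == "__main__":
    vpc, client = sample_public_vpc(), "198.51.100.7"
    print(internet_reachability(vpc, sample_web_instance(), client, "tcp", 443))
    print(internet_reachability(vpc, sample_web_instance(public_ip=None), client, "tcp", 443))
    print(internet_reachability(vpc, sample_web_instance(), client, "tcp", 22))
```

Each failure reason names the missing condition, which is the order in which to check a subnet that "should" be public but is not: gateway, route, address, then group rules.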

Creating a VPC with an Internet Gateway

The following sections describe how to set up a subnet manually to support Internet access.

When you are finished setting up the subnet, your VPC is configured as shown in the following diagram.

Using an Internet gateway

Creating a Subnet

To add a subnet to your VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Subnets, and then click Create Subnet.

  3. In the Create Subnet dialog box, select the VPC, select the Availability Zone, specify the CIDR range for the subnet, and then click Yes, Create.

For more information about subnets, see Your VPC and Subnets.

Attaching an Internet Gateway

To create an Internet gateway and attach it to your VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Internet Gateways, and then click Create Internet Gateway.

  3. In the Create Internet Gateway dialog box, you can optionally name your Internet gateway, and then click Yes, Create.

  4. Select the Internet gateway that you just created, and then click Attach to VPC.

  5. In the Attach to VPC dialog box, select your VPC from the list, and then click Yes, Attach.

Creating a Custom Route Table

When you create a subnet, we automatically associate it with the main route table for the VPC. By default, the main route table doesn't contain a route to an Internet gateway. The following procedure creates a custom route table with a route that sends traffic destined outside the VPC to the Internet gateway, and then associates it with your subnet.

To create a custom route table

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Route Tables, and then click Create Route Table.

  3. In the Create Route Table dialog box, optionally name your route table, then select your VPC, and then click Yes, Create.

  4. Select the custom route table that you just created. The details pane displays tabs for working with its routes, associations, and route propagation.

  5. On the Routes tab, click Edit, specify 0.0.0.0/0 in the Destination box, select the Internet gateway ID in the Target list, and then click Save.

  6. On the Subnet Associations tab, click Edit, select the Associate check box for the subnet, and then click Save.

For more information about route tables, see Route Tables.

Updating the Security Group Rules

Your VPC comes with a default security group. Each instance that you launch into a VPC is automatically associated with its default security group. The default settings for a default security group allow no inbound traffic from the Internet and allow all outbound traffic to the Internet. Therefore, to enable your instances to communicate with the Internet, create a new security group that allows the inbound traffic your public instances need to accept from the Internet.

To create a new security group and associate it with your instances

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Security Groups, and then click Create Security Group.

  3. In the Create Security Group dialog box, specify a name for the security group and a description. Select the ID of your VPC from the VPC list, and then click Yes, Create.

  4. Select the security group. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

  5. On the Inbound Rules tab, click Edit. Click Add Rule, and complete the required information. For example, select HTTP or HTTPS from the Type list, and enter the Source as 0.0.0.0/0. Click Save when you're done.

  6. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  7. In the navigation pane, click Instances.

  8. Right-click the instance, and then select Change Security Groups.

  9. In the Change Security Groups dialog box, clear the check box for the currently selected security group, and select the new one. Click Assign Security Groups.

For more information about security groups, see Security Groups for Your VPC.

Adding Elastic IP Addresses

After you've launched an instance into the subnet, you must assign it an Elastic IP address if you want it to be reachable from the Internet.

Note

If you assigned a public IP address to your instance during launch, then your instance is reachable from the Internet, and you do not need to assign it an Elastic IP address. For more information about IP addressing for your instance, see IP Addressing in Your VPC.

To allocate an Elastic IP address and assign it to an instance using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Elastic IPs.

  3. Click Allocate New Address.

  4. In the Allocate New Address dialog box, in the Network platform list, select EC2-VPC, and then click Yes, Allocate.

  5. Select the Elastic IP address from the list, and then click Associate Address.

  6. In the Associate Address dialog box, select Instance or Network Interface from the Associate with list, and then select the instance or network interface ID. Select the private IP address to associate the Elastic IP address with from the Private IP address list, and then click Yes, Associate.

For more information about Elastic IP addresses, see Elastic IP Addresses.
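The whole procedure above (create the subnet, create and attach the Internet gateway, create a custom route table with the 0.0.0.0/0 route and associate it, create a security group with an inbound rule, then assign the group and an Elastic IP to an instance) maps onto EC2 API calls, as the API and Command Overview at the end of this page notes. The following is an added example, not AWS code: the boto3 method and parameter names are the real ones, while the VPC, subnet and instance values, the placeholder IDs, and the FakeEc2 test double that lets the orchestration run without an AWS account are constructed for this example.

```python
"""The guide's console procedure expressed as EC2 API calls through boto3.
Added example, not AWS code. boto3 method and parameter names are real; the
IDs, CIDR, zone and the FakeEc2 test double are constructed for this example."""


def create_public_subnet(ec2, vpc_id, cidr_block, availability_zone, group_name="public-web"):
    """Create the subnet, the gateway, the route table and the security group,
    in the order the guide uses; returns the IDs of everything created."""
    subnet_id = ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr_block,
                                  AvailabilityZone=availability_zone)["Subnet"]["SubnetId"]
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)  # must precede the route
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    # Anything not covered by the local route goes to the gateway; associating the
    # table with the subnet is what makes the subnet public.
    ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw_id)
    ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)
    # The default group allows no inbound traffic, so a new group opens only what the instance serves.
    sg_id = ec2.create_security_group(GroupName=group_name, Description="Public web instances",
                                      VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return {"subnet": subnet_id, "internet_gateway": igw_id,
            "route_table": rtb_id, "security_group": sg_id}


def expose_instance(ec2, instance_id, security_group_id):
    """Attach the new group to an instance already launched into the subnet and
    give it an Elastic IP (not needed if it received a public IP at launch)."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[security_group_id])
    allocation = ec2.allocate_address(Domain="vpc")
    ec2.associate_address(AllocationId=allocation["AllocationId"], InstanceId=instance_id)
    return allocation["PublicIp"]


class FakeEc2:
    """Offline test double (constructed): records every call and returns the
    response shapes the real client would, with placeholder IDs."""
    _responses = {
        "create_subnet": lambda n: {"Subnet": {"SubnetId": f"subnet-{n:08x}"}},
        "create_internet_gateway": lambda n: {"InternetGateway": {"InternetGatewayId": f"igw-{n:08x}"}},
        "create_route_table": lambda n: {"RouteTable": {"RouteTableId": f"rtb-{n:08x}"}},
        "create_security_group": lambda n: {"GroupId": f"sg-{n:08x}"},
        "allocate_address": lambda n: {"AllocationId": f"eipalloc-{n:08x}", "PublicIp": "203.0.113.5"},
    }

    def __init__(self):
        self.calls = []   # (method name, keyword arguments), in call order

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            make = self._responses.get(name)
            return make(len(self.calls)) if make else {"Return": True}
        return call


def run_with_boto3(region, vpc_id, cidr_block, availability_zone, instance_id):
    """Same steps against a real account (needs credentials and boto3 installed;
    instance_id must already be launched into the new subnet)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ids = create_public_subnet(ec2, vpc_id, cidr_block, availability_zone)
    return ids, expose_instance(ec2, instance_id, ids["security_group"])


if __name__ == "__main__":
    ec2 = FakeEc2()   # placeholder IDs below are constructed, not real resources
    ids = create_public_subnet(ec2, "vpc-EXAMPLE", "10.0.1.0/24", "us-east-1a")
    print(ids, expose_instance(ec2, "i-EXAMPLE", ids["security_group"]))
```

The ordering inside create_public_subnet matters: the gateway has to be attached before a route can target it, and the route table has to be associated with the subnet before the subnet counts as public. Keeping the functions free of any boto3 import lets the same orchestration be exercised against the recorded call list before it touches an account.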

Detaching an Internet Gateway from Your VPC

If you no longer need Internet access for instances that you launch into a nondefault VPC, you can detach an Internet gateway from a VPC. You can't detach an Internet gateway if the VPC has instances with associated Elastic IP addresses.

To detach an Internet gateway

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Elastic IPs.

  3. Select the IP address, click Disassociate Address, and then click Yes, Disassociate.

  4. In the navigation pane, click Internet Gateways.

  5. Select the Internet gateway and click Detach from VPC.

  6. In the Detach from VPC dialog box, click Yes, Detach.

Deleting an Internet Gateway

If you no longer need an Internet gateway, you can delete it. You can't delete an Internet gateway if it's still attached to a VPC.

To delete an Internet gateway

  1. Select the Internet gateway and click Delete.

  2. In the Delete Internet Gateway dialog box, click Yes, Delete.

API and Command Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available API actions, see Accessing Amazon VPC.

Create an Internet gateway

Attach an Internet gateway to a VPC

Describe an Internet gateway

Detach an Internet gateway from a VPC

Delete an Internet gateway