Amazon Virtual Private Cloud
User Guide (API Version 2014-10-01)

Adding an Internet Gateway to Your VPC

By default, instances that you launch into a virtual private cloud (VPC) can't communicate with the Internet. You can enable access to the Internet from your VPC by attaching an Internet gateway to the VPC, ensuring that your instances have a public IP address, creating a custom route table, and updating your security group rules.

Your default VPC comes with an Internet gateway, and instances launched into a default subnet receive a public IP address by default, unless you specify otherwise during launch, or you modify the subnet's public IP address attribute. Therefore, instances that you launch into a default subnet can automatically communicate with the Internet. For more information, see Your Default VPC and Subnets.

Instances that you launch into a nondefault subnet do not receive a public IP address by default and therefore can't communicate with the Internet, unless you specifically assign one during launch, or you modify the subnet's public IP address attribute. For more information about assigning a public IP address at launch, see Assigning a Public IP Address During Launch. For more information about modifying your subnet's public IP addressing attribute, see Modifying Your Subnet's Public IP Addressing Behavior. You can also enable Internet access for instances that you launch into a nondefault subnet by attaching an Internet gateway to the VPC, creating a custom route table, updating your security group rules, and associating an Elastic IP address with each instance.

When you add a new subnet to your VPC, you must set up the routing and security that you want for the subnet. You can do this manually, as described on this page, or use the VPC wizard to simplify the process. For example, depending on the option that you select, the VPC wizard adds an Internet gateway to your VPC and updates the route table so that your instances can communicate with the Internet. For more information about using the VPC wizard to create a subnet with an Internet gateway, see Scenario 1: VPC with a Public Subnet Only or Scenario 2: VPC with Public and Private Subnets.

The following sections describe how to set up a subnet manually to support Internet access.

When you are finished setting up the subnet, your VPC is configured as shown in the following diagram.

[Diagram: Using an Internet gateway]

Creating a Subnet

To add a subnet to your VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Subnets, and then click Create Subnet.

  3. In the Create Subnet dialog box, select the VPC, select the Availability Zone, specify the CIDR range for the subnet, and then click Yes, Create.

For more information about subnets, see Your VPC and Subnets.

Attaching an Internet Gateway

To create an Internet gateway and attach it to your VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Internet Gateways, and then click Create Internet Gateway.

  3. In the Create Internet Gateway dialog box, you can optionally name your Internet gateway, and then click Yes, Create.

  4. Select the Internet gateway that you just created, and then click Attach to VPC.

  5. In the Attach to VPC dialog box, select your VPC from the list, and then click Yes, Attach.

Creating a Custom Route Table

When you create a subnet, we automatically associate it with the main route table for the VPC. By default, the main route table doesn't contain a route to an Internet gateway. The following procedure creates a custom route table with a route that sends traffic destined outside the VPC to the Internet gateway, and then associates it with your subnet.

To create a custom route table

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Route Tables, and then click Create Route Table.

  3. In the Create Route Table dialog box, optionally name your route table, then select your VPC, and then click Yes, Create.

  4. Select the custom route table that you just created. The details pane displays tabs for working with its routes, associations, and route propagation.

  5. On the Routes tab, click Edit, specify 0.0.0.0/0 in the Destination box, select the Internet gateway ID in the Target list, and then click Save.

  6. On the Subnet Associations tab, click Edit, select the Associate check box for the subnet, and then click Save.

For more information about route tables, see Route Tables.

Updating the Security Group Rules

Your VPC comes with a default security group. Each instance that you launch into a VPC is automatically associated with its default security group. The default settings for a default security group allow no inbound traffic from the Internet and allow all outbound traffic to the Internet. Therefore, to enable your instances to communicate with the Internet, create a new security group that allows public instances to access the Internet.

To create a new security group and associate it with your instances

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Security Groups, and then click Create Security Group.

  3. In the Create Security Group dialog box, specify a name for the security group and a description. Select the ID of your VPC from the VPC list, and then click Yes, Create.

  4. Select the security group. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

  5. On the Inbound Rules tab, click Edit. Click Add Rule, and complete the required information. For example, select HTTP or HTTPS from the Type list, and enter the Source as 0.0.0.0/0. Click Save when you're done.

  6. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  7. In the navigation pane, click Instances.

  8. Right-click the instance, and then select Change Security Groups.

  9. In the Change Security Groups dialog box, clear the check box for the currently selected security group, and select the new one. Click Assign Security Groups.

For more information about security groups, see Security Groups for Your VPC.

Adding Elastic IP Addresses

After you've launched an instance into the subnet, you must assign it an Elastic IP address if you want it to be reachable from the Internet.

Note

If you assigned a public IP address to your instance during launch, then your instance is reachable from the Internet, and you do not need to assign it an Elastic IP address. For more information about IP addressing for your instance, see IP Addressing in Your VPC.

To allocate an Elastic IP address and assign it to an instance using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Elastic IPs.

  3. Click the Allocate New Address button.

  4. In the Allocate New Address dialog box, in the Network platform list, select EC2-VPC, and then click Yes, Allocate.

  5. Select the Elastic IP address from the list, and then click the Associate Address button.

  6. In the Associate Address dialog box, select Instance or Network Interface from the Associate with list, and then either the instance or network interface ID. Select the private IP address to associate the Elastic IP address with from the Private IP address list, and then click Yes, Associate.

For more information about Elastic IP addresses, see Elastic IP Addresses.
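
The sections above name four prerequisites for an instance to be reachable from the Internet: a route to an Internet gateway in the subnet's effective route table, a public or Elastic IP address, and a security group rule that admits the traffic. The following Python audit is an added example, not part of the original guide. It runs over constructed sample data shaped like EC2 Describe* responses and reports which prerequisites each instance lacks. All resource IDs and addresses are made up, and it checks only the exact 0.0.0.0/0 destination and source used on this page.

```python
ANY = "0.0.0.0/0"

# Constructed sample data, shaped like EC2 Describe* API responses.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-custom", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY, "GatewayId": "igw-1"}]},
]
SECURITY_GROUPS = {  # GroupId -> IpPermissions
    "sg-default": [{"IpProtocol": "-1", "IpRanges": [],
                    "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
    "sg-web": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": ANY}]}],
}
INSTANCES = [  # an associated Elastic IP also appears as PublicIpAddress
    {"InstanceId": i, "VpcId": "vpc-1", "SubnetId": s,
     "SecurityGroups": [{"GroupId": g}], "PublicIpAddress": ip}
    for i, s, g, ip in [("i-web", "subnet-pub", "sg-web", "203.0.113.10"),
                        ("i-noroute", "subnet-priv", "sg-web", "203.0.113.11"),
                        ("i-noip", "subnet-pub", "sg-web", None),
                        ("i-closed", "subnet-pub", "sg-default", "203.0.113.12")]]

def effective_route_table(instance):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    tables = [t for t in ROUTE_TABLES if t["VpcId"] == instance["VpcId"]]
    def pick(match):
        return next((t for t in tables if any(match(a) for a in t["Associations"])), None)
    return (pick(lambda a: a.get("SubnetId") == instance["SubnetId"])
            or pick(lambda a: a.get("Main")))

def missing_for_internet(instance):
    """Return which prerequisites from this page the instance lacks."""
    routes = (effective_route_table(instance) or {"Routes": []})["Routes"]
    perms = [p for g in instance["SecurityGroups"] for p in SECURITY_GROUPS[g["GroupId"]]]
    checks = {
        "igw-route": any(r.get("DestinationCidrBlock") == ANY and
                         r.get("GatewayId", "").startswith("igw-") for r in routes),
        "public-ip": bool(instance.get("PublicIpAddress")),
        "inbound-from-anywhere": any(r.get("CidrIp") == ANY for p in perms
                                     for r in p.get("IpRanges", [])),
    }
    return [name for name, ok in checks.items() if not ok]

for i in INSTANCES:
    print(i["InstanceId"], missing_for_internet(i) or "reachable from the Internet")
```

An instance with an empty result satisfies every prerequisite; review it as Internet-facing. Each of the other three lacks exactly one.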

Detaching an Internet Gateway from Your VPC

If you no longer need Internet access for instances that you launch into a nondefault VPC, you can detach an Internet gateway from a VPC. You can't detach an Internet gateway if the VPC has instances with associated Elastic IP addresses.

To detach an Internet gateway

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Elastic IPs.

  3. Select the IP address, click the Disassociate Address button, and then click Yes, Disassociate.

  4. In the navigation pane, click Internet Gateways.

  5. Select the Internet gateway and click Detach from VPC.

  6. In the Detach from VPC dialog box, click Yes, Detach.

Deleting an Internet Gateway

If you no longer need an Internet gateway, you can delete it. You can't delete an Internet gateway if it's still attached to a VPC.

To delete an Internet gateway

  1. Select the Internet gateway and click Delete.

  2. In the Delete Internet Gateway dialog box, click Yes, Delete.

API and Command Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available APIs, see Accessing Amazon VPC.

Create an Internet gateway

Attach an Internet gateway to a VPC

Describe an Internet gateway

Detach an Internet gateway from a VPC

Delete an Internet gateway