Amazon Virtual Private Cloud
User Guide (API Version 2014-06-15)

NAT Instances

Instances that you launch into a private subnet in a virtual private cloud (VPC) can't communicate with the Internet. You can optionally use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.

For a general overview of VPCs and subnets, see What is Amazon VPC?. For more information about public and private subnets, see Subnet Routing.

Note

We use the term NAT instance; however, the primary role of a NAT instance is actually port address translation (PAT). We chose to use the more widely known term, NAT. For more information about NAT and PAT, see the Wikipedia article about network address translation.

NAT Instance Basics

The following figure illustrates the NAT instance basics. The main route table sends the traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance rewrites the source address of each outbound packet to its own address and sends the traffic to the Internet gateway for the VPC, so on the Internet the traffic is attributed to the Elastic IP address of the NAT instance. For each flow the NAT instance picks a distinct high source port and records which private instance and port that flow belongs to; when a response comes back addressed to that port, the NAT instance uses the record to deliver it to the right instance in the private subnet. A packet from the Internet that matches no record is not forwarded, which is what keeps the private instances unreachable from outside.

(Figure: NAT instance setup)
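The translation described above, as an added example: a Python model of the port mapping table a NAT instance keeps. It is not code from this guide or from Amazon's NAT AMI, which does the same job in the kernel; the private subnet 10.0.1.0/24, the Elastic IP 54.0.0.123 and the port range are assumptions for illustration.

```python
"""Toy model of the port address translation (PAT) a NAT instance performs.

Added example, not code from the AWS guide or from the Amazon NAT AMI.
Assumed for illustration: 10.0.1.0/24 is the private subnet, 54.0.0.123
stands in for the NAT instance's Elastic IP, and the port range mimics the
Linux ephemeral range.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# 5-tuple of a private instance's flow, as it left the private subnet
FlowKey = Tuple[str, str, int, str, int]


class NatInstance:
    def __init__(self, elastic_ip: str, private_cidr: str,
                 port_range: Tuple[int, int] = (32768, 60999)) -> None:
        self.elastic_ip = elastic_ip
        self.private_net = ipaddress.ip_network(private_cidr)
        self.next_port, self.last_port = port_range
        self.by_flow: Dict[FlowKey, int] = {}               # flow -> port chosen on the EIP
        self.by_port: Dict[Tuple[str, int], FlowKey] = {}   # (proto, EIP port) -> flow

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Private instance -> Internet gateway: source becomes EIP:<high port>."""
        if ipaddress.ip_address(pkt.src_ip) not in self.private_net:
            raise ValueError(f"{pkt.src_ip} is not in {self.private_net}; not translating")
        flow: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:                      # first packet of the flow: pick a fresh port
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port range exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = port
            self.by_port[(pkt.proto, port)] = flow
        return replace(pkt, src_ip=self.elastic_ip, src_port=port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet gateway -> NAT instance. Only a reply to a recorded flow is
        forwarded; None means "not for a private instance", which is why hosts
        on the Internet cannot reach the private subnet through the NAT instance."""
        if pkt.dst_ip != self.elastic_ip:
            return None
        flow = self.by_port.get((pkt.proto, pkt.dst_port))
        if flow is None:
            return None
        _proto, src_ip, src_port, dst_ip, dst_port = flow
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None                       # a reply must come from the flow's peer
        return replace(pkt, dst_ip=src_ip, dst_port=src_port)


if __name__ == "__main__":
    nat = NatInstance("54.0.0.123", "10.0.1.0/24")
    out = nat.translate_outbound(Packet("tcp", "10.0.1.5", 40000, "4.31.198.44", 443))
    print("outbound as seen on the Internet:", out)
    print("reply delivered to:", nat.translate_inbound(
        Packet("tcp", "4.31.198.44", 443, "54.0.0.123", out.src_port)))
    print("unsolicited SYN:", nat.translate_inbound(
        Packet("tcp", "198.51.100.9", 5555, "54.0.0.123", 40001)))
```

Two private instances that happen to use the same source port get different ports on the Elastic IP, so their replies are told apart by port alone; that is the PAT the note above refers to. The model ignores what a real implementation also tracks (TCP state, mapping timeouts, ICMP), so it is a picture of the mapping, not of a production NAT.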

Setting up the NAT Instance

You can use the VPC wizard to set up a VPC with a NAT instance; for more information, see Scenario 2: VPC with Public and Private Subnets. Otherwise, you can set up the NAT instance manually using the steps below.

  1. Create a VPC with two subnets.

    1. Create a VPC (see Creating a VPC)

    2. Create two subnets (see Creating a Subnet)

    3. Attach an Internet gateway to the VPC (see Attaching an Internet Gateway)

    4. Create a custom route table that sends traffic destined outside the VPC to the Internet gateway, and then associate it with one subnet, making it a public subnet (see Creating a Custom Route Table)

  2. Create the NATSG security group (see Creating the NATSG Security Group). You'll specify this security group when you launch the NAT instance.

  3. Launch an instance into your public subnet from an AMI that's been configured to run as a NAT instance. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console.

    1. Open the Amazon EC2 console.

    2. On the dashboard, click the Launch Instance button, and complete the wizard as follows:

      1. On the Choose an Amazon Machine Image (AMI) page, select the Community AMIs category, and search for amzn-ami-vpc-nat. In the results list, each AMI's name includes the version to enable you to select the most recent AMI, for example, 2013.09. Click Select.

      2. On the Choose an Instance Type page, select the instance type, then click Next: Configure Instance Details.

      3. On the Configure Instance Details page, select the VPC you created from the Network list, and select your public subnet from the Subnet list.

      4. (Optional) Select the Public IP check box to have a public IP address assigned to your NAT instance at launch. If you do not assign one now, you can allocate an Elastic IP address and associate it with your instance after it's launched (step 6). For more information about assigning a public IP at launch, see Assigning a Public IP Address During Launch. Click Next: Add Storage.

      5. You can choose to add storage to your instance, and on the next page, you can add tags. Click Next: Configure Security Group when you are done.

      6. On the Configure Security Group page, select the Select an existing security group option, and select the NATSG security group that you created. Click Review and Launch.

      7. Review the settings that you've chosen. Make any changes that you need, and then click Launch to choose a key pair and launch your instance.

  4. (Optional) Log on to the NAT instance, make any modifications that you need, and then create your own AMI that's configured to run as a NAT instance. You can use this AMI the next time that you need to launch a NAT instance. For more information about creating an AMI, see Creating Amazon EBS-Backed AMIs in the Amazon EC2 User Guide for Linux Instances.

  5. Disable the SrcDestCheck attribute for the NAT instance (see Disabling Source/Destination Checks)

  6. If you did not assign a public IP address to your NAT instance during launch (step 3), you need to associate an Elastic IP address with it.

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. Click Elastic IPs in the navigation pane.

    3. Click the Allocate New Address button.

    4. In the Allocate New Address dialog box, in the Network platform list, select EC2-VPC, and then click Yes, Allocate.

    5. Select the Elastic IP address from the list, and then click the Associate Address button.

    6. In the Associate Address dialog box, select the network interface of the NAT instance, select its private IP address from the Private IP address list, and then click Yes, Associate.

  7. Update the main route table to send traffic to the NAT instance. For more information, see Updating the Main Route Table.

Launching a NAT Instance Using the Command Line

To launch a NAT instance into your subnet, use the run-instances command of one of the supported command line interfaces, passing the NAT AMI ID, your public subnet, and the NATSG security group. For more information about these command line interfaces, see Accessing Amazon VPC.

To get the ID of an AMI that's configured to run as a NAT instance, use a command to describe images, and use filters to return results only for AMIs that are owned by Amazon, and that have the amzn-ami-vpc-nat string in their names. The following example uses the AWS CLI; both filters are passed in a single --filters option, and --query trims the output to the ID and name of each match:

PROMPT> aws ec2 describe-images --filters Name=owner-alias,Values=amazon "Name=name,Values=amzn-ami-vpc-nat*" --query "Images[].[ImageId,Name]" --output text

Creating the NATSG Security Group

Define the NATSG security group as described in the following table. The inbound rules let the NAT instance accept the Internet-bound HTTP and HTTPS traffic that instances in the private subnet send to it, plus SSH from your own network; the outbound rules let the NAT instance reach the Internet on behalf of those instances, which is how they get software updates. Security groups are stateful, so replies to allowed traffic need no rules of their own. The range 10.0.1.0/24 is the private subnet of the example; substitute your own private subnet's CIDR block, and make the SSH source as narrow as your network allows rather than 0.0.0.0/0.

NATSG: Recommended Rules

Inbound

  Source                                   Protocol   Port Range   Comments
  10.0.1.0/24                              TCP        80           Allow inbound HTTP traffic from servers in the private subnet
  10.0.1.0/24                              TCP        443          Allow inbound HTTPS traffic from servers in the private subnet
  Public IP address range of your network  TCP        22           Allow inbound SSH access to the NAT instance from your network (over the Internet gateway)

Outbound

  Destination   Protocol   Port Range   Comments
  0.0.0.0/0     TCP        80           Allow outbound HTTP access to the Internet
  0.0.0.0/0     TCP        443          Allow outbound HTTPS access to the Internet


To create the NATSG security group

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Click Security Groups in the navigation pane.

  3. Click the Create Security Group button.

  4. In the Create Security Group dialog box, specify NATSG as the name of the security group, and provide a description. Select the ID of your VPC from the VPC list, and then click Yes, Create.

  5. Select the NATSG security group that you just created. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.

  6. Add rules for inbound traffic using the Inbound Rules tab as follows:

    1. Click Edit.

    2. Click Add another rule, and select HTTP from the Type list. In the Source field, specify the IP address range of your private subnet.

    3. Click Add another rule, and select HTTPS from the Type list. In the Source field, specify the IP address range of your private subnet.

    4. Click Add another rule, and select SSH from the Type list. In the Source field, specify the public IP address range of your network.

    5. Click Save.

  7. Add rules for outbound traffic using the Outbound Rules tab as follows:

    1. Click Edit.

    2. Click Add another rule, and select HTTP from the Type list. In the Destination field, specify 0.0.0.0/0

    3. Click Add another rule, and select HTTPS from the Type list. In the Destination field, specify 0.0.0.0/0

    4. Click Save.

For more information about security groups, see Security Groups for Your VPC.

Disabling Source/Destination Checks

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.

You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped using the console or the command line.

To disable source/destination checking using the console

  1. Open the Amazon EC2 console.

  2. Click Instances in the navigation pane.

  3. Select the NAT instance, click Actions, and then click Change Source/Dest. Check.

  4. For a NAT instance, verify that this attribute is disabled. Otherwise, click Yes, Disable.

To disable source/destination checking using the command line

Use the modify-instance-attribute command of one of the supported command line interfaces to set the sourceDestCheck attribute of the NAT instance to false. For more information about these command line interfaces, see Accessing Amazon VPC.

Updating the Main Route Table

Update the main route table as described in the following procedure. By default, the main route table contains only the local route, which lets the instances in your VPC communicate with each other. We'll add a route that sends all traffic destined outside the VPC (0.0.0.0/0) to the NAT instance, and make sure the private subnet uses this table.

To update the main route table

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Route Tables.

  3. Select the main route table for your VPC. The details pane displays tabs for working with its routes, associations, and route propagation.

  4. On the Routes tab, click Edit, specify 0.0.0.0/0 in the Destination box, select the instance ID of the NAT instance from the Target list, and then click Save.

  5. On the Subnet Associations tab, click Edit, select the Associate check box for your private subnet, and then click Save. Do not associate your public subnet with this table; it must keep its route to the Internet gateway.

For more information about route tables, see Route Tables.

Testing Your NAT Instance Configuration

After you have launched a NAT instance and completed the configuration steps above, test whether an instance in your private subnet can reach the Internet through it. The test has four parts: add a rule to the NAT instance's security group that accepts inbound ICMP from the private subnet, launch an instance into the private subnet, use SSH agent forwarding to reach that instance through the NAT instance without copying your private key to it, and then ping a host on the Internet from the private instance.

To update your NAT instance's security group

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Security Groups.

  3. Find the security group associated with your NAT instance, and click Edit in the Inbound tab.

  4. Click Add Rule, select All ICMP from the Type list, and select Custom IP from the Source list. Enter the IP address range of your private subnet, for example, 10.0.1.0/24. Click Save.

To launch an instance into your private subnet

  1. Open the Amazon EC2 console.

  2. In the navigation pane, click Instances.

  3. Launch an instance into your private subnet. For more information, see Launching an Instance into Your Subnet. Ensure that you configure the following options in the launch wizard, and then click Launch:

    • On the Choose an Amazon Machine Image (AMI) page, select an Amazon Linux AMI from the Quick Start category.

    • On the Configure Instance Details page, select your private subnet from the Subnet list, and do not assign a public IP address to your instance.

    • On the Configure Security Group page, ensure that your security group includes a rule that allows SSH access from your NAT instance's private IP address, or from the IP address range of your public subnet.

    • In the Select an existing key pair or create a new key pair dialog box, select the same key pair you used to launch the NAT instance.

To configure SSH agent forwarding for Linux or OS X

  1. From your local machine, add your private key to the authentication agent. The -c option (Linux) makes the agent ask for confirmation each time a forwarded connection wants to use the key; the -K option (OS X) also stores the passphrase in your keychain.

    For Linux, use the following command:

    PROMPT> ssh-add -c mykeypair.pem

    For OS X, use the following command:

    PROMPT> ssh-add -K mykeypair.pem

  2. Connect to your NAT instance using the -A option to enable SSH agent forwarding. While the session is open, the NAT instance can use the keys in your local agent to authenticate onward connections, which is why the key itself never has to be copied to the NAT instance. For example:

    PROMPT> ssh -A ec2-user@54.0.0.123

To configure SSH agent forwarding for Windows (PuTTY)

  1. Download and install Pageant from the PuTTY download page, if not already installed.

  2. Convert your private key to .ppk format. For more information, see Converting Your Private Key Using PuTTYgen.

  3. Start Pageant, and then click Add Key. Select the .ppk file you created, enter the passphrase if required, click OK, and then close the Pageant Key List window.

  4. Start a PuTTY session to connect to your NAT instance. In the Auth category, ensure that you select the Allow agent forwarding option, and leave the Private key file for authentication field blank.

To test the Internet connection

  1. Test that your NAT instance can communicate with the Internet by running the ping command for a website that has ICMP enabled; for example:

    PROMPT> ping ietf.org
    
    PING ietf.org (4.31.198.44) 56(84) bytes of data.
    64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=1 ttl=48 time=74.9 ms
    64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=2 ttl=48 time=75.1 ms
    ...

    Press Ctrl+C on your keyboard to cancel the ping command.

  2. From your NAT instance, connect to your instance in your private subnet by using its private IP address, for example:

    PROMPT> ssh ec2-user@10.0.1.123
  3. From your private instance, test that you can connect to the Internet by running the ping command:

    PROMPT> ping ietf.org
    
    PING ietf.org (4.31.198.44) 56(84) bytes of data.
    64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=1 ttl=47 time=86.0 ms
    64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=2 ttl=47 time=75.6 ms
    ...

    Press Ctrl+C on your keyboard to cancel the ping command.

    If the ping command fails, check the following information:

    • Check that your NAT instance's security group rules allow inbound ICMP traffic from your private subnet. If not, the echo requests from your private instance are dropped at the NAT instance and never forwarded.

    • Check that you've configured your route tables correctly. For more information, see Updating the Main Route Table.

    • Ensure that you've disabled source/destination checking for your NAT instance. For more information, see Disabling Source/Destination Checks.

    • Ensure that you are pinging a website that has ICMP enabled. If not, you will not receive reply packets. To test this, perform the same ping command from the command line terminal on your own computer.

  4. (Optional) Terminate your private instance if you no longer require it. For more information, see Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.
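An added example that serves both the setup procedure above and this troubleshooting list: a Python checker that reads the JSON the AWS CLI prints for describe-route-tables, describe-security-groups and describe-instance-attribute (sourceDestCheck) and reports a private subnet whose 0.0.0.0/0 route does not point at the NAT instance, a public subnet without an Internet gateway route, a NAT instance whose source/destination check is still enabled, and NATSG rules that are missing or open to 0.0.0.0/0. It is not an AWS tool; the sample documents, the private subnet 10.0.1.0/24, the SSH source range 203.0.113.0/24 and every ID in them are constructed for the example.

```python
"""Post-setup checks for a NAT instance configuration.

Added example, not part of the AWS guide or of any AWS tool. It takes the JSON
that the AWS CLI prints for describe-route-tables, describe-security-groups and
describe-instance-attribute --attribute sourceDestCheck, and reports the mistakes
the troubleshooting list tells you to look for. The samples at the bottom are
constructed; every ID in them is made up.
"""
import copy
import ipaddress
from typing import Any, Dict, List, Optional

Json = Dict[str, Any]


def route_table_for_subnet(route_tables: Json, subnet_id: str) -> Optional[Json]:
    """A subnet uses the table it is explicitly associated with, else the VPC's main table."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt: Optional[Json]) -> Optional[Json]:
    """The active 0.0.0.0/0 route of a table, if it has one."""
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route
    return None


def check_nat_setup(route_tables: Json, natsg: Json, src_dest_attr: Json, *,
                    nat_instance_id: str, private_subnet_id: str,
                    private_cidr: str, public_subnet_id: str) -> List[str]:
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings: List[str] = []
    # 1. Routing: private subnet -> NAT instance, public subnet -> Internet gateway.
    route = default_route(route_table_for_subnet(route_tables, private_subnet_id))
    if route is None or route.get("InstanceId") != nat_instance_id:
        findings.append("private subnet's 0.0.0.0/0 route is missing or does not target the NAT instance")
    route = default_route(route_table_for_subnet(route_tables, public_subnet_id))
    if route is None or not str(route.get("GatewayId", "")).startswith("igw-"):
        findings.append("public subnet's 0.0.0.0/0 route is missing or does not target an Internet gateway")
    # 2. The NAT instance forwards traffic it is neither source nor destination of.
    if src_dest_attr.get("SourceDestCheck", {}).get("Value", True):
        findings.append("SourceDestCheck is still enabled on the NAT instance")
    # 3. NATSG inbound: forwarded traffic only from the private subnet, SSH only from a
    #    specific range, nothing from 0.0.0.0/0. Replies need no rules (stateful).
    private_net = ipaddress.ip_network(private_cidr)
    from_private = set()
    for perm in natsg["IpPermissions"]:
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1)
        for src in (r["CidrIp"] for r in perm.get("IpRanges", [])):
            if src == "0.0.0.0/0":
                findings.append(f"inbound {proto} {lo}-{hi} from 0.0.0.0/0 exposes the NAT instance to the Internet")
            elif ipaddress.ip_network(src).subnet_of(private_net):
                if proto == "-1":
                    from_private.update((80, 443))
                elif proto == "tcp":
                    from_private.update(p for p in (80, 443) if lo <= p <= hi)
            elif not (proto == "tcp" and lo <= 22 <= hi):
                findings.append(f"inbound {proto} {lo}-{hi} from {src}: only SSH from your own network is expected")
    for port in sorted({80, 443} - from_private):
        findings.append(f"NATSG does not allow TCP {port} from {private_cidr}; private instances cannot use it")
    return findings


# Constructed samples in the shape of the AWS CLI output; the IDs are invented.
NAT_ID, PRIVATE_SUBNET, PUBLIC_SUBNET = "i-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb", "subnet-0ccccccccccccccccc"
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0ddddddddddddddddd",
     "Associations": [{"Main": True}, {"SubnetId": PRIVATE_SUBNET, "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": NAT_ID, "State": "active"}]},
    {"RouteTableId": "rtb-0eeeeeeeeeeeeeeeee",
     "Associations": [{"SubnetId": PUBLIC_SUBNET, "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fffffffffffffffff", "State": "active"}]}]}
NATSG = {"GroupName": "NATSG", "GroupId": "sg-011111111111111111", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
SRC_DEST = {"InstanceId": NAT_ID, "SourceDestCheck": {"Value": False}}


def run_example() -> Dict[str, List[str]]:
    """Check the good sample, then a copy with two common mistakes."""
    ids = dict(nat_instance_id=NAT_ID, private_subnet_id=PRIVATE_SUBNET,
               private_cidr="10.0.1.0/24", public_subnet_id=PUBLIC_SUBNET)
    bad_sg = copy.deepcopy(NATSG)
    bad_sg["IpPermissions"][2]["IpRanges"] = [{"CidrIp": "0.0.0.0/0"}]      # SSH open to the world
    bad_attr = {"InstanceId": NAT_ID, "SourceDestCheck": {"Value": True}}    # step 5 skipped
    return {"good": check_nat_setup(ROUTE_TABLES, NATSG, SRC_DEST, **ids),
            "bad": check_nat_setup(ROUTE_TABLES, bad_sg, bad_attr, **ids)}


if __name__ == "__main__":
    for name, found in run_example().items():
        print(name, found or ["OK"])
```

To run it against a real VPC, feed it the parsed output of aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>, the first element of SecurityGroups from aws ec2 describe-security-groups --group-ids <sg-id>, and aws ec2 describe-instance-attribute --instance-id <i-id> --attribute sourceDestCheck, substituting your own subnet IDs and private CIDR block. The checker looks only at IPv4 CIDR sources; rules whose source is another security group are not evaluated.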