Amazon Virtual Private Cloud
User Guide (API Version 2014-02-01)

NAT Instances

Instances that you launch into a private subnet in a virtual private cloud (VPC) can't communicate with the Internet. You can optionally use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.

For a general overview of VPCs and subnets, see What is Amazon VPC?. For more information about public and private subnets, see Subnet Routing.

Note

We use the term NAT instance; however, the primary role of a NAT instance is actually port address translation (PAT). We chose to use the more widely known term, NAT. For more information about NAT and PAT, see the Wikipedia article about network address translation.

NAT Instance Basics

The following figure illustrates the NAT instance basics. The main route table sends the traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance sends the traffic to the Internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.

Figure: NAT instance setup
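The following Python model is added here and is not part of the Amazon VPC guide. It simulates the port address translation described above: each outbound flow from the private subnet is given a high port on the Elastic IP, a reply is mapped back to the private instance by that port, and a packet for which no mapping exists is dropped. All addresses are constructed (10.0.1.0/24 as the private subnet, 198.51.100.10 as a stand-in Elastic IP).

```python
# Added example, not from the Amazon VPC guide: a minimal model of the port
# address translation (PAT) a NAT instance performs. All addresses are
# constructed: 10.0.1.0/24 is the private subnet and 198.51.100.10 stands in
# for the NAT instance's Elastic IP address.

ELASTIC_IP = "198.51.100.10"


class NatInstance:
    def __init__(self, elastic_ip, first_port=1024):
        self.eip = elastic_ip
        self.next_port = first_port
        self.by_port = {}   # high port on the EIP -> (src, sport, dst, dport)
        self.by_flow = {}   # (src, sport, dst, dport) -> high port

    def outbound(self, src, sport, dst, dport):
        """Rewrite a packet from the private subnet; returns the packet as seen
        on the Internet (source becomes the EIP plus a high port)."""
        flow = (src, sport, dst, dport)
        port = self.by_flow.get(flow)
        if port is None:                    # new flow: allocate the next high port
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return (self.eip, port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Handle a packet arriving from the Internet. Only a reply that matches
        an existing mapping (same remote host and port) is forwarded; anything
        else, including a connection someone on the Internet initiates, is
        dropped and None is returned."""
        flow = self.by_port.get(dport)
        if dst != self.eip or flow is None or flow[2] != src or flow[3] != sport:
            return None
        priv_src, priv_sport, _, _ = flow
        return (src, sport, priv_src, priv_sport)


if __name__ == "__main__":
    nat = NatInstance(ELASTIC_IP)
    # 10.0.1.5 fetches an update from a (constructed) repository at 192.0.2.80:443
    print(nat.outbound("10.0.1.5", 51000, "192.0.2.80", 443))
    print(nat.inbound("192.0.2.80", 443, ELASTIC_IP, 1024))      # reply reaches 10.0.1.5
    print(nat.inbound("203.0.113.7", 40000, ELASTIC_IP, 22))     # unsolicited: dropped
```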

Setting up the NAT Instance

You can use the VPC wizard to set up a VPC with a NAT instance; for more information, see Scenario 2: VPC with Public and Private Subnets. Otherwise, you can set up the NAT instance manually using the steps below.

Important

The VPC console has been redesigned, and you can switch between the old and new interfaces by clicking the link in the preview message at the top of each console page. You can use the old interface during the trial period; however, this topic may refer to features of the new interface only.

  1. Create a VPC with two subnets.

    1. Create a VPC (see Creating a VPC)

    2. Create two subnets (see Creating a Subnet)

    3. Attach an Internet gateway to the VPC (see Attaching an Internet Gateway)

    4. Create a custom route table that sends traffic destined outside the VPC to the Internet gateway, and then associate it with one subnet, making it a public subnet (see Creating a Custom Route Table)

  2. Create the NATSG security group (see Creating the NATSG Security Group). You'll specify this security group when you launch the NAT instance.

  3. Launch an instance into your public subnet from an AMI that's been configured to run as a NAT instance. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string ami-vpc-nat in their names, so you can search for them in the AWS Management Console.

    1. Open the Amazon EC2 console.

    2. On the dashboard, click the Launch Instance button, and complete the wizard as follows:

      1. On the Choose an Amazon Machine Image (AMI) page, select the Community AMIs category, and search for ami-vpc-nat. Choose the AMI to use from the results list, and click Select.

      2. On the Choose an Instance Type page, select the instance type, then click Next: Configure Instance Details.

      3. On the Configure Instance Details page, select the VPC you created from the Network list, and select your public subnet from the Subnet list.

      4. (Optional) Select the Public IP check box to request that your NAT instance receives a public IP address. If you choose not to assign a public IP address now, you can allocate an Elastic IP address and assign it to your instance after it's launched. For more information about assigning a public IP at launch, see Assigning a Public IP Address During Launch. Click Next: Add Storage.

      5. You can choose to add storage to your instance, and on the next page, you can add tags. Click Next: Configure Security Group when you are done.

      6. On the Configure Security Group page, select the Select an existing security group option, and select the NATSG security group that you created. Click Review and Launch.

      7. Review the settings that you've chosen. Make any changes that you need, and then click Launch to choose a key pair and launch your instance.

  4. (Optional) Log on to the NAT instance, make any modifications that you need, and then create your own AMI that's configured to run as a NAT instance. You can use this AMI the next time that you need to launch a NAT instance. For more information about creating an AMI, see Creating Amazon EBS-Backed AMIs in the Amazon Elastic Compute Cloud User Guide.

  5. Disable the SrcDestCheck attribute for the NAT instance (see Disabling Source/Destination Checks)

  6. If you did not assign a public IP address to your NAT instance during launch (step 3), you need to associate an Elastic IP address with it.

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. Click Elastic IPs in the navigation pane.

    3. Click the Allocate New Address button.

    4. In the Allocate New Address dialog box, in the Network platform list, select EC2-VPC, and then click Yes, Allocate.

    5. Select the Elastic IP address from the list, and then click the Associate Address button.

    6. In the Associate Address dialog box, select the network interface for the NAT instance. Select the address to associate the EIP with from the Private IP address list, and then click Yes, Associate.

  7. Update the main route table to send traffic to the NAT instance. For more information, see Updating the Main Route Table.

Creating the NATSG Security Group

Define the NATSG security group as described in the following table to enable your NAT instance to receive Internet-bound traffic from instances in a private subnet, as well as SSH traffic from your network. The NAT instance can also send traffic to the Internet, which enables the instances in the private subnet to get software updates.

NATSG: Recommended Rules

Inbound

Source                                   Protocol   Port Range   Comments
10.0.1.0/24                              TCP        80           Allow inbound HTTP traffic from servers in the private subnet
10.0.1.0/24                              TCP        443          Allow inbound HTTPS traffic from servers in the private subnet
Public IP address range of your network  TCP        22           Allow inbound SSH access to the NAT instance from your network (over the Internet gateway)

Outbound

Destination   Protocol   Port Range   Comments
0.0.0.0/0     TCP        80           Allow outbound HTTP access to the Internet
0.0.0.0/0     TCP        443          Allow outbound HTTPS access to the Internet


To create the NATSG security group

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Click Security Groups in the navigation pane.

  3. Click the Create Security Group button.

  4. In the Create Security Group dialog box, specify NATSG as the name of the security group, and provide a description. Select the ID of your VPC from the VPC list, and then click Yes, Create.

  5. Select the NATSG security group that you just created. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.

  6. Add rules for inbound traffic using the Inbound Rules tab as follows:

    1. Click Edit.

    2. Click Add Rule, and select HTTP from the Type list. In the Source field, specify the IP address range of your private subnet.

    3. Click Add Rule, and select HTTPS from the Type list. In the Source field, specify the IP address range of your private subnet.

    4. Click Add Rule, and select SSH from the Type list. In the Source field, specify the public IP address range of your network.

    5. Click Save.

    Note

    If you're using the old design of the security groups page, select HTTP from the Create a new rule list, specify the IP address range in the Source field, and then click Add Rule. Repeat for HTTPS and SSH, and then click Apply Rule Changes.

  7. Add rules for outbound traffic using the Outbound Rules tab as follows:

    1. Click Edit.

    2. Click Add Rule, and select HTTP from the Type list. In the Source field, specify 0.0.0.0/0.

    3. Click Add Rule, and select HTTPS from the Type list. In the Source field, specify 0.0.0.0/0.

    4. Click Save.

    Note

    If you're using the old design of the security groups page, select HTTP from the Create a new rule list, specify the IP address range in the Source field, and then click Add Rule. Repeat for HTTPS, and then click Apply Rule Changes.

For more information about security groups, see Security Groups for Your VPC.

Disabling Source/Destination Checks

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.

You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped using the console or the command line.

To disable source/destination checking using the console

  1. Open the Amazon EC2 console.

  2. Click Instances in the navigation pane.

  3. Select the NAT instance, click Actions, and then click Change Source/Dest. Check.

  4. For a NAT instance, verify that this attribute is disabled. Otherwise, click Yes, Disable.

To disable source/destination checking using the command line

You can use one of the following commands. For more information about these command line interfaces, see Working with Amazon VPC.

Updating the Main Route Table

Update the main route table as described in the following procedure. By default, the main route table enables the instances in your VPC to communicate with each other. We'll add a route that sends all other subnet traffic to the NAT instance.

To update the main route table

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Route Tables.

  3. Select the main route table for your VPC. The details pane displays tabs for working with its routes, associations, and route propagation.

  4. On the Routes tab, click Edit, specify 0.0.0.0/0 in the Destination box, select the instance ID of the NAT instance from the Target list, and then click Save.

  5. On the Subnet Associations tab, click Edit, and then select the Associate check box for the subnet. Click Save.

For more information about route tables, see Route Tables.
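The following Python check is added here and is not the guide's own code. It verifies the three settings this guide's procedure depends on: the NATSG rules match the recommended table, the SrcDestCheck attribute is disabled on the NAT instance, and the main route table sends 0.0.0.0/0 to that instance. The snapshot it runs over is constructed in the shape of the EC2 DescribeSecurityGroups, DescribeInstances and DescribeRouteTables responses (an assumption about the API format); 203.0.113.0/24 stands in for "your network" and the instance ID is a placeholder.

```python
# Added example, not the guide's own code: a post-setup check of the NATSG
# rules, the SrcDestCheck attribute and the main route table. The snapshot
# below is constructed in the shape of EC2 DescribeSecurityGroups /
# DescribeInstances / DescribeRouteTables output (assumed field names).

PRIVATE_SUBNET = "10.0.1.0/24"
ADMIN_CIDR = "203.0.113.0/24"   # constructed stand-in for "your network"
# Recommended NATSG rules from the guide, as (protocol, port, cidr)
EXPECTED_INBOUND = {("tcp", 80, PRIVATE_SUBNET), ("tcp", 443, PRIVATE_SUBNET),
                    ("tcp", 22, ADMIN_CIDR)}
EXPECTED_OUTBOUND = {("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")}

def flatten(perms):
    """Turn EC2 IpPermissions entries into (protocol, port, cidr) tuples."""
    return {(p["IpProtocol"], p.get("FromPort"), r["CidrIp"])
            for p in perms for r in p.get("IpRanges", [])}

def audit_nat_setup(sg, nat_instance, main_route_table):
    """Return a list of findings; an empty list means the set-up matches the guide."""
    findings = []
    inbound, outbound = flatten(sg["IpPermissions"]), flatten(sg["IpPermissionsEgress"])
    for proto, port, cidr in sorted(inbound - EXPECTED_INBOUND, key=str):
        why = "open to the Internet" if cidr == "0.0.0.0/0" else "not in the recommended set"
        findings.append(f"inbound {proto}/{port} from {cidr}: {why}")
    for proto, port, cidr in sorted(EXPECTED_INBOUND - inbound, key=str):
        findings.append(f"missing inbound {proto}/{port} from {cidr}")
    for proto, port, cidr in sorted(EXPECTED_OUTBOUND - outbound, key=str):
        findings.append(f"missing outbound {proto}/{port} to {cidr}")
    if nat_instance["SourceDestCheck"]:   # NAT forwards traffic it is not the endpoint of
        findings.append("SourceDestCheck is still enabled on the NAT instance")
    default = [r for r in main_route_table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not default or default[0].get("InstanceId") != nat_instance["InstanceId"]:
        findings.append("main route table has no 0.0.0.0/0 route to the NAT instance")
    return findings

def rule(proto, port, cidr):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}

# Constructed snapshot with two deliberate mistakes: SSH left open to the
# whole Internet, and SrcDestCheck still enabled. Instance id is a placeholder.
SAMPLE_SG = {"IpPermissions": [rule("tcp", 80, PRIVATE_SUBNET), rule("tcp", 443, PRIVATE_SUBNET),
                               rule("tcp", 22, "0.0.0.0/0")],
             "IpPermissionsEgress": [rule("tcp", 80, "0.0.0.0/0"), rule("tcp", 443, "0.0.0.0/0")]}
SAMPLE_NAT = {"InstanceId": "i-0nat0example", "SourceDestCheck": True}
SAMPLE_RTB = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat0example"}]}

if __name__ == "__main__":
    for finding in audit_nat_setup(SAMPLE_SG, SAMPLE_NAT, SAMPLE_RTB):
        print("FINDING:", finding)
```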