Example: Centralized outbound routing to the internet - Amazon VPC

Example: Centralized outbound routing to the internet

You can configure a transit gateway to route outbound internet traffic from a VPC without an internet gateway to a VPC that contains a NAT gateway and an internet gateway.

Overview

The following diagram shows the key components of the configuration for this scenario. You have applications in VPC A and VPC B that need outbound only internet access. You configure VPC C with a public NAT gateway and an internet gateway, and a private subnet for the VPC attachment. Connect all VPCs to a transit gateway. Configure routing so that outbound internet traffic from VPC A and VPC B traverses the transit gateway to VPC C. The NAT gateway in VPC C routes the traffic to the internet gateway.


				A transit gateway with three VPC attachments.

Resources

Create the following resources for this scenario:

  • Three VPCs with IP address ranges that do not overlap. For more information, see Create a VPC in the Amazon VPC User Guide.

  • VPC A and VPC B each have private subnets with EC2 instances.

  • VPC C has the following:

    • An internet gateway attached to the VPC. For more information, see Create and attach an internet gateway in the Amazon VPC User Guide.

    • A public subnet with a NAT gateway. For more information, see Create a NAT gateway in the Amazon VPC User Guide.

    • A private subnet for the transit gateway attachment. The private subnet should be in the same Availability Zone as the public subnet.

  • One transit gateway. For more information, see Create a transit gateway.

  • Three VPC attachments on the transit gateway. The CIDR blocks for each VPC propagate to the transit gateway route table. For more information, see Create a transit gateway attachment to a VPC. For VPC C, you must create the attachment using the private subnet. If you create the attachment using the public subnet, the instance traffic is routed to the internet gateway, but the internet gateway drops the traffic because the instances don't have public IP addresses. By placing the attachment in the private subnet, the traffic is routed to the NAT gateway, and the NAT gateway sends the traffic to the internet gateway using its Elastic IP address as the source IP address.

Routing

There are route tables for each VPC and a route table for the transit gateway.

Route table for VPC A

The following is an example route table. The first entry enables instances in the VPC to communicate with each other. The second entry routes all other IPv4 subnet traffic to the transit gateway.

Destination Target

VPC A CIDR

local

0.0.0.0/0

transit-gateway-id

Route table for VPC B

The following is an example route table. The first entry enables the instances in the VPC to communicate with each other. The second entry routes all other IPv4 subnet traffic to the transit gateway.

Destination Target

VPC B CIDR

local

0.0.0.0/0

transit-gateway-id

Route tables for VPC C

Configure the subnet with the NAT gateway as a public subnet by adding a route to the internet gateway. Leave the other subnet as a private subnet.

The following is an example route table for the public subnet. The first entry enables instances in the VPC to communicate with each other. The second and third entries route traffic for VPC A and VPC B to the transit gateway. The remaining entry routes all other IPv4 subnet traffic to the internet gateway.

Destination Target
VPC C CIDR local
VPC A CIDR transit-gateway-id
VPC B CIDR transit-gateway-id
0.0.0.0/0 internet-gateway-id

The following is an example route table for the private subnet. The first entry enables instances in the VPC to communicate with each other. The second entry routes all other IPv4 subnet traffic to the NAT gateway.

Destination Target
VPC C CIDR local
0.0.0.0/0 nat-gateway-id

Transit gateway route table

The following is an example of the transit gateway route table. The CIDR blocks for each VPC propagate to the transit gateway route table. The static route sends outbound internet traffic to VPC C. You can optionally prevent inter-VPC communication by adding a blackhole route for each VPC CIDR.

CIDR Attachment Route type

VPC A CIDR

Attachment for VPC A

propagated

VPC B CIDR

Attachment for VPC B

propagated

VPC C CIDR

Attachment for VPC C

propagated

0.0.0.0/0

Attachment for VPC C

static