Routing Outbound Traffic Through NAT Gateways
Modifying Route Tables for NAT Gateways
To enhance your network monitoring strategy, you must ensure outbound traffic is routed through a NAT gateway. Creating a NAT gateway does not by itself give EC2 instances the ability to send outbound traffic to the Internet. You need to define a route that lets EC2 instances on a private subnet reach the NAT gateway and then go out to the Internet. This is where route tables come into play. AWS defines a route table for your VPC as, “A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.”
Once you’ve provisioned your NAT gateways in the VPC Dashboard, use the following steps to modify the route table:
- In the VPC Dashboard, open Route Tables.
- Select the route table associated with the NAT gateway and open the Routes tab.
- Select Edit Routes, then Add Route.
- Enter 0.0.0.0/0 for the Destination and select a specific NAT gateway as the Target.
- Select Save Routes. You’ve now created a route that lets EC2 instances in that Availability Zone talk out to the Internet.
To learn more, visit the AWS user guide for NAT gateways.
Hello, and welcome to today’s demo! Today, we’re going to be talking about EC2 instances that live on private subnets and how they get out to the Internet. If you have EC2 instances that live in a private subnet and you want them to have the ability to access the Internet, you have to proxy that traffic through a system that uses NAT to allow them to talk out to the Internet. Previously, there was something called a “NAT instance,” an actual AMI image created by Amazon that customers could provision, which would allow their EC2 instances in private subnets to talk through that NAT instance out to the Internet. However, Amazon (as you can see on my screen) has deprecated the use of NAT instances. Now, Amazon recommends that clients use a NAT gateway. The bulk of this video is going to talk about NAT gateways, what they do, and how to provision them.
Let’s start off with what a NAT gateway is. A NAT gateway uses network address translation (NAT) to enable instances in private subnets to connect to the Internet or other AWS services, but it prevents the Internet from initiating a connection with those instances. Basically, it allows the instances to talk out but no Internet-initiated connections can talk in.
Now, let’s talk about some caveats that come with NAT gateways. The first caveat is that NAT gateways do not support IPv6. The second caveat is that NAT gateways are tied to an Availability Zone. What does that mean? If you have a single NAT gateway in an Availability Zone and you have EC2 instances in multiple Availability Zones that are using that NAT gateway and that Availability Zone goes down, those EC2 instances in the other Availability Zones will lose the ability to talk to the Internet. When you’re architecting your NAT gateway infrastructure, it’s important that for any Availability Zone where you have EC2 instances in private subnets, you have a NAT gateway for that Availability Zone.
Now that we have the basics out of the way, let’s go look at how we provision a NAT gateway and some important pieces of information. Once you log into your AWS Management Console, you’re going to search for “VPC,” then scroll all the way down to “NAT Gateways.” As you can see, we already have a couple of NAT gateways provisioned, but let’s go through the provisioning steps. You’re going to hit “Create NAT Gateway” and give your NAT gateway a specific name. Call it whatever you want, just make sure it’s a unique identifier. The next piece of information is really important. You’re going to select a subnet. As you can see, each subnet is tied to an Availability Zone. You want to be sure, like we said before, that you have a NAT gateway for each Availability Zone. When you’re creating your NAT gateway infrastructure, pay close attention to which Availability Zone the NAT gateway is being created in. Then, you select the “Elastic IP.” If you have an available Elastic IP that is not being used, you can just select it from the dropdown box. If not, just hit “Allocate Elastic IP” and one will be allocated for you. Then, you’ll add a tag and create your NAT gateway. It will take a few minutes for the NAT gateway to be provisioned, and then you’ll have NAT gateways like you see here.
Now that we have some NAT gateways provisioned, let’s go look at some important information. If you scroll over to the right, we’ll look at a few things. The first thing is the VPC. We know the VPCs that the NAT gateways are associated with. The second thing is the subnet. Let’s talk about why this is important. The subnet is going to define which Availability Zone that NAT gateway is associated with. Let’s look at a couple.
If we go over to “Subnets” and look at our list of subnets, then scroll over to the “Availability Zone” column, we see that each of our subnets is in a different Availability Zone, where we assume our infrastructure is. So, we have that NAT gateway for each Availability Zone as we talked about.
Going back to the “NAT Gateways” tab, let’s look at the “VPC” column. Just because you created the NAT gateway does not mean that the EC2 instances have the ability to talk out to the Internet. The next critical piece is the route table. You have to be able to define a route that allows that EC2 instance on a private subnet to talk to that NAT gateway and then go out to the Internet. So, what you need to do is add the route into the route table and make sure that those instances in those private subnets can get out to the Internet. Let’s go look at the “Route Tables” tab. We have a route table here that’s specifically for the NAT gateway. Select that, then go to “Routes” and “Edit Routes.” Let’s say “0.0.0.0/0” for the destination and select a specific NAT Gateway for the target. When you save your route, you’ve created a route for instances in that Availability Zone to be able to talk out to the Internet.
As we saw, there are a couple of steps when creating those NAT gateways and a couple of pieces of information that you need to make sure you are hitting. Making sure you have a NAT gateway for each Availability Zone is critical, making sure that you have the appropriate route table and routes created is critical, and making sure that you have the associations correct is critical. Once you have that, you’ll be able to let your EC2 instances on private subnets talk out to the Internet.
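The two things the page asks you to verify, a 0.0.0.0/0 route from each private subnet to a NAT gateway (the route table steps above) and a NAT gateway in the same Availability Zone as the subnet (the caveat in the demo), can be checked in one pass. The following audit is an added example, not code from the page or from AWS; the subnet, NAT gateway and route table dicts are constructed with hypothetical IDs and mirror the shape of boto3's describe_subnets, describe_nat_gateways and describe_route_tables responses, so the same function can be fed real output.

```python
# Constructed sample data (hypothetical IDs). subnet-priv-a is correctly routed;
# subnet-priv-b's default route points at a NAT gateway that lives in another AZ.
SUBNETS = [
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-a",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-b",
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
]


def audit_private_subnets(private_subnet_ids, subnets, nat_gateways, route_tables):
    """Return {subnet_id: finding}; an empty string means the subnet passes."""
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A NAT gateway sits in a subnet, so the subnet's AZ is the gateway's AZ.
    nat_az = {n["NatGatewayId"]: az_of_subnet[n["SubnetId"]]
              for n in nat_gateways if n["State"] == "available"}
    # Only explicit associations are considered; subnets without one fall back
    # to the VPC's main route table, which this audit flags for manual review.
    rtb_of_subnet = {a["SubnetId"]: rt for rt in route_tables
                     for a in rt["Associations"] if "SubnetId" in a}
    findings = {}
    for sid in private_subnet_ids:
        rt = rtb_of_subnet.get(sid)
        if rt is None:
            findings[sid] = "no explicit route table association"
            continue
        default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        nat_id = default[0].get("NatGatewayId") if default else None
        if nat_id is None:
            findings[sid] = "no 0.0.0.0/0 route to a NAT gateway"
        elif nat_id not in nat_az:
            findings[sid] = f"route targets unavailable NAT gateway {nat_id}"
        elif nat_az[nat_id] != az_of_subnet[sid]:
            findings[sid] = (f"NAT gateway {nat_id} is in {nat_az[nat_id]}, "
                             f"subnet is in {az_of_subnet[sid]}")
        else:
            findings[sid] = ""
    return findings
```

Run it with the subnet IDs you consider private; any non-empty finding is a subnet that either cannot reach the Internet at all or will lose Internet access when the other Availability Zone fails.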