NAT Server on Amazon EC2
TABLE OF CONTENT
1. Overview
2. Architectural Diagram
3. Steps to Implement NAT server
4. Why not just place everything in a public subnet?
5. Conclusion
6. CloudThat
7. FAQs
Overview
Modern multi-tier architectures require some applications to connect to the internet in order to serve users, while backend services such as databases need no internet access and must not accept inbound connections from it. Those backend services are placed in the private subnet; the internet-facing applications are placed in the public subnet.
A NAT server (NAT instance) provides the function of a NAT Gateway with an EC2 instance of our own, built from a NAT AMI, running in the public subnet. It lets instances in the private subnet initiate outbound connections to the internet while the internet cannot initiate connections to them. For small workloads a NAT instance is cheaper than a managed NAT Gateway, at the cost of bandwidth limited by the instance type, a single point of failure unless you build your own failover, and an instance you have to patch and monitor yourself.
Today, we will show you how to give the database server in the private subnet internet access through a NAT instance.
Steps to Install NAT Server
Step 1 – Create a custom VPC (the "Demo VPC" below).
Step 2 – Create a public subnet and a private subnet in it.
Step 3 – Create a public route table and a private route table, and associate each with its subnet.
Step 4 – Create an Internet Gateway, attach it to the Demo VPC, and add a 0.0.0.0/0 route to it in the public route table only.
Step 5 – Leave the private route table without any route to the Internet Gateway; that absence is what keeps the subnet private.
Step 6 – Launch the DB (private) instance in the private subnet, without a public IP, so it has no direct internet access.
Step 7 – Launch the NAT (Network Address Translation) instance in the public subnet from a NAT Community AMI in AWS, with a public IP.
Step 8 – In the NAT instance's security group, allow inbound HTTP (80) and HTTPS (443) from the private subnet's CIDR only, not from 0.0.0.0/0, and allow all outbound traffic.
Step 9 – Open the NAT instance's networking settings and change the source/destination check.
Step 10 – Disable the source/destination check. EC2 otherwise drops packets whose source or destination is not the instance itself, which is exactly what forwarded traffic looks like.
Step 11 – Add a 0.0.0.0/0 route to the private route table with the NAT instance ID as the target, so the private subnet reaches the internet via the NAT server.
Step 12 – SSH into the private instance through a Bastion Host and ping google.com. Ping is ICMP, so the NAT instance's security group must also allow ICMP from the private subnet for this test to succeed; if it only allows 80/443, test with an HTTPS request instead.
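The three settings that make this design safe (no Internet Gateway route in the private route table, source/destination check off, NAT security group scoped to the private subnet) are also the ones most easily got wrong in the console. The following script is an added example, not code from the original post or from CloudThat: it runs those checks over data in the shape that boto3's describe_route_tables, describe_instances and describe_security_groups return, using constructed sample values (the CIDR, instance, route table and security group IDs are assumptions) so that it runs offline.

```python
"""Post-build check for the NAT instance setup described in the steps above.

Added example, not from the original post. The dict shapes are boto3's; the
values are constructed, not captured from an account. It verifies:
  Steps 5/11  private route table has no igw- route and 0.0.0.0/0 -> NAT instance
  Step 8      NAT security group admits inbound only from the private subnet CIDR
  Step 10     NAT instance has SourceDestCheck disabled
"""
from ipaddress import ip_network

# Assumed values for the demo VPC (hypothetical CIDR and instance id).
PRIVATE_SUBNET_CIDR = "10.0.2.0/24"
NAT_INSTANCE_ID = "i-0123456789abcdef0"
REQUIRED_PORTS = (80, 443)


def check_private_route_table(route_table, nat_instance_id):
    """Findings for the private subnet's route table (Steps 5 and 11)."""
    findings, rt_id, default_route = [], route_table["RouteTableId"], None
    for route in route_table["Routes"]:
        if route.get("GatewayId", "").startswith("igw-"):
            findings.append(f"{rt_id}: {route['DestinationCidrBlock']} routes to "
                            f"{route['GatewayId']}; the subnet is effectively public")
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_route = route
    if default_route is None:
        findings.append(f"{rt_id}: no 0.0.0.0/0 route; private instances have no outbound path")
    elif default_route.get("InstanceId") != nat_instance_id:
        findings.append(f"{rt_id}: 0.0.0.0/0 does not target NAT instance {nat_instance_id}")
    return findings


def check_source_dest(instance):
    """EC2 drops forwarded packets unless SourceDestCheck is off (Step 10)."""
    if instance.get("SourceDestCheck", True):
        return [f"{instance['InstanceId']}: source/destination check is still enabled"]
    return []


def check_nat_security_group(group, private_cidr):
    """Inbound rules must be scoped to the private subnet and cover 80/443 (Step 8)."""
    findings, private, allowed_ports = [], ip_network(private_cidr), set()
    for perm in group["IpPermissions"]:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            source = ip_network(rng["CidrIp"])
            if proto == "-1":  # "all traffic" rule
                allowed_ports.update(REQUIRED_PORTS)
            elif proto == "tcp":
                allowed_ports.update(p for p in REQUIRED_PORTS if lo <= p <= hi)
            if not source.subnet_of(private):  # e.g. 0.0.0.0/0 "open to the Internet"
                findings.append(f"{group['GroupId']}: {proto} {lo}-{hi} open to {source}, "
                                f"wider than the private subnet {private}")
    for port in sorted(set(REQUIRED_PORTS) - allowed_ports):
        findings.append(f"{group['GroupId']}: tcp/{port} not allowed from {private}; "
                        "package downloads through the NAT will fail")
    return findings


def audit(route_table, instance, group, private_cidr=PRIVATE_SUBNET_CIDR,
          nat_instance_id=NAT_INSTANCE_ID):
    """Run all checks; an empty list means the setup matches Steps 5, 8, 10 and 11."""
    return (check_private_route_table(route_table, nat_instance_id)
            + check_source_dest(instance)
            + check_nat_security_group(group, private_cidr))


# Constructed sample data in boto3's output shape (hypothetical ids).
PRIVATE_ROUTE_TABLE = {"RouteTableId": "rtb-0aaa1111bbbb2222c", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": NAT_INSTANCE_ID, "State": "active"}]}
NAT_INSTANCE = {"InstanceId": NAT_INSTANCE_ID, "SourceDestCheck": False}
NAT_SECURITY_GROUP = {"GroupId": "sg-0aaa1111bbbb2222c", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": PRIVATE_SUBNET_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": PRIVATE_SUBNET_CIDR}]}]}
# Same group with 443 opened "to the Internet": the mistake this check exists to catch.
WORLD_OPEN_SECURITY_GROUP = {"GroupId": "sg-0ddd3333eeee4444f", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": PRIVATE_SUBNET_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for label, group in (("correct", NAT_SECURITY_GROUP), ("world-open", WORLD_OPEN_SECURITY_GROUP)):
        findings = audit(PRIVATE_ROUTE_TABLE, NAT_INSTANCE, group)
        print(f"{label}: {'OK' if not findings else findings}")
```

To audit a real account, replace the constructed dicts with `ec2.describe_route_tables(...)["RouteTables"][0]`, `ec2.describe_instances(...)["Reservations"][0]["Instances"][0]` and `ec2.describe_security_groups(...)["SecurityGroups"][0]` from a boto3 EC2 client; the checks do not change. An "all traffic" rule from the private subnet CIDR passes, since it is what you need if you want the ping test in Step 12 to work.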
Why not just place everything in a public subnet?
This is something we hear often and have considered, especially for non-critical environments. It would solve the problem, and we would no longer need a NAT Gateway or NAT instance: each instance or service would have its own public IP address. Two key reasons have led us to reject it.
Reason 1: Security should not rest on a single control. We don't want one configuration error to expose our resources overnight. A well-written Security Group and NACL would give the same isolation on paper, but these resources should stay out of reach of the internet regardless of what the SG/NACL say, so that a mistake in either does not make them reachable. Furthermore, our acceptance environments often hold data nearly identical to production, so we are not willing to accept a lower level of security there.
Reason 2: We create our environments with Terraform. Swapping a NAT Gateway for a NAT instance is a change to a single route target, which is much faster and more consistent than migrating every resource into a public subnet.
Conclusion
We have seen the benefits of a NAT Gateway or NAT instance: it gives machines in the private subnet outbound access, which they need to download packages and install patches, without exposing them to inbound connections from the internet.
Another benefit is how simple it is to add or remove the route as our needs change: the private subnet's internet access is a single 0.0.0.0/0 route in the private route table.
CloudThat
CloudThat is also an official AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner, and a Microsoft Gold Partner. We help people learn about the cloud and help them achieve higher goals using the best cloud computing practices and expertise. Our mission is to create a strong cloud computing ecosystem by sharing knowledge about the technological intricacies of the cloud space. We provide information for all stakeholders in the cloud computing industry through our blogs, webinars and case studies.
Drop a question if you have questions about the NAT server, NAT i