4

I've set up a VPC on AWS and I'm trying to make one of my subnets private. I have:

  1. Created my private subnet.
  2. Created my NAT Gateway and associated my subnet to it.
  3. Created a Route Table dest: 0.0.0.0/0 target: NAT Gateway
  4. Created an Instance in my private subnet.

I can get to the instance in #4 by going to a different instance with a public IP and then SSHing to its private IP. Once on the instance, it has no internet connectivity.

Am I expected to update the route tables on the instance, or anything like that?

Comments:

  • Can you show your routing table for the private subnet? Commented Dec 27, 2015 at 19:38
  • AWS should really provide some audit / reporting tool to check requirements. Here: a NAT Gateway in a non-public subnet. Commented Aug 31, 2016 at 21:13

7 Answers

11

Turns out I was creating my NAT Gateway in my private subnet; should have been done in my public subnet. When I was creating it I assumed the subnet I was providing was the one I wanted to be NATed not where to create it.

Re-reading the docs here helped discover my error:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html#nat-gateway-creating

Thanks.

7

I had an issue with my NAT instance as well.

It turns out I didn't set up the security group of the NAT instance correctly. My NAT instance's security group was allowing port 22 only.

Once I added port 80 (HTTP) and port 443 (HTTPS) to the security group, my instance in the private subnet could connect to the internet.

Some points to note when creating a NAT instance:

  1. The NAT instance needs to be in the public subnet.
  2. The source/destination check of the NAT instance must be disabled.
  3. At least allow ports 80/443 in the security group of the NAT instance.
  4. Associate the outbound route of the private subnet with the NAT instance in the route table.

2

In my case it wasn't working because I had the NAT in the private subnet instead of the public one.


0

Did you follow all the instructions here? In particular make sure you disable Source/Destination checks on the NAT instance.

Alternatively, AWS now has Managed NAT Gateways.

Comments:

  • OP says they're using the NAT gateway.
  • The problem was between the keyboard and chair. I was creating my NAT Gateway inside my private subnet when it should have been in my public subnet. Thanks for the link above; I re-read it and that's where I found my answer.
0

In my case, there was a misconfiguration of the private instance's security group: I had limited internet access to the CIDR block of the public subnet, when it should have been allowed to access everything.

0

I had the same problem; it was resolved by setting the outbound rules on the EC2 instance inside the private subnet.

Outbound rules in route table

0

You have to ensure these rules:

  1. The NAT Gateway is in the public subnet and its connectivity type is set to Public.

  2. The route table of the private subnet has Destination: 0.0.0.0/0 → Target: NAT Gateway.

  3. The network ACLs of both the private and the public subnet allow 0.0.0.0/0 for both inbound and outbound traffic.

  4. The private instance's security group allows outbound traffic to 0.0.0.0/0, or at least to the specific ports and protocols you need.

I found that point 3 was the solution to a problem similar to yours.
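As an added example (not code from the question, any answer, or AWS), the following script turns this four-point checklist, plus the NAT-instance points from the second answer (public subnet, source/destination check disabled, 80/443 admitted on the NAT's security group), into an offline audit of the kind the comment on the question wishes AWS provided. It reads constructed dicts shaped like the EC2 describe-* responses (the field names are the real boto3/AWS CLI ones; the subnet, route-table, gateway and security-group IDs and the CIDRs are invented) and never calls AWS. A subnet counts as public when its associated route table, or the VPC main table if it has none, carries a 0.0.0.0/0 route to an igw-; that is exactly the check the OP's NAT Gateway failed. It goes slightly beyond the answers in two places: network ACL entries are evaluated in rule-number order, as AWS does, and security-group CIDRs are tested by containment, which is what makes the "limited to the public subnet's CIDR" mistake from the fifth answer show up.

```python
# Added example, not code from the question or AWS: an offline audit of the NAT checklists above.
# Inputs are constructed dicts shaped like EC2 describe-* responses; IDs and CIDRs are made up.
import ipaddress

ANY = "0.0.0.0/0"

def covered(cidr, rule_cidr):
    """True if every address in cidr lies inside rule_cidr (0.0.0.0/0 covers everything)."""
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(rule_cidr))

def route_table_for(subnet_id, route_tables):
    """The route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route_target(rt):
    """Target of the active 0.0.0.0/0 route (igw-..., nat-..., i-...) or None."""
    for r in (rt or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") == ANY and r.get("State", "active") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId") or r.get("InstanceId")
    return None

def is_public_subnet(subnet_id, route_tables):
    """Public in the AWS sense: the subnet's default route points at an internet gateway."""
    target = default_route_target(route_table_for(subnet_id, route_tables))
    return bool(target) and target.startswith("igw-")

def sg_allows(sg, direction, port, cidr):
    """direction is 'IpPermissions' (inbound) or 'IpPermissionsEgress' (outbound)."""
    for perm in sg.get(direction, []):
        proto = perm.get("IpProtocol")
        if proto not in ("-1", "tcp"):
            continue
        # IpProtocol "-1" (all traffic) carries no FromPort/ToPort in the API response.
        if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        if any(covered(cidr, r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False

def nacl_allows_all(nacls, subnet_id, egress):
    """NACLs are stateless and evaluated lowest RuleNumber first: the first rule matching
    every protocol to 0.0.0.0/0 decides, and the implicit rule 32767 is a deny."""
    acl = next(n for n in nacls if any(a.get("SubnetId") == subnet_id for a in n["Associations"]))
    for e in sorted((e for e in acl["Entries"] if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] == "-1" and e["CidrBlock"] == ANY:
            return e["RuleAction"] == "allow"
    return False

def audit_nat_gateway(private_subnet, nat, route_tables, nacls, instance_sg):
    """Finding codes for the four-point checklist; an empty list means it passes."""
    findings = []
    if not is_public_subnet(nat["SubnetId"], route_tables):  # point 1, the OP's mistake
        findings.append("nat-not-in-public-subnet")
    if nat.get("ConnectivityType", "public") != "public":
        findings.append("nat-not-public-connectivity")
    if default_route_target(route_table_for(private_subnet, route_tables)) != nat["NatGatewayId"]:
        findings.append("private-default-route-not-nat")  # point 2
    for subnet in (private_subnet, nat["SubnetId"]):  # point 3
        for egress in (True, False):
            if not nacl_allows_all(nacls, subnet, egress):
                findings.append(f"nacl-{'egress' if egress else 'ingress'}-{subnet}")
    for port in (80, 443):  # point 4
        if not sg_allows(instance_sg, "IpPermissionsEgress", port, ANY):
            findings.append(f"sg-egress-{port}")
    return findings

def audit_nat_instance(instance, nat_sg, private_cidr):
    """Extra checks for a self-managed NAT instance: source/destination check disabled and
    its security group admitting 80/443 from the private subnet."""
    findings = ["source-dest-check-enabled"] if instance.get("SourceDestCheck", True) else []
    findings += [f"nat-sg-ingress-{p}" for p in (80, 443)
                 if not sg_allows(nat_sg, "IpPermissions", p, private_cidr)]
    return findings

# Constructed sample: VPC 10.0.0.0/16, public subnet 10.0.1.0/24, private subnet 10.0.2.0/24.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": ANY, "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": ANY, "NatGatewayId": "nat-0def", "State": "active"}]},
]
NACLS = [{"Associations": [{"SubnetId": "subnet-pub"}, {"SubnetId": "subnet-priv"}],
          "Entries": [{"RuleNumber": n, "Protocol": "-1", "RuleAction": a, "Egress": e, "CidrBlock": ANY}
                      for n, a in ((100, "allow"), (32767, "deny")) for e in (True, False)]}]
SG_OPEN = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}]}
SG_SSH_ONLY = {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}
NAT_RIGHT = {"NatGatewayId": "nat-0def", "SubnetId": "subnet-pub", "ConnectivityType": "public"}
NAT_WRONG = dict(NAT_RIGHT, SubnetId="subnet-priv")  # created in the private subnet, as the OP did

if __name__ == "__main__":
    print("correct setup:", audit_nat_gateway("subnet-priv", NAT_RIGHT, ROUTE_TABLES, NACLS, SG_OPEN))
    print("NAT in private subnet:", audit_nat_gateway("subnet-priv", NAT_WRONG, ROUTE_TABLES, NACLS, SG_OPEN))
```

To run it against a real VPC, pass the `RouteTables`, `NetworkAcls` and `SecurityGroups[0]` lists from the corresponding describe calls, the `NatGateways[0]` entry for the gateway, and for a NAT instance the `Instances[0]` dict from describe-instances (it carries `SourceDestCheck`); the functions only read those documented fields.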
