How to connect to outside world from amazon vpc?

It appears that the only way to get outside from instances that don't have Elastic IP is:

• add a NAT (Launch an extra m1.small instance from ami-vpc-nat-beta) and assign EIP to it
• Create an extra subnet which will be "private"
• Move non-EIP-instances to that private subnet
• Modify route tables: 0.0.0.0/0 from the private subnet should go to NAT

So, just adding NAT is not enough. Instances should be stopped and moved to another IP from another subnet.

The docs tell you should add a NAT Instance

Q. How do instances without EIPs access the Internet?

Instances without EIPs can access the Internet in one of two ways Instances without EIPs can route their traffic through a NAT instance to access the Internet. These instances use the EIP of the NAT instance to traverse the Internet. The NAT instance allows outbound communication but doesn’t enable machines on the Internet to initiate a connection to the privately addressed machines using NAT, and

http://aws.amazon.com/vpc/faqs/

You can find detailed instructions on how to setup a nat instance here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

Or create a NAT Instance within the public VPC and add a static route to that NAT instance

route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.0.0.5 eth0

where 10.0.0.5 is your nat instance, just make sure your the security group which contains the NAT instance can accept internal traffic from the boxes you require internet access

You can do it on any instance in your VPC, that has EIP. There few instructions that i described here should help you. BTW: don't forget disable source/dest. check

Instances without EIPs can access the Internet in one of two ways Instances without EIPs can route their traffic through a NAT instance to access the Internet. These instances use the EIP of the NAT instance to traverse the Internet. The NAT instance allows outbound communication but doesn’t enable machines on the Internet to initiate a connection to the privately addressed machines using NAT.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

Did you check the Network ACL on the subnet?

Cross check the security groups for rules.

The route table looks fine. It should work.

All that needs to be done to fix this problem, is to disable "source/destination check" for the instance you have configured to do NAT. This can be done in the AWS console, under "Instance Actions".

Reference

This works for me with :

• VPC subnet 172.20.0.0/16
• EC2 "nat" gateway 172.20.10.10 with EIP

To do :

• Set disabled source/dest. check on your "nat gw"
• create a new "nat-sub" subnet ex: 172.20.222.0/24
• modify route 0.0.0.0/0 to 172.20.10.10 (my nat gw) for "nat-sub"
• create a EC2 using "nat-sub"
• on your nat gateway as root, try :

root@gw:~# sysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.eth0.send_redirects=0

root@gw:~# iptables -t nat -C POSTROUTING -o eth0 -s 172.20.222.0/24 -j MASQUERADE 2> /dev/null || iptables -t nat -A POSTROUTING -o eth0 -s 172.20.222.0/24 -j MASQUERADE

if it works, add this 2 lines in /etc/rc.local

Security Groups -> Outbound

*   ALL Traffic ALL     ALL     0.0.0.0/0   Allow

Please allow Outbound, if you want to connect to external servers like google.com or even want to update- sudo apt-get update

You can allow the outbound using AWS front-end goto Security Groups -> Outbound

Make sure you select the right group for your AWS instance

They have a relatively new product called NAT gateway that does exactly this, creates a managed NAT instance at the edge of your pub/private subnets.