I'm trying to access the internet from the Private Subnet instances through the NAT instance. I have followed the steps in the URL below.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
- Created 2 Subnets (Public and Private)
- Attached the Internet Gateway to the VPC
- Main Route table includes the Private Subnet and Routes through NAT Instance ID (Destination 0.0.0.0/0)
- Custom Route table includes the Public Subnet and Routes through Internet Gateway (Destination 0.0.0.0/0)
- NAT Security Group has Inbound from 22, 80, 443, ALL ICMP (all from Public IP range CIDR 10.0.0.0/16), Outbound to 22, 80, 443, ALL ICMP (22 to Private IP Instance, rest to CIDR 0.0.0.0/0)
- Disabled Source/Destination Check on NAT Instance
With all the above steps, I am able to access the internet on the NAT Instance, but not from the Private IP Instances.
From NAT Instance:
$ ping ietf.org
PING ietf.org (4.31.198.44) 56(84) bytes of data.
64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=1 ttl=49 time=23.8 ms
64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=2 ttl=49 time=23.9 ms
64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=3 ttl=49 time=23.9 ms
^C
--- ietf.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 23.888/23.940/23.976/0.037 ms
From Private IP Instances:
$ ping ietf.org
PING ietf.org (4.31.198.44) 56(84) bytes of data.
^C
--- ietf.org ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms
I am able to ping the NAT instance from the Private IP Instance.
I have checked all the steps below, as provided at the above URL. Everything looks good.
If the ping command fails, check the following information:
Check that your NAT instance's security group rules allow inbound ICMP traffic from your private subnet. If not, your NAT instance cannot receive the ping command from your private instance.
Check that you've configured your route tables correctly. For more information, see Updating the Main Route Table.
Ensure that you've disabled source/destination checking for your NAT instance. For more information, see Disabling Source/Destination Checks.
Ensure that you are pinging a website that has ICMP enabled. If not, you will not receive reply packets. To test this, perform the same ping command from the command line terminal on your own computer.
Some help will be appreciated. Thanks.
ietf.org, so this suggests you have Internet connectivity. Can you try something other than a Ping (eg try curl ietf.org)? – John Rotenstein