0
votes

I'm trying to access the internet from the Private Subnet instances through the NAT instance. I have followed the steps in the below URL.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

  1. Created 2 Subnets (Public and Private)
  2. Attached the Internet Gateway to the VPC
  3. Main Route table includes the Private Subnet and Routes through NAT Instance ID (Destination 0.0.0.0/0)
  4. Custom Route table includes the Public Subnet and Routes through Internet Gateway (Destination 0.0.0.0/0)
  5. NAT Security Group has Inbound from 22, 80, 443, ALL ICMP (all from the public IP range CIDR 10.0.0.0/16) and Outbound to 22, 80, 443, ALL ICMP (22 to the Private IP Instance, the rest to CIDR 0.0.0.0/0)
  6. Disabled Source/Destination Check on NAT Instance

With all the above steps, I am able to access the internet from the NAT Instance, but not from the Private IP Instances.

From NAT Instance

    $ ping ietf.org
    PING ietf.org (4.31.198.44) 56(84) bytes of data.
    64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=1 ttl=49 time=23.8 ms
    64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=2 ttl=49 time=23.9 ms
    64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=3 ttl=49 time=23.9 ms
    ^C
    --- ietf.org ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 23.888/23.940/23.976/0.037 ms

From Private IP Instances

    $ ping ietf.org
    PING ietf.org (4.31.198.44) 56(84) bytes of data.
    ^C
    --- ietf.org ping statistics ---
    7 packets transmitted, 0 received, 100% packet loss, time 5999ms

I am able to ping the NAT Instance from the Private IP Instance.

I have checked all the steps below, as provided in the above URL. Everything looks good.

If the ping command fails, check the following information:

  • Check that your NAT instance's security group rules allow inbound ICMP traffic from your private subnet. If not, your NAT instance cannot receive the ping command from your private instance.
  • Check that you've configured your route tables correctly. For more information, see Updating the Main Route Table.
  • Ensure that you've disabled source/destination checking for your NAT instance. For more information, see Disabling Source/Destination Checks.
  • Ensure that you are pinging a website that has ICMP enabled. If not, you will not receive reply packets. To test this, perform the same ping command from the command line terminal on your own computer.

Any help would be appreciated. Thanks.

2
Looks good! How did you create the NAT instance -- was it via User Data? Also, I notice that the Private instance is resolving the DNS name for ietf.org, so this suggests you have Internet connectivity. Can you try something other than a ping (e.g. try `curl ietf.org`)? John Rotenstein

2 Answers

0
votes

As per the information you have given, everything in your architecture setup seems perfect; the only mistake I found is in the security group of the NAT instance.

NAT instance configuration as per the AWS recommendation:

Inbound:

80, 443 -- from the Private IP Instance / the private IP address range of your private subnet

22 -- from the public IP address range of your home network

Outbound:

80, 443 -- to 0.0.0.0/0

Try this; it will work.

Ref: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

Kindly see the "NATSG: Recommended Rules" section of the above document.

0
votes

Everything seems fine, but the one thing you have missed is the Subnet Association:

  • In the NAT routing table
  • Open the Subnet Association tab
  • Add the Private Subnet there; then it will work
  • Then you will get internet access for your instance in the Private Subnet.

If you require more information about subnet associations, refer to the URL below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html
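As an added example (not part of the question or either answer), the following Python check walks the checklist from the question and both answers over a constructed VPC snapshot shaped like boto3 `describe_*` output: which route table is effective for the private subnet and whether it has a 0.0.0.0/0 route via the NAT instance, whether the subnet is explicitly associated (second answer), whether the source/destination check is off, and whether the NAT security group admits 80, 443 and ICMP from the private subnet's CIDR (first answer). All IDs and CIDRs are made up.

```python
import ipaddress

# Constructed VPC snapshot shaped like boto3 describe_* output; not real AWS data.
NAT_ID, PRIVATE_SUBNET, PRIVATE_CIDR = "i-nat0000", "subnet-private", "10.0.1.0/24"
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],  # no explicit subnet yet
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": NAT_ID}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000"}]},
]
NAT_INSTANCE = {"InstanceId": NAT_ID, "SourceDestCheck": False,
                "SecurityGroups": [{"GroupId": "sg-nat"}]}
SECURITY_GROUPS = {"sg-nat": {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}}

def rule_covers(rule, proto, port, cidr):
    """True when one SG rule admits proto/port from every address in cidr."""
    if rule["IpProtocol"] not in (proto, "-1"):
        return False
    if proto in ("tcp", "udp") and rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in rule["IpRanges"])

def audit_private_egress(route_tables, nat, groups, subnet_id, subnet_cidr):
    """Return findings for the question's checklist; an empty list means every check passed."""
    findings = []
    # Effective route table: an explicit association wins, otherwise the VPC main table applies.
    explicit = [t for t in route_tables if any(a.get("SubnetId") == subnet_id for a in t["Associations"])]
    table = explicit[0] if explicit else next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    if not explicit:
        findings.append(f"{subnet_id} not explicitly associated; relies on main table {table['RouteTableId']}")
    default = [r for r in table["Routes"] if r["DestinationCidrBlock"] == "0.0.0.0/0"]
    if not default or default[0].get("InstanceId") != nat["InstanceId"]:
        findings.append(f"{table['RouteTableId']} has no 0.0.0.0/0 route via {nat['InstanceId']}")
    if nat["SourceDestCheck"]:
        findings.append("source/destination check is still enabled on the NAT instance")
    rules = [p for g in nat["SecurityGroups"] for p in groups[g["GroupId"]]["IpPermissions"]]
    for proto, port in (("tcp", 80), ("tcp", 443), ("icmp", -1)):
        if not any(rule_covers(r, proto, port, subnet_cidr) for r in rules):
            findings.append(f"NAT security group does not allow {proto}/{port} from {subnet_cidr}")
    return findings

if __name__ == "__main__":
    print(audit_private_egress(ROUTE_TABLES, NAT_INSTANCE, SECURITY_GROUPS, PRIVATE_SUBNET, PRIVATE_CIDR) or "all checks passed")
```

Feeding the same functions real `describe_route_tables`, `describe_instances` and `describe_security_groups` output from the AWS CLI or boto3 gives the same findings for a live VPC.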