0
votes

I have two EC2 instances, one in a public subnet (10.1.1.0/24) and one in a private subnet (10.1.2.0/24). The EC2 instance in the public subnet works fine with internet connectivity and configured services.

There is a NAT Gateway configured in the public subnet 10.1.1.0/24 with an Elastic IP. The default route on the private subnet is [0.0.0.0/0 --> NAT Gateway in public subnet]. I have a custom network ACL on the private subnet. What I observed is that when the source and destination for the inbound/outbound rules are set to 10.1.1.0/24 (public subnet), external connectivity breaks, but SSH works. Only when the source/destination are set to 'any' does internet connectivity return. I am trying to understand what exact source/destination should be used in the network ACLs on the private subnet for internet connectivity to work.

1
Have you allowed internet traffic (0.0.0.0/0) in your NACL? If you don't allow it, there won't be any internet traffic allowed. – Marcin
WHY do you have a custom NACL configured? In general, it is best to leave the NACLs at their default "allow all" setting, unless there is a particular need (e.g. creating a DMZ). – John Rotenstein

1 Answer

0
votes

To allow an instance in the private subnet to access the internet using the NAT gateway, your NACLs or SG must allow internet traffic. The NAT does not change the internet traffic into private VPC traffic. So if you remove 0.0.0.0/0, the internet connectivity stops.

This is explained in the AWS docs under "Instances cannot access the internet":

Ensure that the network ACLs that are associated with the private subnet and public subnets do not have rules that block inbound or outbound internet traffic.

Therefore, you must allow 0.0.0.0/0 (or a narrower IP range if you only want part of the internet traffic) in your NACL and SG for the instances in the private subnet.

As a side note, NACLs are generally not modified and the default settings are usually used. Instead, security groups are the first choice for controlling access to and from the instances.
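The following is an added illustration, not part of the answer above: a minimal model of stateless NACL evaluation from the private subnet's point of view, comparing the "public subnet only" rules from the question with rules that allow internet traffic. The host addresses (10.1.2.10, 10.1.1.20, 203.0.113.5) and the ephemeral port are constructed for the example.

```python
import ipaddress

# One rule: (rule_number, action, cidr, (port_low, port_high)). Inbound rules
# match the packet's source CIDR, outbound rules its destination CIDR; the port
# range always refers to the packet's destination port. Rules are evaluated in
# ascending number order, first match wins, and no match falls through to deny.
def evaluate(rules, address, port):
    for _, action, cidr, (lo, hi) in sorted(rules):
        if ipaddress.ip_address(address) in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "deny"  # the implicit final '*' deny rule of every NACL

PRIVATE_HOST = "10.1.2.10"    # instance in the private subnet (constructed)
BASTION = "10.1.1.20"         # instance in the public subnet (constructed)
WEB_SERVER = "203.0.113.5"    # an internet host (constructed, TEST-NET-3 range)
EPHEMERAL = (1024, 65535)

# NACL as described in the question: only the public subnet is allowed.
SUBNET_ONLY = {
    "inbound":  [(100, "allow", "10.1.1.0/24", (0, 65535))],
    "outbound": [(100, "allow", "10.1.1.0/24", (0, 65535))],
}
# NACL as the answer recommends: internet traffic allowed in both directions.
INTERNET = {
    "inbound":  [(100, "allow", "10.1.1.0/24", (0, 65535)),
                 (110, "allow", "0.0.0.0/0", EPHEMERAL)],   # replies from the internet
    "outbound": [(100, "allow", "10.1.1.0/24", (0, 65535)),
                 (110, "allow", "0.0.0.0/0", (443, 443))],  # HTTPS to the internet
}

def https_via_nat(nacl):
    """Verdicts for an outbound HTTPS packet and its reply. The NAT gateway only
    rewrites the private instance's own address; the remote address the NACL
    sees is the real internet peer, never an address in 10.1.1.0/24."""
    out = evaluate(nacl["outbound"], WEB_SERVER, 443)
    back = evaluate(nacl["inbound"], WEB_SERVER, 49152)  # reply to an ephemeral port
    return out, back

def ssh_from_bastion(nacl):
    """Verdicts for SSH from the public subnet and its reply (why SSH kept working)."""
    inb = evaluate(nacl["inbound"], BASTION, 22)
    back = evaluate(nacl["outbound"], BASTION, 49152)
    return inb, back

if __name__ == "__main__":
    for name, nacl in (("subnet-only", SUBNET_ONLY), ("internet", INTERNET)):
        print(name, "https:", https_via_nat(nacl), "ssh:", ssh_from_bastion(nacl))
```

With the subnet-only rules both the outgoing HTTPS packet and its reply are denied while SSH passes in both directions; with the internet rules everything is allowed.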