Configure a VPC with Public & Private Subnets and Secure your Network using NAT Gateway

What is a NAT Gateway?
- Consider a scenario where EC2 instances in the private subnets of a virtual private cloud (VPC) need to reach the internet securely, for example to install security updates or download packages.
- This is where a NAT Gateway comes in. A NAT Gateway is a Network Address Translation (NAT) service that lets EC2 instances in private subnets connect to the internet while preventing the internet from initiating a connection to those instances.
- Configuring a NAT Gateway requires:
1. A VPC with at least two subnets.
2. An instance in each subnet: at least one public instance in one subnet and a private instance in another subnet.
3. A NAT Gateway, with an Elastic IP address associated with it, placed in the subnet that holds the public instance.
4. A custom route table associated with the subnet that holds the private instance.
5. A route to the internet through the NAT Gateway inside that custom route table.
Now let us go through the steps to configure a NAT Gateway in detail.
Configure NAT Gateway –
- From the VPC option in your AWS account, create one VPC with the 192.168.10.0/24 CIDR network. (Refer to Create custom VPC in AWS for detailed steps.)

Figure 1 : VPC with 192.168.10.0/24 network
- Create two subnets, Subnet 1 and Subnet 2, inside the custom VPC just created, i.e. My-VPC. (Refer to How to launch EC2 Instances inside Custom VPC and SSH into Public and Private Instances for detailed steps.)

Figure 2 : Two Subnets inside custom VPC
Once the subnets are created, create an Internet Gateway and attach it to the custom VPC. Also add the internet route (0.0.0.0/0) to the route table that was created for our custom VPC, i.e. My-VPC.
- Create one public instance named Webserver inside Subnet 1 and one private instance named DB_Server inside Subnet 2.

Figure 3 : Public Instance created within Subnet 1

Figure 4 : Private Instance created within Subnet 2
- Now we have to create an Elastic IP address. Go to the Elastic IPs option and click Allocate Elastic IP address.

Figure 5 : Elastic IPs option in AWS
Click Allocate, and an Elastic IP address will be allocated.

Figure 6 : Allocate Elastic IP address
- Go to NAT Gateways and click the Create NAT Gateway button.
Select the subnet that contains the public instance, which is Subnet 1 here, and assign the Elastic IP address we already created.

Figure 7 : NAT Gateway
- Create a custom route table named Custom RT and associate it with the subnet that holds the private instance, i.e. DB_Server. Now Webserver is associated with the main route table and DB_Server with Custom RT.

Figure 8 : Custom Route Table with private subnet association

Figure 9 : Edit Subnet Association
- Add an internet route through the NAT Gateway inside the custom route table.

Figure 10 : Internet route through NAT Gateway
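Before moving on to the connectivity test, the wiring just built can be checked against the requirements listed at the start of the article: the private subnet's default route must point at a NAT Gateway, the NAT Gateway must hold an Elastic IP and sit in a subnet whose default route goes to the Internet Gateway, and the private route table must not carry an Internet Gateway route of its own. The Python script below is an added example, not part of this article or of any AWS tool; it audits JSON in the shape returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`. The sample documents and every resource id in them (`vpc-myvpc`, `subnet-public1`, `subnet-private2`, `rtb-main`, `rtb-custom`, `igw-0example`, `nat-0example`, `eipalloc-0example`) are constructed for the example, and the split of 192.168.10.0/24 into two /25 subnets is an assumption, since the article does not state the subnet CIDRs.

```python
"""Audit the NAT Gateway wiring of a VPC from describe-* style JSON.

Added example for this article, not the author's code. The SAMPLE_* documents
mirror the shape of `aws ec2 describe-subnets`, `describe-route-tables` and
`describe-nat-gateways` output; every resource id in them is made up.
"""
import copy
import ipaddress

VPC_CIDR = "192.168.10.0/24"  # the VPC from the article

# Constructed sample: the /24 split into two /25 subnets (Subnet 1 public, Subnet 2 private).
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-public1", "VpcId": "vpc-myvpc", "CidrBlock": "192.168.10.0/25"},
    {"SubnetId": "subnet-private2", "VpcId": "vpc-myvpc", "CidrBlock": "192.168.10.128/25"},
]}

# Constructed sample: the main table (implicitly used by Subnet 1) sends 0.0.0.0/0 to the
# Internet Gateway; "Custom RT" is explicitly associated with Subnet 2 and uses the NAT Gateway.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-myvpc",
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}],
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}]},
    {"RouteTableId": "rtb-custom", "VpcId": "vpc-myvpc",
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}],
     "Associations": [{"Main": False, "RouteTableId": "rtb-custom", "SubnetId": "subnet-private2"}]},
]}

# Constructed sample: one NAT Gateway in Subnet 1 with an Elastic IP allocation attached.
SAMPLE_NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-0example", "SubnetId": "subnet-public1", "State": "available",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0example", "PublicIp": "203.0.113.10"}]},
]}


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    tables = route_tables["RouteTables"]
    explicit = [rt for rt in tables if any(a.get("SubnetId") == subnet_id for a in rt["Associations"])]
    main = [rt for rt in tables if any(a.get("Main") for a in rt["Associations"])]
    return (explicit or main)[0]  # every VPC has exactly one main route table


def default_route(rt):
    """The active 0.0.0.0/0 route of a table, or None if the table has no internet route."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None


def classify_subnet(route_tables, subnet_id):
    """'public' (default route via an IGW), 'nat' (via a NAT Gateway) or 'isolated' (no default route)."""
    route = default_route(route_table_for_subnet(route_tables, subnet_id))
    if route is None:
        return "isolated"
    if route.get("GatewayId", "").startswith("igw-"):
        return "public"
    return "nat" if route.get("NatGatewayId") else "other"


def check_subnet_plan(vpc_cidr, subnets):
    """Every subnet must lie inside the VPC block and no two subnets may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s["SubnetId"], ipaddress.ip_network(s["CidrBlock"])) for s in subnets["Subnets"]]
    findings = [f"{sid}: {net} is outside {vpc}" for sid, net in nets if not net.subnet_of(vpc)]
    for i, (sid_a, a) in enumerate(nets):
        findings += [f"{sid_a} and {sid_b} overlap" for sid_b, b in nets[i + 1:] if a.overlaps(b)]
    return findings


def audit_nat_setup(subnets, route_tables, nat_gateways, private_subnet_id):
    """Findings against the article's checklist; an empty list means the private subnet
    reaches the internet only through a working NAT Gateway."""
    findings = check_subnet_plan(VPC_CIDR, subnets)
    rt = route_table_for_subnet(route_tables, private_subnet_id)
    if classify_subnet(route_tables, private_subnet_id) != "nat":
        return findings + [f"{private_subnet_id}: default route must point at a NAT Gateway"]
    # An Internet Gateway route in the private table would expose the subnet directly.
    if any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"]):
        findings.append(f"{rt['RouteTableId']}: carries an Internet Gateway route")
    nat_id = default_route(rt)["NatGatewayId"]
    nat = next((n for n in nat_gateways["NatGateways"] if n["NatGatewayId"] == nat_id), None)
    if nat is None:
        return findings + [f"{nat_id}: referenced by {rt['RouteTableId']} but does not exist"]
    if nat["State"] != "available":
        findings.append(f"{nat_id}: state is {nat['State']}, not available")
    if not any(a.get("AllocationId") for a in nat["NatGatewayAddresses"]):
        findings.append(f"{nat_id}: no Elastic IP attached")
    # The gateway itself needs a way out: its own subnet must route 0.0.0.0/0 to an IGW.
    if classify_subnet(route_tables, nat["SubnetId"]) != "public":
        findings.append(f"{nat_id}: sits in {nat['SubnetId']}, which has no Internet Gateway route")
    return findings


def broken_example():
    """Constructed misconfiguration: the NAT Gateway was created in Subnet 2 instead of Subnet 1."""
    bad = copy.deepcopy(SAMPLE_NAT_GATEWAYS)
    bad["NatGateways"][0]["SubnetId"] = "subnet-private2"
    return audit_nat_setup(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, bad, "subnet-private2")
```

On a real account, replace the SAMPLE_* dictionaries with the saved output of the three describe commands (loaded with json.load) and pass the private subnet's id to audit_nat_setup; an empty list means the checklist holds. broken_example shows a common mistake, a NAT Gateway created in the private subnet it is meant to serve: the private subnet's default route then leads to a gateway that itself has no route to the Internet Gateway, so the audit returns a finding instead of an empty list.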
The NAT Gateway setup is now complete. Let us first connect to the instances and then test internet connectivity.
- Connect to the public instance Webserver using SSH –

Figure 11 : Connect to Webserver
- Now, to connect to the private instance, which is in another subnet, we first have to copy the key associated with it onto the public instance in Subnet 1 –

Figure 12 : Copy key inside public EC2 Instance
- Access DB_Server using the instance's private IP and the key pair –

Figure 13 : Connect to DB_Server
- Finally, we have to test internet connectivity from DB_Server. We can do this by running the ping command against a website that has ICMP enabled, for example: ping ietf.org

Figure 14 : Internet Connectivity at private instance
In this way we can give private subnets internet access as well, while keeping the network secure by using a NAT Gateway.
Hope you like the article. If it is worth reading at least once, please do like and share!
