To access the internet from a private subnet, we have two methods:
a) By using a NAT Gateway
b) By using a NAT Instance
By Using NAT Instance
1) Launch the NAT instance in the public subnet (AMI to be used: Amazon NAT AMI)
2) Launch the instance in the private subnet
3) Assign an EIP to the NAT instance
4) Disable the Source/Destination check for the NAT instance (Select Instance -> Actions -> Networking -> Uncheck Source/Destination check)
5) Update the iptables NAT table as below, i.e. POSTROUTING to MASQUERADE:
# iptables -t nat -A POSTROUTING -o eth0 -s <private subnet> -j MASQUERADE
6) Modify the security group of the NAT instance: add an inbound rule for all traffic, or only for the required ports, from the private subnet
7) Modify the route table of the private subnet so that 0.0.0.0/0 points to the NAT instance
Optionally tune connection tracking on the NAT instance, then run the NAT AMI's PAT configuration script:
cat <<EOF | sudo tee /etc/sysctl.d/custom_nat_tuning.conf
# for large instance types, allow keeping track of more
# connections (requires enough RAM)
net.ipv4.netfilter.ip_conntrack_max=262144
EOF
sudo sysctl -p /etc/sysctl.d/custom_nat_tuning.conf
/usr/local/sbin/configure-pat.sh
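The following script is an added example, not code from the original post or from the Amazon NAT AMI. It wraps the iptables step above in a reviewable form: it validates the private subnet CIDR, prints the commands needed on the NAT instance, and applies them only when run as root with --apply. It goes slightly beyond the single MASQUERADE rule in the post by also enabling IP forwarding and restricting the FORWARD chain so that only the named private subnet can use the instance to reach the internet. Assumptions: the outbound interface is eth0 unless a second argument is given, and the script name nat-instance.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or the NAT AMI). Assumed usage:
#   ./nat-instance.sh <private-subnet-cidr> [iface] [--apply]
# Without --apply the commands are only printed so they can be reviewed.

# Return 0 when $1 looks like an IPv4 CIDR (e.g. 10.0.1.0/24), else 1.
is_ipv4_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip="${1%/*}"
    prefix="${1#*/}"
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $ip          # split the address into its octets
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that turn this host into a NAT for one private subnet:
# the POSTROUTING MASQUERADE rule from the post, plus IP forwarding and a
# FORWARD policy that only lets the private subnet's traffic through.
nat_commands() {
    cidr="$1"
    iface="${2:-eth0}"
    is_ipv4_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $iface -s $cidr -j MASQUERADE
iptables -A FORWARD -i $iface -o $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $cidr -o $iface -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Apply the generated commands on the live system (root only).
apply_nat() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    nat_commands "$1" "$2" | sh -e
}

main() {
    subnet="$1"; shift
    iface=eth0; apply=no
    for arg in "$@"; do
        case "$arg" in
            --apply) apply=yes ;;
            *) iface="$arg" ;;
        esac
    done
    if [ "$apply" = yes ]; then
        apply_nat "$subnet" "$iface"
    else
        nat_commands "$subnet" "$iface"
    fi
}

# Only act when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once without --apply and check that the printed MASQUERADE rule names exactly the private subnet CIDR; a rule with a broader source (or no -s at all) would let any instance that can route through this host use it as a NAT.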
By Using NAT Gateway
1) Launch the NAT Gateway in the public subnet
2) Launch the instance in the private subnet
3) Assign an EIP to the NAT Gateway
4) Modify the route table of the private subnet so that 0.0.0.0/0 points to the NAT Gateway
| Displayed error | Reason | Remedial steps |
|---|---|---|
| Subnet has insufficient free addresses to create this NAT gateway | The subnet you specified does not have any free private IP addresses. The NAT gateway requires a network interface with a private IP address allocated from the subnet's range. | You can check how many IP addresses are available in your subnet by going to the Subnets page in the Amazon VPC console and viewing the Available IPs field in the details pane for your subnet. To create free IP addresses in your subnet, you can delete unused network interfaces or terminate instances that you do not require. |
| Network vpc-xxxxxxxx has no Internet gateway attached | A NAT gateway must be created in a VPC with an Internet gateway. | Create and attach an Internet gateway to your VPC. For more information, see Attaching an Internet Gateway. |
| Elastic IP address eipalloc-xxxxxxxx could not be associated with this NAT gateway | The Elastic IP address that you specified does not exist or could not be found. | Check the allocation ID of the Elastic IP address to ensure that you entered it correctly. Ensure that you have specified an Elastic IP address that's in the same region in which you're creating the NAT gateway. |
| Elastic IP address eipalloc-xxxxxxxx is already associated | The Elastic IP address that you specified is already associated with another resource, and cannot be associated with the NAT gateway. | You can check which resource is associated with the Elastic IP address by going to the Elastic IPs page in the Amazon VPC console and viewing the values specified for the instance ID or network interface ID. If you do not require the Elastic IP address for that resource, you can disassociate it. Alternatively, allocate a new Elastic IP address to your account. For more information, see Working with Elastic IP Addresses. |
| Network interface eni-xxxxxxxx, created and used internally by this NAT gateway is in an invalid state. Please try again. | There was a problem creating or using the network interface for the NAT gateway. | You cannot fix this error. Try creating a NAT gateway again. |
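The first four rows of the table above are all conditions that can be checked before calling create-nat-gateway. The script below is an added example, not part of the original post: the check itself is a pure function that takes the three values (free IPs in the subnet, number of attached Internet gateways, and the EIP's association id) and reports the matching reason; the aws CLI calls that gather those values run only when the script is invoked with a subnet id, VPC id and EIP allocation id. Assumptions: the AWS CLI is installed and configured for the target region, the script name nat-gateway-preflight.sh is hypothetical, and the AWS CLI renders a null AssociationId as the text "None".

```shell
#!/bin/sh
# Added example (not from the original post). Assumed usage:
#   ./nat-gateway-preflight.sh <subnet-id> <vpc-id> <eipalloc-id>

# Return 0 when a NAT gateway can be created, 1 otherwise. Each failure
# prints the reason that corresponds to the creation-time error.
#   $1  available private IP count in the subnet
#   $2  number of Internet gateways attached to the VPC
#   $3  association id of the EIP ("None" = unassociated, "" = not found)
check_nat_gateway_prereqs() {
    avail="$1"; igw_count="$2"; eip_assoc="$3"
    ok=0
    if [ "${avail:-0}" -lt 1 ]; then
        echo "subnet has no free private IP addresses: delete unused ENIs or terminate idle instances" >&2
        ok=1
    fi
    if [ "${igw_count:-0}" -lt 1 ]; then
        echo "VPC has no Internet gateway attached: create and attach one" >&2
        ok=1
    fi
    case "$eip_assoc" in
        '')   echo "Elastic IP allocation not found: check the allocation id and the region" >&2; ok=1 ;;
        None) ;;
        *)    echo "Elastic IP is already associated ($eip_assoc): disassociate it or allocate a new one" >&2; ok=1 ;;
    esac
    return $ok
}

# Gather the three inputs with the AWS CLI and run the check.
gather_and_check() {
    subnet_id="$1"; vpc_id="$2"; alloc_id="$3"
    avail=$(aws ec2 describe-subnets --subnet-ids "$subnet_id" \
        --query 'Subnets[0].AvailableIpAddressCount' --output text)
    igw_count=$(aws ec2 describe-internet-gateways \
        --filters "Name=attachment.vpc-id,Values=$vpc_id" \
        --query 'length(InternetGateways)' --output text)
    # A non-existent allocation id makes the CLI fail; an empty value then
    # maps to the "could not be associated" row of the table.
    eip_assoc=$(aws ec2 describe-addresses --allocation-ids "$alloc_id" \
        --query 'Addresses[0].AssociationId' --output text 2>/dev/null)
    check_nat_gateway_prereqs "$avail" "$igw_count" "$eip_assoc"
}

# Only call the AWS CLI when invoked with arguments, so the check function
# can be sourced and exercised offline.
if [ $# -eq 3 ]; then
    gather_and_check "$1" "$2" "$3"
fi
```

The last row of the table (the internal ENI in an invalid state) is transient and cannot be pre-checked, which is why the script only covers the first four.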
Comparison of NAT Instances and NAT Gateways
The following is a high-level summary of the differences between NAT instances and NAT gateways.
| Attribute | NAT gateway | NAT instance |
|---|---|---|
| Availability | Highly available. NAT gateways in each Availability Zone are implemented with redundancy. Create a NAT gateway in each Availability Zone to ensure zone-independent architecture. | Use a script to manage failover between instances. |
| Bandwidth | Supports bursts of up to 10Gbps. | Depends on the bandwidth of the instance type. |
| Maintenance | Managed by AWS. You do not need to perform any maintenance. | Managed by you, for example, by installing software updates or operating system patches on the instance. |
| Performance | Software is optimized for handling NAT traffic. | A generic Amazon Linux AMI that's configured to perform NAT. |
| Cost | Charged depending on the number of NAT gateways you use, duration of usage, and amount of data that you send through the NAT gateways. | Charged depending on the number of NAT instances that you use, duration of usage, and instance type and size. |
| Type and size | Uniform offering; you don’t need to decide on the type or size. | Choose a suitable instance type and size, according to your predicted workload. |
| Public IP addresses | Choose the Elastic IP address to associate with a NAT gateway at creation. | Use an Elastic IP address or a public IP address with a NAT instance. You can change the public IP address at any time by associating a new Elastic IP address with the instance. |
| Private IP addresses | Automatically selected from the subnet's IP address range when you create the gateway. | Assign a specific private IP address from the subnet's IP address range when you launch the instance. |
| Security groups | Cannot be associated with a NAT gateway. You can associate security groups with your resources behind the NAT gateway to control inbound and outbound traffic. | Associate with your NAT instance and the resources behind your NAT instance to control inbound and outbound traffic. |
| Network ACLs | Use a network ACL to control the traffic to and from the subnet in which your NAT gateway resides. | Use a network ACL to control the traffic to and from the subnet in which your NAT instance resides. |
| Flow logs | Use flow logs to capture the traffic. | Use flow logs to capture the traffic. |
| Port forwarding | Not supported. | Manually customize the configuration to support port forwarding. |
| Bastion servers | Not supported. | Use as a bastion server. |
| Traffic metrics | Not supported. | View CloudWatch metrics. |
| Timeout behavior | When a connection times out, a NAT gateway returns an RST packet to any resources behind the NAT gateway that attempt to continue the connection (it does not send a FIN packet). | When a connection times out, a NAT instance sends a FIN packet to resources behind the NAT instance to close the connection. |
| IP fragmentation | Supports forwarding of IP fragmented packets for the UDP protocol. Does not support fragmentation for the TCP and ICMP protocols; fragmented packets for these protocols will get dropped. | Supports reassembly of IP fragmented packets for the UDP, TCP, and ICMP protocols. |