Within a VPC (a logically isolated partition of the AWS public cloud), you can define your desired IP address range, create subnets, configure route tables, and so forth.

You can also connect to the VPC using a Virtual Private Gateway (VPG). The VPG lets you connect from an existing on-premises network over a hardware Virtual Private Network (VPN) connection.

The Challenge

A network challenge arises when EC2 instances in a private VPC subnet need to connect to the public Internet.

Since the subnet is private, the IP addresses assigned to the instances are not publicly reachable. This is where NAT helps out: a NAT device maps the private IP address to a public address on the way out, and maps the public IP address back to the private address on the return path.

Step 1 – Create an AWS Managed NAT Gateway

Performing this translation at scale can be challenging. In order to simplify this task, AWS offers a Managed NAT Gateway.

Each NAT gateway that you create can handle up to 10 Gbps of bursty TCP, UDP, and ICMP traffic, and is managed by Amazon. You control the public IP address by assigning an Elastic IP Address when you create the gateway.

[Image: vpc_create_nat]

Step 2 – Edit your route table to use the NAT Gateway

You now need to edit your VPC’s route tables to send traffic destined for the Internet to the NAT gateway.

The gateway’s internal (private) IP address will be chosen automatically, and will be on the subnet associated with the gateway. Here’s a sample route table:

[Image: nat_route_table]
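As an added example (not part of the original post), here is a small Python check that audits the outcome of Steps 1 and 2 against data in the shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`: the private subnet's default route must point at a NAT gateway, and that gateway must itself live in a public subnet whose route table sends 0.0.0.0/0 to an Internet Gateway. All resource IDs and route tables in it are constructed sample values.

```python
# Added example, not from the original post: audit the result of Step 2. The private
# subnet's 0.0.0.0/0 route must target a NAT gateway, and that gateway must sit in a
# public subnet (its own route table sends 0.0.0.0/0 to an Internet Gateway).

def _default_route(rtb):
    """The 0.0.0.0/0 route of a route table, or None if there is none."""
    return next((r for r in rtb.get("Routes", [])
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def _rtb_for_subnet(route_tables, subnet_id):
    """Route table explicitly associated with subnet_id (None if only the main table applies)."""
    return next((t for t in route_tables if any(
        a.get("SubnetId") == subnet_id for a in t.get("Associations", []))), None)

def check_private_subnet_egress(subnet_id, route_tables, nat_gateways):
    """Return a list of findings; an empty list means the egress path looks right."""
    rtb = _rtb_for_subnet(route_tables, subnet_id)
    route = _default_route(rtb) if rtb else None
    if route is None:
        return [f"{subnet_id}: no 0.0.0.0/0 route in an explicitly associated route table"]
    if route.get("GatewayId", "").startswith("igw-"):
        return [f"{subnet_id}: default route goes straight to an IGW, so this subnet is public"]
    ngw_id = route.get("NatGatewayId")
    if not ngw_id:
        return [f"{subnet_id}: default route target is not a NAT gateway"]
    findings = [f"{subnet_id}: route to {ngw_id} is blackholed"] if route.get("State") == "blackhole" else []
    ngw = next((n for n in nat_gateways if n["NatGatewayId"] == ngw_id), None)
    if ngw is None:
        return findings + [f"{ngw_id}: referenced by {subnet_id} but does not exist"]
    if ngw.get("State") != "available":
        findings.append(f"{ngw_id}: state is {ngw.get('State')}, not available")
    ngw_rtb = _rtb_for_subnet(route_tables, ngw["SubnetId"])  # the NAT gateway's own subnet
    ngw_route = _default_route(ngw_rtb) if ngw_rtb else None
    if not (ngw_route and ngw_route.get("GatewayId", "").startswith("igw-")):
        findings.append(f"{ngw_id}: its subnet {ngw['SubnetId']} has no explicit route table with an IGW default route")
    return findings

# Constructed sample data: a correct private/public pair, plus a NAT gateway created in a subnet with no IGW route.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-sample", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-good", "State": "active"}]},
    {"RouteTableId": "rtb-private2", "Associations": [{"SubnetId": "subnet-private2"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-misplaced", "State": "active"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-good", "SubnetId": "subnet-public", "State": "available"},
                {"NatGatewayId": "nat-misplaced", "SubnetId": "subnet-isolated", "State": "available"}]
```

Run `check_private_subnet_egress("subnet-private2", ROUTE_TABLES, NAT_GATEWAYS)` to see the misplaced-gateway finding; the same functions accept the JSON from the two CLI calls above once `RouteTables` / `NatGateways` are unwrapped.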

What about NAT Instances?

NAT Instances are different from NAT Gateways, but can be used to accomplish the same thing. A NAT Instance is a full-blown EC2 instance, and as such can leverage all the usual AWS constructs (Security Groups, CloudWatch, port forwarding, etc.). Each option has its own strengths and weaknesses.

Summary

Your home wireless network is a very basic example of how NATting works. Your cable router is basically a NAT router with a single public IP on its external interface and several private IPs on the internal interface.

AWS offers a couple of different options for providing NAT from your internal VPC subnets to external Internet IPs. NAT Gateways and NAT Instances can both be used to provide this private-in, public-out routing.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Author: Anuj Varma (Hands-On Technology Architect, Clean Air Activist).