AWS NAT Instance & NAT Gateway
- Let's create a VPC with 4 subnets:
  - web and mgmt: public
  - app and db: private
- Create one EC2 instance in the public subnet (web) and check whether it is able to access the internet
- From the EC2 instance in the web subnet we are able to ping the internet
- Create one EC2 instance in the private subnet (app) and check whether it is able to access the internet (use the web EC2 instance as a bastion host)
- The EC2 instance in the private subnet is unable to connect to the internet
- In many cases we do not want machines in the private subnet to be reachable from the internet, but we do want those machines to be able to connect out to the internet.
- How can I enable internet access for machines in the private subnet without making them public?
- To understand this, let's look at how a home internet connection works: many devices with private addresses share one public address through a router that performs NAT.
- So in AWS, if we create a NAT server as shown in the image above, machines in the private subnet can connect to the internet. AWS gives us two options:
- NAT instance:
  - Create an EC2 instance with NAT software on it
  - Assign it a static public IP address (Elastic IP address)
  - Change the route table of the private subnets to forward 0.0.0.0/0 to the NAT instance
  - Disadvantages:
    - Since we are creating an EC2 instance, OS maintenance (patching, hardening) is our responsibility
    - If this server fails, troubleshooting or recreating it is our responsibility (it is a single point of failure unless we build our own HA)
- NAT gateway:
  - NAT as a service
  - AWS creates and manages the NAT (including scaling and availability within the AZ)
  - We only need to manage the routes in our private route table
- Now let's create a NAT gateway in our public subnet and modify the private route table so that 0.0.0.0/0 points to it
- Now let's verify whether the machine in the private subnet is able to connect to the internet
- Note: the NAT gateway is chargeable (hourly plus per-GB processed), so delete the NAT gateway and release the Elastic IP address when you are done
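The whole procedure above (VPC, four subnets, Internet Gateway for the public tier, Elastic IP plus NAT gateway in the web subnet, and a private route table whose default route goes to the NAT gateway) expressed as Terraform. This is an added example, not code from the original notes; the region, VPC name, CIDR ranges and subnet names are assumptions chosen for illustration.

```hcl
# Added example (not part of the original notes). All names, the region and
# the CIDR ranges below are assumptions.

provider "aws" {
  region = "us-east-1" # assumed region
}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  tags                 = { Name = "nat-demo" }
}

# Two public subnets (web, mgmt) and two private subnets (app, db).
locals {
  subnets = {
    web  = { cidr = "10.0.1.0/24", public = true }
    mgmt = { cidr = "10.0.2.0/24", public = true }
    app  = { cidr = "10.0.3.0/24", public = false }
    db   = { cidr = "10.0.4.0/24", public = false }
  }
}

resource "aws_subnet" "this" {
  for_each                = local.subnets
  vpc_id                  = aws_vpc.main.id
  cidr_block              = each.value.cidr
  # Only the public subnets hand out public IPs; app/db instances never get one.
  map_public_ip_on_launch = each.value.public
  tags                    = { Name = each.key }
}

# Internet Gateway: gives the public subnets two-way internet connectivity.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# Elastic IP: the static public address the NAT gateway translates to.
resource "aws_eip" "nat" {
  domain = "vpc"
}

# Managed NAT gateway placed in the public web subnet.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.this["web"].id
  depends_on    = [aws_internet_gateway.igw]
}

# Private route table: default route to the NAT gateway, not to the IGW.
# The NAT gateway only forwards connections initiated from inside the VPC,
# so app/db instances can reach the internet but cannot be reached from it.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

# Public subnets use the IGW table, private subnets use the NAT table.
resource "aws_route_table_association" "assoc" {
  for_each       = local.subnets
  subnet_id      = aws_subnet.this[each.key].id
  route_table_id = each.value.public ? aws_route_table.public.id : aws_route_table.private.id
}
```

After `terraform apply`, the verification step from the notes is the same: hop through the web instance to an instance in the app subnet and check outbound connectivity (for example `curl -sI https://aws.amazon.com`); the request should succeed and leave with the NAT gateway's Elastic IP as its source address. Because the NAT gateway is billed hourly, `terraform destroy` removes the gateway and releases the Elastic IP in one step, matching the note above.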
Multi-Network Scenarios
- Scenario 1: Both networks in AWS
  - Let's assume we have a web server in one VPC and an app server in a different VPC
  - For the application to work, the web server has to communicate with the app server.
  - We don't want public connectivity between the app and web servers. How can we establish private connectivity between two servers in two different VPCs?
  - Solution: VPC Peering Connection
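Scenario 1 as Terraform: a peering connection between the two VPCs, a route on each side pointing the other VPC's CIDR at the peering connection, and a security group rule that admits only the web VPC on the app port. This is an added example, not code from the original notes; both VPCs, their CIDRs (which must not overlap for peering to work), the app port and the same-account, same-region assumption are illustrative choices. It assumes an AWS provider block is already configured elsewhere.

```hcl
# Added example (not part of the original notes). VPC CIDRs, the app port and
# the same-account/same-region setup are assumptions.

resource "aws_vpc" "web" {
  cidr_block = "10.10.0.0/16"
  tags       = { Name = "web-vpc" }
}

resource "aws_vpc" "app" {
  cidr_block = "10.20.0.0/16" # must not overlap with the web VPC
  tags       = { Name = "app-vpc" }
}

resource "aws_route_table" "web" {
  vpc_id = aws_vpc.web.id
}

resource "aws_route_table" "app" {
  vpc_id = aws_vpc.app.id
}

# Peering request from the web VPC to the app VPC. auto_accept works because
# both VPCs are assumed to be in the same account and region.
resource "aws_vpc_peering_connection" "web_to_app" {
  vpc_id      = aws_vpc.web.id # requester
  peer_vpc_id = aws_vpc.app.id # accepter
  auto_accept = true
}

# Each side needs a route to the other VPC's CIDR via the peering connection.
# Peering is not transitive: only these two CIDRs become reachable, nothing
# behind either VPC (other peers, VPNs, the internet) is exposed.
resource "aws_route" "web_to_app" {
  route_table_id            = aws_route_table.web.id
  destination_cidr_block    = aws_vpc.app.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.web_to_app.id
}

resource "aws_route" "app_to_web" {
  route_table_id            = aws_route_table.app.id
  destination_cidr_block    = aws_vpc.web.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.web_to_app.id
}

# Security group for the app server: only the web VPC may reach the app port.
resource "aws_security_group" "app" {
  name   = "app-server"
  vpc_id = aws_vpc.app.id
}

resource "aws_security_group_rule" "app_from_web" {
  type              = "ingress"
  security_group_id = aws_security_group.app.id
  from_port         = 8080 # assumed app port
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.web.cidr_block]
}
```

The routes are what make the connection private: traffic between the two CIDRs stays on the AWS backbone and never needs a public IP, an Internet Gateway or a NAT gateway. The security group rule keeps the exposure to the one port and the one source network the scenario requires, so the peering does not silently open the whole app VPC to the web VPC.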
- Scenario 2: One network on-premises and one VPC
  - Your application has a database which is on-premises
  - The web server is running in an AWS VPC. How can I establish private connectivity between the web server and the app server?
  - Solution: AWS VPN connections (point-to-site and site-to-site) or Direct Connect