Exam Objective
The topic “NAT Gateway” falls under the Design and Implementation of AWS Networks domain, as highlighted in the AWS Certified Advanced Networking Blueprint exam guide.
https://d1.awsstatic.com/training-and-certification/docs-advnetworking-spec/AWS_Certified_Advanced_Networking_Blueprint.pdf
What is NAT Gateway?
A NAT gateway connects instances in a private subnet to the internet. Instead of exposing private instances directly through the Internet gateway, all of their outbound traffic can be routed through the NAT gateway.
A NAT instance can also be used for traffic originating from private instances, but the NAT gateway offers the following benefits over NAT instances:
1) High availability – NAT gateways are deployed with redundancy within each Availability Zone, so AWS ensures that the gateway is always up and running. A NAT instance, by contrast, carries the extra maintenance overhead of keeping it available yourself.
2) Bandwidth – The NAT gateway supports bursts of up to 10 Gbps by default. With a NAT instance, bandwidth depends on the instance type.
3) Maintenance – AWS handles all maintenance of the NAT gateway. With a NAT instance, you would be responsible for all of its maintenance.
A few reasons you might still want to use a NAT instance include situations where:
1) You want the NAT instance to double as a bastion host
2) You want the NAT instance to also provide port forwarding
Implementation of NAT Gateway
Step 1: First, let’s make sure we have a custom VPC for this exercise. If you don’t already have one, create one.
In our example, we created a Custom VPC with a CIDR Block of 10.0.0.0/16
Step 2: Next, let’s make sure we have created two subnets within this VPC: one public and one private.
Below is a snapshot of the private subnet
Below is the definition for the public subnet
Step 3: We will also create a custom route table, as shown below, and attach it to the public subnet.
Below is the main route table, which is associated with the VPC and therefore with the private subnet
Step 4: Next, let’s define 2 EC2 instances. One in the private subnet, the other in public.
We will use the AMI Type of Ubuntu and the Instance type of t2.micro.
These are the servers in their up-and-running state.
Make sure the private server’s Security Group is set up to allow incoming requests from both the public server and the NAT gateway.
We will specify the private IP address of the public server for internal SSH and the private IP of the NAT gateway for Internet access.
Step 5: Next, we need to create a NAT gateway.
Navigate to the VPC section, and create the NAT gateway.
Select the public subnet in the definition. You can create an Elastic IP from this screen if you don’t already have one.
Initially, the NAT gateway will remain in the pending status while it is provisioned.
Once the NAT gateway is provisioned, it will be in an available state.
Step 6: Now modify the route tables to make sure that the main route table contains a route to the Internet via the NAT gateway.
Step 7: Now let’s connect to the server in the public subnet. Make sure the .pem key file has been copied to the public server so that it can be used to connect to the private server.
Also, make sure that the key file has the proper permissions.
Use the following command on the public server to connect to the private server (the private server’s IP address is a placeholder here; ubuntu is the default user on the Ubuntu AMI).
ssh -i "awsireland.pem" ubuntu@<private-server-ip>
Step 8: To confirm that the private server can reach the Internet, update the packages on your private server.
If the update succeeds, the private server is reaching the internet via the NAT gateway.
Important Points to Keep in Mind
Security Groups cannot be associated with a NAT gateway. To control outbound and inbound traffic, associate security groups with the resources behind it.
To control traffic to and from your NAT gateway’s subnet, use a network ACL.
The public subnet must contain the NAT gateway.
To point Internet-bound traffic to your NAT gateway, you will need to update the route table associated with one or more private subnets after creation. This allows instances within your private subnets to communicate with the internet.
A NAT gateway supports TCP, UDP and ICMP.