{"id":23915,"date":"2015-07-28T15:55:31","date_gmt":"2015-07-28T10:25:31","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=23915"},"modified":"2015-07-29T11:38:24","modified_gmt":"2015-07-29T06:08:24","slug":"configure-nat-instance-on-aws","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/configure-nat-instance-on-aws\/","title":{"rendered":"Configure NAT Instance on AWS"},"content":{"rendered":"<p>The purpose of this blog post is to configure a NAT (network address translation) instance on AWS by setting up a customized Virtual Private Cloud (VPC). <a title=\"AWS EC2 Instances Consulting Services\" href=\"http:\/\/www.tothenew.com\/devops-aws\">AWS EC2 Instances<\/a> that we have launched into a private sub-net in a VPC can&#8217;t communicate with the Internet. So we use a NAT instance launched in the public sub-net of our VPC to enable instances in the private sub-nets to initiate outbound traffic to the Internet, while preventing those instances from receiving inbound traffic initiated by someone on the Internet, for security reasons. NAT is a method of remapping one IP address into another by modifying the network address information in IP datagram packet headers while they are in transit across a traffic routing device.<\/p>\n<p>NAT is the process where a network device, usually a firewall, assigns a public address to a server (or group of servers) inside a private network. 
The main use of NAT is to limit the number of public IP addresses, for both economy and security purposes.<\/p>\n<p><strong>Brief overview of configuring a NAT instance on AWS:<\/strong><\/p>\n<ul>\n<li>Create a VPC with two sub-nets (a public and a private sub-net).<\/li>\n<li>Launch an instance in each sub-net.<\/li>\n<li>Modify the security groups (inbound &amp; outbound rules) for each instance launched in the public and private sub-nets.<\/li>\n<li>Select the NAT instance AMI (Amazon Machine Image) from the AWS Community AMIs.<\/li>\n<li>Edit the routing tables.<\/li>\n<li>Disable source\/destination checks for the NAT instance.<\/li>\n<\/ul>\n<p><strong>Steps to configure NAT<\/strong>:<\/p>\n<ul>\n<li>Create a VPC &#8220;<strong>Nat_Testing_VPC<\/strong>&#8221; with two sub-nets, one &#8220;<strong>Nat_Testing_Private<\/strong>&#8221; and the other &#8220;<strong>Nat_Testing_Public<\/strong>&#8221;.<\/li>\n<li>We launch our NAT instance AMI in the public sub-net &#8220;<strong>Nat_Testing_Public<\/strong>&#8221; inside our VPC &#8220;<strong>Nat_Testing_VPC<\/strong>&#8221;.<\/li>\n<\/ul>\n<p>VPC &#8220;<strong>Nat_Testing_VPC<\/strong>&#8221; CIDR range: 10.0.0.0\/24<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-23930\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/NAT.png\" alt=\"NAT\" width=\"647\" height=\"183\" \/><\/p>\n<p><strong>Sub-net<\/strong> CIDR range: &#8220;<strong>Nat_Testing_Private<\/strong>&#8221;: 10.0.0.128\/25<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-23937\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-27-143207.png\" alt=\"Screenshot from 2015-07-27 14:32:07\" width=\"642\" height=\"204\" \/><\/p>\n<p>CIDR range: &#8220;<strong>Nat_Testing_Public<\/strong>&#8221;: 10.0.0.0\/25<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-23938 size-full\" 
src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-27-143428.png\" alt=\"\" width=\"651\" height=\"210\" \/><\/p>\n<ul>\n<li>Modify the security groups (inbound &amp; outbound rules) for each instance launched in the public and private sub-nets.<\/li>\n<\/ul>\n<p>Security group for the NAT instance:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-23945\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-27-144911.png\" alt=\"Screenshot from 2015-07-27 14:49:11\" width=\"633\" height=\"582\" \/><\/p>\n<p>Security group for the instances in the &#8220;<strong>Nat_Testing_Private<\/strong>&#8221; sub-net:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-23942\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-27-144318.png\" alt=\"Screenshot from 2015-07-27 14:43:18\" width=\"636\" height=\"553\" \/><\/p>\n<ul>\n<li>To route traffic from the public sub-net &#8220;<strong>Nat_Testing_Public<\/strong>&#8221; to the Internet, we create the Internet Gateway (igw) &#8220;<strong>AEM_igw<\/strong>&#8221; and attach it to our VPC &#8220;<strong>Nat_Testing_VPC<\/strong>&#8221;.<\/li>\n<\/ul>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-23949\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-27-145737.png\" alt=\"Screenshot from 2015-07-27 14:57:37\" width=\"647\" height=\"222\" \/><\/p>\n<ul>\n<li>Launch the NAT instance in the public sub-net &#8220;<strong>Nat_Testing_Public<\/strong>&#8221; inside our VPC &#8220;<strong>Nat_Testing_VPC<\/strong>&#8221; using the AMI from &#8220;<strong>Community AMIs<\/strong>&#8221;. 
Search for the AMI by the name &#8220;<b>amzn-ami-vpc-nat<\/b>&#8221;.<\/li>\n<\/ul>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-23953\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-27-150228.png\" alt=\"Screenshot from 2015-07-27 15:02:28\" width=\"648\" height=\"274\" \/><\/p>\n<p>Note: Please enable auto-assign public IP for the NAT instance (only for instances launched in the <strong>Nat_Testing_Public<\/strong> sub-net).<\/p>\n<ul>\n<li>A route table specifies how packets are forwarded between the sub-nets within your VPC, the Internet, and your VPN connection, so we need to create the routing table &#8220;<strong>Nat_Testing_Routing_public<\/strong>&#8221; for this purpose.<\/li>\n<\/ul>\n<p><strong>Note:<\/strong> The next step is to edit the routes in our routing table &#8220;<strong>Nat_Testing_Routing_public<\/strong>&#8221;.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-24148\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-28-121448.png\" alt=\"Screenshot from 2015-07-28 12:14:48\" width=\"671\" height=\"192\" \/><br \/>\nWith this entry, we define the route to the Internet via the Internet Gateway attached to our VPC.<\/p>\n<ul>\n<li>Associate the public sub-net with the routing table &#8220;<strong>Nat_Testing_Routing_public<\/strong>&#8221; shown below.<\/li>\n<\/ul>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-24150\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-28-124309.png\" alt=\"Screenshot from 2015-07-28 12:43:09\" width=\"651\" height=\"237\" \/><\/p>\n<ul>\n<li>By default, the VPC comes with a routing table called the Main routing table, and we are not going to make changes to it (making changes to the Main routing table is not recommended).<\/li>\n<li>So we created a 
new routing table &#8220;<strong>Nat_Testing_Routing_private<\/strong>&#8221; and attached the &#8220;<strong>Nat_Testing_Private<\/strong>&#8221; sub-net to it through Sub-net Associations to initiate the traffic flow. The image below shows the routes for this table.<\/li>\n<\/ul>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-24139\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/07\/Screenshot-from-2015-07-28-113951.png\" alt=\"Screenshot from 2015-07-28 11:39:51\" width=\"657\" height=\"194\" \/><br \/>\n<b>Note:<\/b> [0.0.0.0\/0 eni-dd2d1395 \/ i-2cf26dfc] (0.0.0.0\/0 nat-instance-id) is the route that sends traffic from the EC2 instances in the private sub-net to the Internet through the NAT instance.<\/p>\n<p>The status is showing Black Hole because my NAT instances are in the stopped state.<\/p>\n<ul>\n<li><strong>Last step: disable source\/destination checks for the NAT instance<\/strong><\/li>\n<\/ul>\n<p>Each EC2 instance performs source\/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source\/destination checks on the NAT instance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The purpose of this blog post is to configure a NAT (network address translation) instance on AWS by setting up a customized Virtual Private Cloud (VPC). AWS EC2 Instances that we have launched into a private sub-net in a VPC can&#8217;t communicate with the Internet. 
So we use a NAT instance launched in our public sub-net in our VPC to [&hellip;]<\/p>\n","protected":false},"author":215,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":37},"categories":[1174,1],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/23915"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/215"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=23915"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/23915\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=23915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=23915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=23915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}