3

This question was originally posted to stack overflow, they suggested I repost it here (https://stackoverflow.com/questions/76715004/aws-nat-instance-setup).

I am currently learning the AWS cloud and decided to build the following architecture as a challenge:

  • A VPC with a public and private subnet. The public subnet has access to the internet via an internet gateway.
  • A NAT EC2 instance in the public subnet, that should act as a NAT gateway to allow instances in the private subnet access to the internet.
  • An instance in the private subnet to test the internet connectivity.

I have the following documentation as a reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html

However after countless tries I was not able to allow the private instance access to the internet. I will outline all the steps I took. They should match those in the documentation.

  • Create the VPC: use the aws console to create a default vpc with 2 subnets (1 public, 1 private) in 1 AZ.

enter image description here

All settings are as default, the NACL should allow everything, and the public route table points 0.0.0.0/0 to the igw, and both route tables point the vpc cidr to local.

  • Create a private instance in the private subnet:

I used default settings except I selected the private subnet, did not assign a public IP, and used a custom securty group (troubleshooting-sg), which should allow everything (just to rule out the sg).

troubleshooting-sg:

enter image description here enter image description here

  • Create the NAT Instance:

I launch this instance in the public subnet, with AMI (Amazon Linux 2023 AMI 2023.1.20230705.0 x86_64 HVM kernel-6.1).

I set Auto-assign public IP to true.

I use the troubleshooting-sg.

Upon creation I disable destionation/source checking in the networking configuration (this cannot be disabled in the creation panel, or I could not find it).

enter image description here

I ssh into the NAT instance in order to configure iptables. I run the following commands:

sudo yum update -y
sudo sysctl -w net.ipv4.ip_forward=1
sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo yum install -y iptables-services
sudo systemctl enable iptables.service
sudo systemctl start iptables.service

enter image description here

The NAT instance configuration is done.

  • Update the private route table to point to the NAT instance.

enter image description here

0.0.0.0/0 should be routed to the NAT instance.

Testing:

I ssh into the NAT instance. Internet access is verified.

From the NAT instance I ssh into the private instance using ssh keys.

From this instance I don't have internet access:

enter image description here

Just for reference, If I remove the NAT instance from the private route table I get the following:

enter image description here

I am not really sure how to continue. It seems the problem is the configuration for the NAT instance, but I have followed (I think) all necessary steps.

I would love some ideas on how to further troubleshoot this.

Thanks!

lobis
  • 31
  • 2
  • Use a NAT gateway rather than a NAT instance. They cost more, but for learning it's much simpler. You'll need a separate route table for public and private subnets, private subnet route table routes 0.0.0.0/0 to NAT gateway, public subnet route table routes 0.0.0.0/0 to internet gateway. – Tim Jul 18 '23 at 21:57
  • You seem to be doing everything right (private Route Table pointing to NAT Instance, turning off Source/Dest Check). Are you sure the 'commands' are correctly creating a NAT Instance. I see it is mostly similar to the script shown on [NAT instances - Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html), but _perhaps_ it isn't doing what's expected? – John Rotenstein Jul 18 '23 at 23:08
  • I know using a NAT gateway is a better choice for a real world scenario but I wanted to check if I was able to make a NAT instance, which should be possible. I think the problem is 100% with the NAT instance, there must be something wrong with it, but I cannot find out what, or how to troubbleshoot it. I endeed up using a different solution for the problem the NAT instance would solve, but I still would love to be able to create the NAT instance. – lobis Jul 19 '23 at 06:09
  • I haven't used a NAT instance in many years. I vaguely recall you should use a particular instance made for that function. I could be wrong. – Tim Jul 19 '23 at 08:11

1 Answers1

1

Mostly looks OK, the only obvious issues I see here are that the following commands:

sudo sysctl -w net.ipv4.ip_forward=1
sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Won't survive a reboot. Further, enabling/starting the iptables service will probably have deleted any iptables commands you entered manually - you can check with:

sudo iptables -L

And check the forwarding with

cat /proc/sys/net/ipv4/ip_forward

Once you have the iptables config working, then I believe the command to save the settings is:

iptables-save > /etc/sysconfig/iptables

For the sysctl stuff, add a new file in /etc/sysctl.d/ (see /etc/sysctl.conf for syntax)

symcbean
  • 21,009
  • 1
  • 31
  • 52