
I am looking for a best practice to set up a reverse proxy providing access to a private instance (for example a web server).

I thought it would be possible to do this:

  • create a VPC with one private subnet

  • launch the reverse proxy instance, give it two NICs, one in the private subnet, one with the auto-assigned public IP

  • launch the web server instance in the private subnet

This is not possible because the auto assigned public IP can't be assigned to a NIC.

Then, I found an article outlining Amazon's recommended practice to do this.

  • Set up a VPC with one public and one private subnet, with corresponding security groups and an elastic IP with a NAT gateway
  • Launch the instances, the reverse proxy in the public, the other server in the private subnet
  • The NAT gateway connects the public and private subnet

I do not understand what I need the NAT gateway and EIP for in this scenario. With a machine with an auto-assigned public IP and a NIC in the private subnet this should work as well, shouldn't it?

What is your best practice to do this in AWS?

valh
  • You **always** need either a NAT Gateway (which always requires an EIP) or NAT Instance any time you have an instance on a private subnet that needs to fetch **anything** from the Internet, such as downloading patches or even keeping the system clock accurate with ntpd. Explained in detail in [Why Do We Need Private Subnets in VPC?](http://stackoverflow.com/a/22212017/1695906) – Michael - sqlbot Mar 15 '17 at 17:06
  • I don't think you've properly understood best practice in that linked document. NAT gateways are for traffic outgoing to the internet, subnets are connected by routing. – Tim Mar 15 '17 at 17:59
  • @Michael-sqlbot thanks for the clarification! So in theory I could set up a NAT instance instead of a NAT gateway and only start it up when my private system downloads updates right? That would be a lot cheaper than having the NAT gateway running 24/7 as far as I understood from the AWS pricing list – valh Mar 16 '17 at 09:10
  • Technically, yes, but you can build a NAT instance on a t2.nano and leave it running 24/7 for about $5/mo. And you don't need 2 NICs on the reverse proxy... I think you are lacking some info on how networking works in VPC. As mentioned at the link, above, machines with public IP addresses don't actually have their public IP bound to their network stack -- the Internet Gateway maps the public IP onto the instance's private IP. – Michael - sqlbot Mar 16 '17 at 10:58

1 Answer


A NAT instance is only useful for allowing a private instance to initiate outbound connections to the internet.

What you are looking for is an AWS Application Load Balancer or AWS Elastic Load Balancer that lives in your public subnet. It would have public IPs. Your webserver would be attached to the load balancer, and the load balancer would proxy the traffic back to your instance.

Jason Martin
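The layout the answer describes, written out as Terraform so the roles of the IGW, the NAT gateway and the security groups are visible. This is an added example, not code from the question or the answer; the region, CIDRs, instance type and the `web_ami` variable are assumptions. A Classic ELB is used only to keep the example short; an Application Load Balancer needs two public subnets, a target group and a listener resource, but the routing and security-group layout is the same.

```hcl
provider "aws" {
  region = "eu-west-1" # assumption; use your own region
}
variable "web_ami" {} # assumption: AMI of the web server you launch

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
# The IGW is the VPC's only path to the Internet; it maps a public IP onto an
# instance's private IP, so a public IP is never bound on the instance's NIC.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = true
}
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24" # no public IPs, no route to the IGW
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# NAT gateway (with its mandatory EIP) in the public subnet. Only connections the
# private instance initiates (updates, NTP) use it; inbound traffic never does,
# and the two subnets already reach each other via the VPC's local route.
resource "aws_eip" "nat" {}
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
}
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
# The load balancer accepts HTTP from anywhere; the web server accepts HTTP only
# from the load balancer's security group, so nothing else can reach it directly.
resource "aws_security_group" "elb" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.elb.id]
  }
  egress { # outbound only, and it leaves via the NAT gateway
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_instance" "web" {
  ami                    = var.web_ami
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.private.id
  vpc_security_group_ids = [aws_security_group.web.id]
}
resource "aws_elb" "front" {
  subnets         = [aws_subnet.public.id]
  security_groups = [aws_security_group.elb.id]
  instances       = [aws_instance.web.id]
  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
}
```

A quick check that makes the answer's point concrete: remove `aws_eip.nat`, `aws_nat_gateway.nat` and the `0.0.0.0/0` route in the private route table, and requests through the load balancer still reach the web server, because the ELB forwards over the VPC's local route, not through NAT. What stops working is only what the instance itself opens to the Internet, such as package updates and NTP. The second thing to confirm in a real deployment is that the private subnet's route table has no `gateway_id` route at all, since a stray IGW route plus a public IP would turn the "private" instance into a public one.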