6

I'm confused about Internet Gateways in AWS. If the documentation says that in order for your VPC to access the internet you need an IGW, why then, when you create an EC2 instance with an EIP, do you automatically have access to the internet?

I then have this question that I haven't been able to answer:

Why then, when you create an EC2 instance (which is created in the default VPC) in AWS and assign it an Elastic IP, do you automatically have access to the internet, if the AWS documentation says that in order for your VPC to have access to the internet you need an Internet Gateway?

VaTo

2 Answers

6

A VPC requires an Internet Gateway (IGW) to communicate with the internet. A Virtual Private Gateway (VPN endpoint) can let you communicate with other networks such as corporate networks via a VPN, which could potentially give you an internet connection. VPC endpoints and PrivateLink give you other limited connectivity, such as private connectivity to S3, which usually goes over the Internet.

You can have a public IP address auto assigned without having an internet gateway. If you try to assign an Elastic IP to your instance when the VPC doesn't have an Internet Gateway it won't let you - the error message is

Network vpc-05054501693f2f5fb is not attached to any internet gateway

If you try to detach an internet gateway from a VPC that has an instance with an EIP you get this error message.

[Image: Detach Error]

I just tested all this to be double sure. It only took ten minutes to create a VPC and mess around a bit. That's the great thing about cloud / AWS, it's generally easy to work things out by trying them. It probably cost me $0.05.

Tim
3

To access the internet directly from an instance inside a VPC you need:

  1. An internet gateway (IGW) attached to the VPC
  2. A subnet with a route table that has a default route (0.0.0.0/0) via the IGW (known as a 'public subnet')
  3. A public IP or an Elastic IP attached to the instance (note you don't need an Elastic IP to access the internet, instances can have dynamic non-elastic IPs)
  4. A Security Group attached to the instance that allows the outbound traffic (which it does by default)
  5. Network ACLs associated with the subnet which allow the traffic (which they do by default)

These five points are a nice checklist to run through if you ever have issues with direct internet connectivity to an instance in a public subnet.

Note that in your question you mentioned deployment to the 'default VPC' - the default VPC already has an internet gateway and subnets with an appropriate route table setup - so you would not have needed to configure one.

You can also access the internet indirectly from a 'private subnet' - that is, a subnet which does not have a default route via the IGW. There are many ways to do this, but one typical way is to deploy a NAT Gateway service into a separate public subnet (i.e. a subnet with a route table that does have a default route via the IGW), then define a new route table for your private subnet with a default route (0.0.0.0/0) via the NAT Gateway. This then allows outbound access to the internet, not directly but via the NAT Gateway. Instances in the private subnet don't have a public or elastic IP at that point at all.

More details can be found here: Internet Gateways

And here: NAT Gateways

Alex Moore
    I understand your answer and that's why I'm confused. This is where I have the confusion: When I create an EC2 Instance according to what you are saying there's already an IGW attached to that default VPC. Then, this means that ONLY when I create MY OWN VPC is where I won't get an IGW automatically connected to that VPC and then in order for that newly created VPC to be able to access the internet, I will have to attach an IGW? Is this assumption correct? – VaTo Sep 02 '18 at 17:45
  • 1
    Also another question: I think IGWs also perform NAT, if I'm not mistaken, so in that case why would you need a NAT Gateway? – VaTo Sep 02 '18 at 17:47
  • 1
    Exactly, a VPC you create won't have an IGW by default, you need to create one. It is perfectly possible to have a VPC with resources that don't use an IGW. For example they might only use a VPN Gateway or use VPC peering to route out via another VPC, or even use Direct Connect (a physical connection to AWS). – Alex Moore Sep 02 '18 at 18:14
  • 1
    An IGW does perform a form of 1-to-1 NAT to public IPs that are mapped to instances - search for the term NAT on the internet gateways page. However, when you have a *private* subnet, that is one that does not have a route via an IGW - typically these are used for instances that should not be directly connected to from outside AWS (a backend server for example) - you may still want such a setup to allow outbound access (for example to download updates), then you can use a NAT Gateway in a public subnet and set your route from the private subnet to go to the internet via the NAT gateway. – Alex Moore Sep 02 '18 at 18:14
  • 1
    Technically there is nothing stopping you just using public subnets everywhere - after all, security groups protect you. However, by using a private subnet, even if you accidentally opened up the security group, there is no way for external access into that subnet from outside AWS directly, so it's an extra layer of protection. Have a look here: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html – Alex Moore Sep 02 '18 at 18:14
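The five-point checklist in the answer above, and the public-subnet versus private-subnet-with-NAT distinction from the comments, as an added example that is not part of the original post: a small offline evaluator over dicts shaped like boto3 `describe_*` responses. The VPC, subnet, gateway and instance values are constructed for the example (not a real account), and the security group and NACL checks are simplified to "is there an allow-all egress rule".

```python
# Added example (not from the original post): the answer's five-point checklist
# evaluated offline over dicts shaped like boto3 ec2 describe_* responses.
def subnet_route_table(route_tables, subnet_id, vpc_id):
    """Explicit subnet association wins; otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for a in rt.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return rt
            if a.get("Main") and rt["VpcId"] == vpc_id:
                main = rt
    return main

def nacl_allows_egress(nacl):
    """NACL entries apply lowest RuleNumber first (simplified: 0.0.0.0/0 entries only)."""
    for e in sorted(nacl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] and e["CidrBlock"] == "0.0.0.0/0":
            return e["RuleAction"] == "allow"
    return False

def internet_path(inst, igws, route_tables, sg, nacl):
    """Return (path, problems): path is 'direct' (via IGW), 'nat' or None."""
    problems, vpc = [], inst["VpcId"]
    if not any(a["VpcId"] == vpc for g in igws for a in g["Attachments"]):
        problems.append("1: no IGW attached to VPC")
    rt = subnet_route_table(route_tables, inst["SubnetId"], vpc) or {}
    target = next((r.get("GatewayId") or r.get("NatGatewayId") for r in rt.get("Routes", [])
                   if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if target is None:
        problems.append("2: subnet route table has no 0.0.0.0/0 route")
    via_igw = bool(target and target.startswith("igw-"))
    if via_igw and not inst.get("PublicIpAddress"):  # only a direct path needs a public IP
        problems.append("3: instance has no public or elastic IP")
    if not any(p["IpProtocol"] == "-1" and "0.0.0.0/0" in [r["CidrIp"] for r in p["IpRanges"]]
               for p in sg["IpPermissionsEgress"]):
        problems.append("4: security group has no allow-all egress rule")
    if not nacl_allows_egress(nacl):
        problems.append("5: network ACL denies egress")
    path = "direct" if via_igw else "nat" if target and target.startswith("nat-") else None
    return (None if problems else path), problems

# Constructed sample: public subnet has its own table via the IGW; the private subnet
# falls back to the main table, which routes 0.0.0.0/0 via a NAT Gateway.
IGWS = [{"Attachments": [{"VpcId": "vpc-example"}]}]
ROUTE_TABLES = [
    {"VpcId": "vpc-example", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"VpcId": "vpc-example", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}]
SG = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
NACL = {"Entries": [{"RuleNumber": 100, "Egress": True, "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"}]}
PUBLIC = {"VpcId": "vpc-example", "SubnetId": "subnet-public", "PublicIpAddress": "203.0.113.10"}
PRIVATE = {"VpcId": "vpc-example", "SubnetId": "subnet-private"}
```

Running `internet_path(PUBLIC, ...)` yields the direct path and `internet_path(PRIVATE, ...)` the NAT path; removing the IGW or the public IP surfaces the corresponding numbered checklist item, which is the order in which you would debug a real instance.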