An Internet gateway serves two purposes: to provide a target in your VPC route tables for Internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

If the instances mentioned above have public IPv4 addresses, why does the Internet Gateway need to perform Network Address Translation? It would be great to have an example of a network flow that would be broken for a scenario with

  • VPC subnet with Internet Gateway attached
  • instances in that VPC subnet with IP addresses (Elastic IPs in AWS VPC parlance) in the public IP address space
  • hosts on the Internet unable to send packets to these instances without the Internet Gateway performing NAT

yangmillstheory

2 Answers

Despite the EC2 instance (or, to be specific, the ENI associated with that EC2 instance) having an associated public IP address, it is not aware of it!

This is from the same URL that was shared in the original link: "Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet."

This means all network traffic going out of / coming in to the ENI is via the private IP address.

If you look at the diagram on the same page, you will see a router. This router

  • Does routing within VPC across all its subnets
  • Does routing to Internet gateway

The EC2 instance/ENI will interact with this router.

After the router directs traffic to the Internet Gateway (IGW): the IGW has a mapping of (public IP - private IP) for the EC2 instances within that VPC.

Steps of an EC2 instance sending traffic to the Internet:

  • The EC2 instance with private IP 10.0.1.1 sends a request to google.com (curl google.com) or tries to access a public AWS construct like S3
  • Let's assume that this is a public subnet, so the router associated with this subnet will forward this traffic via the default route (0.0.0.0/0) to the IGW
  • The IGW looks up its internal table (private IP: public IP) and does the NAT translation using that table.

I would have liked to describe your scenario, but I did not understand why the IGW would not perform NAT.

Aniket Chopade

The instance side of an ENI only has a private address. Public addresses are done by associating an Elastic IP or assigning a public address. Mapping of these public addresses comes from the NAT functionality of the Internet Gateway.

Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet. The Internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the Internet, the reply address field is set to the public IPv4 address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that's destined for the public IPv4 address or Elastic IP address of your instance has its destination address translated into the instance's private IPv4 address before the traffic is delivered to the VPC.

Quote from the same documentation linked in the question.

The flow for inbound traffic is Public Address -> Internet Gateway -> Private Address.

If the hosts are in a subnet without a route table that has a default route defined through the IGW, then the instance will not be able to return traffic.

Steve Buzonas
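As an added worked example (not code from either answer, from AWS, or from the linked documentation), the following Python models the behaviour both answers describe: a VPC router doing longest-prefix lookup over a subnet route table, and the IGW's one-to-one private/public mapping applied as source NAT on egress and destination NAT on ingress. The addresses, the mapping table and the two route tables are constructed sample values; it shows why an instance in a subnet with no 0.0.0.0/0 route to the IGW can receive a packet sent to its Elastic IP but cannot answer it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values (not from a real VPC): one Elastic IP mapping, two route tables.
IGW_MAP = {"10.0.1.1": "203.0.113.10"}            # private IP -> public IP
REVERSE_MAP = {pub: priv for priv, pub in IGW_MAP.items()}
ROUTE_TABLES = {
    "public-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    "private-subnet": [("10.0.0.0/16", "local")],  # no default route to IGW
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def next_hop(subnet: str, dst: str) -> "str | None":
    """Longest-prefix match over the subnet's route table; None if no route."""
    addr, best = ip_address(dst), None
    for cidr, target in ROUTE_TABLES[subnet]:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def egress(subnet: str, pkt: Packet) -> "Packet | None":
    """Instance -> VPC router -> IGW: 1:1 source NAT, or None if undeliverable."""
    hop = next_hop(subnet, pkt.dst)
    if hop == "local":                  # stays inside the VPC, no translation
        return pkt
    if hop != "igw" or pkt.src not in IGW_MAP:
        return None                     # no route to IGW, or no public IP mapped
    return Packet(src=IGW_MAP[pkt.src], dst=pkt.dst)

def ingress(pkt: Packet) -> "Packet | None":
    """Internet -> IGW -> VPC: public destination rewritten to the private IP."""
    private = REVERSE_MAP.get(pkt.dst)
    return Packet(src=pkt.src, dst=private) if private else None

def outbound_session(subnet: str, private_ip: str, remote: str) -> bool:
    """Instance initiates (curl to a public host); True if the reply gets back."""
    req = egress(subnet, Packet(private_ip, remote))
    reply = ingress(Packet(src=remote, dst=req.src)) if req else None
    return reply is not None and reply.dst == private_ip

def inbound_session(subnet: str, remote: str, public_ip: str) -> bool:
    """Internet host initiates toward the Elastic IP; True if the reply leaves."""
    req = ingress(Packet(src=remote, dst=public_ip))
    reply = egress(subnet, Packet(src=req.dst, dst=remote)) if req else None
    return reply is not None and reply.src == public_ip
```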