
Our aim is to get our Elastic Beanstalk setups to route traffic through a NAT gateway, as we require this for certain traffic connecting to APIs that require IP whitelisting. Rather than make modifications to the current setup, I have created a separate/isolated VPC and EC2 instance to familiarise myself with and test the setup. However, I am yet to get the setup working as desired.

Here is the setup

  • VPC (vpc-77049811) with CIDR of 10.0.0.0/16
  • Internet gateway (igw-4d4b212a) assigned to mentioned VPC
  • Subnet (subnet-096d8a53) with CIDR of 10.0.1.0/24
  • NAT Gateway (nat-00bb49204627de7e6) attached to mentioned subnet and assigned Elastic IP
  • Route table attached to mentioned VPC and associated with mentioned subnet
  • 1x EC2 Instance assigned to VPC and its own Elastic IP and Disabled Source/Destination Check

Route Table Setup

10.0.0.0/16     local
0.0.0.0/0       igw-4d4b212a

With the above setup, I am able to log into the server and make a curl request to get the server's public IP address (curl icanhazip.com). As soon as I add a rule to the route table for the URL's resolved IPs to route through the NAT gateway, though, I am unable to ping or make the curl request, as it times out.

Rules added to the route table which do not work

45.63.64.111/32     nat-00bb49204627de7e6
144.202.71.30/32    nat-00bb49204627de7e6

Not sure if I've overlooked something here or maybe I have misunderstood the concept and use cases for the NAT gateway?

synkyo

2 Answers

This is the public IP 45.63.64.111. You need an IGW to reach this IP.

  1. You either do that by directly redirecting your traffic to IGW OR
  2. You do that by directing to NAT then further directing that traffic to IGW

The directing-to-IGW part is missing.

A NAT gateway is used for EC2 instances in private subnets (which do not have an IGW attached). In the scenario above, the EC2 instance is in a public subnet, so ideally it does not need NAT.

Here is what I would do to use NAT:

  1. Place the EC2 instance in a private subnet, and have a route table that sends all outgoing traffic to the NAT gateway.
  2. The NAT gateway, which is in the public subnet, will forward your traffic to the IGW.

Aniket Chopade
  • I tried placing the EC2 instances in a private subnet with the route table rules and the NAT gateway, and I could confirm that the traffic was routed via the NAT; however, these EC2 instances were not accessible when I added them to a load balancer. I need to be able to have all traffic (or just certain IPs) for the EC2 instances routed via NAT, but still have these EC2 instances publicly accessible via a load balancer. Any ideas? – synkyo Apr 16 '18 at 12:19
  • Because of the local route in each routing table, the load balancer should be able to connect to the instance. The only thing that might prevent that would be security group rules. – chris Apr 17 '18 at 01:48
  • The instance shows as InService and the ELB and EC2 are both using the same security group which allows all traffic in and out from any source. – synkyo Apr 17 '18 at 08:02
  • Okay, then the next step would be to check the load balancer's access logs. This will show whether your requests were rejected by the ELB or the EC2 instance. Also, please inspect your Security Groups and NACLs carefully. – Aniket Chopade Apr 18 '18 at 02:31
  • I enabled and checked the ELB logs and saw no requests were coming through. So I focused on looking at the ELB, and it turns out the ELB was actually inside a private subnet: when you create an ELB it asks which subnets you wish to route traffic to, and I had not realised it does not ask you which subnet/Availability Zone to place the ELB in and actually places it inside one of the subnets selected for routing. – synkyo Apr 19 '18 at 09:06
  • So to resolve this I created a new ELB and selected a public subnet to route traffic to. Then I went back to modify the ELB, changed the availability zones to the private subnets and enabled Cross-Zone Load Balancing, and then added the EC2 instances within the private subnet, and now everything works! – synkyo Apr 19 '18 at 09:07

It seems like you have misunderstood the purpose of a NAT.

Its purpose is to provide outbound internet access to instances in a private subnet without allowing any inbound connectivity - i.e. a subnet where the routing table does NOT have an entry for:

0.0.0.0/0       igw-4d4b212a

If you want to restrict access from your EC2 instance to specific IP addresses, put your NAT in the public subnet, create a private subnet, and put your instance in the private subnet. Then add the two routes to the route table associated with the private subnet:

45.63.64.111/32     nat-00bb49204627de7e6
144.202.71.30/32    nat-00bb49204627de7e6

If you simply want to restrict access of your EC2 instance to a couple of IP addresses, you can create routes only for those addresses:

45.63.64.111/32     igw-4d4b212a
144.202.71.30/32    igw-4d4b212a

Be aware that with this last option, your instance can be reached from the internet if you have rules open in your security groups.

chris
  • I tried your first solution, which did work; however, these are web nodes which need to be part of a load-balanced environment. When I add these nodes to the load balancer, they are inaccessible, which of course makes sense due to the route tables. Are you able to offer any further advice/solutions on how I can have all outgoing traffic from the servers inside the private subnet routed via the NAT (or just the traffic for the 2 IPs), yet still have the nodes publicly accessible via a load balancer? – synkyo Apr 16 '18 at 12:07
  • I forgot to mention that with the route table rules in the private subnet, I set the rule to 0.0.0.0/0 nat-00bb49204627de7e6 instead of specifying the 2 IPs. – synkyo Apr 16 '18 at 12:16
  • Is it possible to create an architecture where the target IP is dynamic? I am talking about IP restrictions for Google API keys, for example: I need a static IP, but the issue is that Google servers' IPs are not static. Can this work with a NAT Gateway, or is there another solution? – Paganel Oct 24 '18 at 17:04
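To show why the asker's /32 routes time out and why both answers move the instance into a private subnet, here is an added Python model (not code from the question or either answer) that resolves routes the way a VPC does, longest prefix first, and re-resolves a packet in the NAT gateway's own subnet; it reuses the identifiers from the question, and the private subnet id is a constructed placeholder.

```python
import ipaddress

# Identifiers copied from the question; the private subnet id is a constructed placeholder.
IGW = "igw-4d4b212a"
NAT = "nat-00bb49204627de7e6"
PUBLIC = "subnet-096d8a53"
PRIVATE = "subnet-private-placeholder"

def lookup(table, dst):
    """VPC-style longest-prefix match over a list of (cidr, target) routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "blackhole"

def egress_path(tables, nat_subnet, src_subnet, dst, max_hops=4):
    """Follow an outbound packet hop by hop. A NAT gateway re-sends the packet
    using its own subnet's route table, so that table is consulted next. The
    path ends at the IGW on success, or in 'loop'/'blackhole' when it cannot leave."""
    path, subnet = [], src_subnet
    for _ in range(max_hops):
        target = lookup(tables[subnet], dst)
        if target == NAT and NAT in path:   # NAT's own subnet routes back to the NAT
            return path + ["loop"]
        path.append(target)
        if target != NAT:                   # igw, local or blackhole: resolution is done
            return path
        subnet = nat_subnet
    return path + ["loop"]

def reachable_from_internet(table):
    """Inbound exposure requires a route to the IGW (plus a public IP and an open SG)."""
    return any(target == IGW for _, target in table)

# The asker's setup: instance and NAT share the public subnet, and the /32 routes
# point at the NAT, so the NAT's own route table hands the packet back to the NAT.
broken = {PUBLIC: [("10.0.0.0/16", "local"), ("0.0.0.0/0", IGW),
                   ("45.63.64.111/32", NAT), ("144.202.71.30/32", NAT)]}
# Both answers' layout: instance in a private subnet that defaults to the NAT,
# NAT in the public subnet, which still defaults to the IGW.
fixed = {PUBLIC: [("10.0.0.0/16", "local"), ("0.0.0.0/0", IGW)],
         PRIVATE: [("10.0.0.0/16", "local"), ("0.0.0.0/0", NAT)]}

if __name__ == "__main__":
    print(egress_path(broken, PUBLIC, PUBLIC, "45.63.64.111"))  # [NAT, 'loop']
    print(egress_path(fixed, PUBLIC, PRIVATE, "45.63.64.111"))  # [NAT, IGW]
    print(reachable_from_internet(fixed[PRIVATE]))              # False
```

The private-subnet table has no IGW route, so the instance keeps a NAT-only egress path and no direct inbound exposure, which is why the load balancer must sit in the public subnet as the asker found.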