
I am currently using an IGW in AWS in order to connect Flask EC2s to outer API requests. I want to secure those servers from now on,

meaning - moving them into private-IP EC2s and still getting API requests from outside.

I have tried using a NAT GW in order to communicate with a private IP, but I see it is working only from inside to the internet and not the other way around.

How can I use a NAT GW for both directions (or any other solution for that matter), keeping the security of a private IP and two-way internet communication?

Yuval Ezrati

2 Answers


NAT Gateways do not allow inbound traffic into them (they're designed for allowing a private instance to connect to the internet).

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.

If you want to allow inbound communication to an instance that has only a private IP, the following should be performed:

  • For application ports (such as 80 and 443), allow public inbound access by putting a public load balancer in front of your application.
  • For management ports (such as 22 and 3389), connect either via a VPN connection/Direct Connect connection, or use a Bastion/Jump server in a public subnet to hop into your hosts (avoid this option if possible).
Chris Williams
  • Just to understand clearly - if I put a NAT GW in place and open the same instance to a public LB, will it work both ways? – Yuval Ezrati Jul 26 '20 at 08:31
  • Yes, people would communicate with the load balancer to speak HTTP/HTTPS inbound, and then your instance would speak outbound using the NAT. – Chris Williams Jul 26 '20 at 08:34
  • 2
    To be clear, you don't need the NAT at all for users to communicate with your app through the public load balancer. The NAT would only be used in that instance for anything your servers need to access outside the VPC, such as to download Linux updates or something. – Mark B Jul 26 '20 at 13:45

NAT is used for outbound traffic to the public internet.

For public inbound traffic, use a load balancer with a publicly open security group, and add an inbound rule on the API server that allows traffic from the load balancer's security group. Then the API server can only be reached from the public internet through the load balancer.

Lamanus
  • If I have a couple of servers on a couple of IP addresses, do I need a load balancer for each server? – Yuval Ezrati Jul 27 '20 at 09:05
  • You just need a couple of target groups, not a load balancer each. You can split the targets by host header, port, and so on. Create the listener and connect it to the target group which contains the instances that you want. – Lamanus Jul 27 '20 at 14:09
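The layout both answers describe, written out as Terraform. This is an added example, not code from the question or from either answer. It assumes an existing VPC with one private subnet and two public subnets (an ALB needs subnets in at least two AZs), an existing EC2 instance in the private subnet running Flask on port 5000, an ACM certificate for the listener, and AWS provider v5 (the `domain = "vpc"` form of `aws_eip`); the variable names, the port, and the `/health` path are all assumptions.

```hcl
# Added example: private Flask instance, public ALB in front, NAT gateway for egress.
variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) } # >= 2 AZs for the ALB
variable "private_subnet_id" { type = string }
variable "api_instance_id"   { type = string }       # existing Flask instance
variable "certificate_arn"   { type = string }       # ACM cert for the listener

# Outbound only: NAT gateway in a public subnet, default route for the private subnet.
# Nothing here lets the internet initiate a connection to the instance.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "egress" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_ids[0]
}

resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# Inbound: the only thing exposed to the internet is the load balancer, on 443.
resource "aws_security_group" "alb" {
  name   = "flask-alb"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The instance accepts its app port only from the ALB's security group, not from
# any CIDR. Attach this SG to the instance (vpc_security_group_ids).
resource "aws_security_group" "api" {
  name   = "flask-api"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 5000
    to_port         = 5000
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # leaves via the NAT gateway
  }
}

resource "aws_lb" "public" {
  name               = "flask-public"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids
  security_groups    = [aws_security_group.alb.id]
}

resource "aws_lb_target_group" "api" {
  name        = "flask-api"
  port        = 5000
  protocol    = "HTTP"
  target_type = "instance"
  vpc_id      = var.vpc_id
  health_check {
    path = "/health" # assumed endpoint on the Flask app
  }
}

resource "aws_lb_target_group_attachment" "api" {
  target_group_arn = aws_lb_target_group.api.arn
  target_id        = var.api_instance_id
  port             = 5000
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.public.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}
```

Two checks after `terraform apply`: the instance should have no public IP and its route table's default route should point at the NAT gateway, and `curl` against the instance's private IP from outside the ALB's security group should time out, while `curl https://<alb-dns-name>/` succeeds. As Mark B's comment notes, the NAT gateway plays no part in the inbound path; deleting it breaks only what the instance itself initiates (package updates, outbound API calls). For a second service behind the same ALB, add a second `aws_lb_target_group` and an `aws_lb_listener_rule` with a `host_header` condition, as the second answer's comment describes; no second load balancer is needed.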