Setting up a NAT Gateway for a secured WordPress environment on AWS (a two-tier VPC for companies).

NAT gateway rules and limitations

  • A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. If you require more, you can distribute the workload by splitting your resources into multiple subnets, and creating a NAT gateway in each subnet.
  • You can associate exactly one Elastic IP address with a NAT gateway. You cannot disassociate an Elastic IP address from a NAT gateway after it’s created. To use a different Elastic IP address for your NAT gateway, you must create a new NAT gateway with the required address, update your route tables, and then delete the existing NAT gateway if it’s no longer required.
  • A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
  • You cannot associate a security group with a NAT gateway. You can use security groups for your instances in the private subnets to control the traffic to and from those instances.
  • You can use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located. The network ACL applies to the NAT gateway’s traffic. A NAT gateway uses ports 1024–65535. For more information, see Network ACLs.
  • When a NAT gateway is created, it receives a network interface that’s automatically assigned a private IP address from the IP address range of your subnet. You can view the NAT gateway’s network interface in the Amazon EC2 console. For more information, see Viewing details about a network interface. You cannot modify the attributes of this network interface.
  • A NAT gateway cannot be accessed by a ClassicLink connection that is associated with your VPC.
  • You cannot route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections.
  • A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT gateways using Amazon CloudWatch.
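Two of the rules above matter most when a NAT gateway "mysteriously" drops traffic: it has no security group, so the only filter in front of it is the network ACL of its subnet, and it sources return traffic on ports 1024–65535. A network ACL that only opens the Linux-style ephemeral range (32768–65535) will silently drop part of the NAT return traffic. The following added example (not part of the original post) evaluates NACL entries the way AWS does, ascending rule number with first match winning and an implicit final deny, and reports which ephemeral ports the NACL on a NAT subnet would block. The entries are constructed sample data in the shape of EC2 `DescribeNetworkAcls` (boto3: `ec2.describe_network_acls()["NetworkAcls"][i]["Entries"]`); the remote IP 203.0.113.10 is a documentation address and an assumption.

```python
"""Check that the network ACL on a NAT gateway's subnet allows NAT traffic.

Added example. The NACL entries below are constructed sample data in the
shape returned by EC2 DescribeNetworkAcls; nothing here calls AWS.
"""
import ipaddress

EPHEMERAL_PORTS = range(1024, 65536)  # ports a NAT gateway uses for return traffic


def _compile(entries):
    """Sort entries by rule number and pre-parse CIDR / port range once."""
    rules = []
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        pr = e.get("PortRange")  # absent for "-1" (all traffic) and ICMP entries
        rules.append((
            e["Egress"],
            e["Protocol"],
            ipaddress.ip_network(e.get("CidrBlock") or e.get("Ipv6CidrBlock")),
            (pr["From"], pr["To"]) if pr else (0, 65535),
            e["RuleAction"] == "allow",
        ))
    return rules


def _decide(rules, egress, protocol, port, remote_ip):
    """First matching rule in ascending order decides; no match means deny."""
    ip = ipaddress.ip_address(remote_ip)
    for r_egress, r_proto, r_net, (lo, hi), r_allow in rules:
        if r_egress != egress or ip not in r_net:
            continue
        if r_proto != "-1" and r_proto != protocol:
            continue
        if not (lo <= port <= hi):
            continue
        return r_allow
    return False  # the implicit '*' rule (32767) denies everything else


def nacl_allows(entries, egress, protocol, port, remote_ip):
    """Does this NACL allow one flow? protocol is the IANA number as a string ("6" = TCP)."""
    return _decide(_compile(entries), egress, protocol, port, remote_ip)


def blocked_ephemeral_ports(entries, protocol="6", remote_ip="203.0.113.10"):
    """Inbound ephemeral ports the NACL would drop for NAT return traffic from remote_ip."""
    rules = _compile(entries)
    return [p for p in EPHEMERAL_PORTS if not _decide(rules, False, protocol, p, remote_ip)]


def nat_subnet_nacl_ok(entries, remote_ip="203.0.113.10"):
    """True if outbound TCP/443 is allowed and no inbound ephemeral port is blocked."""
    outbound_ok = nacl_allows(entries, True, "6", 443, remote_ip)
    return outbound_ok and not blocked_ephemeral_ports(entries, "6", remote_ip)


# Constructed sample: HTTP/HTTPS inbound plus only the 32768-65535 ephemeral range.
NARROW_NACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 110, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 120, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 32768, "To": 65535}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

# Constructed sample: same NACL with the inbound ephemeral rule widened to 1024-65535.
FIXED_NACL = [
    dict(e, PortRange={"From": 1024, "To": 65535})
    if e["RuleNumber"] == 120 and not e["Egress"] else e
    for e in NARROW_NACL
]

if __name__ == "__main__":
    blocked = blocked_ephemeral_ports(NARROW_NACL)
    print(f"narrow NACL blocks {len(blocked)} ephemeral ports, first {blocked[0]}")
    print("fixed NACL ok:", nat_subnet_nacl_ok(FIXED_NACL))
```

Run it against a real subnet by replacing `NARROW_NACL` with the `Entries` list of the NACL associated with the NAT gateway's subnet; a non-empty result from `blocked_ephemeral_ports` explains intermittent timeouts from instances behind the NAT gateway.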
What gets built, in order (public-subnet and private-subnet are just names):
  • Custom VPC
  • Public and private subnets
  • Internet Gateway
  • Route table for the public subnet (default route to the Internet Gateway)
  • WordPress instance in the public subnet
  • NAT Gateway in the public subnet
  • Route table associated with the private subnet (default route to the NAT Gateway)
  • MySQL instance in the private subnet
provider "aws" {
  region  = "ap-south-1"
  profile = "gaurav"
}

################ Creating VPC ##############################
resource "aws_vpc" "gaurav-vpc" {
  cidr_block           = "192.168.0.0/16"
  enable_dns_hostnames = true
  instance_tenancy     = "default"
  tags = {
    Name = "gaurav-vpc-task3"
  }
}

################ Creating Public and Private Subnet ##############################
# The public subnet gets a route to the Internet Gateway; the private subnet only
# gets a route out through the NAT Gateway and has no inbound path from the Internet.
resource "aws_subnet" "public-subnet" {
  vpc_id            = aws_vpc.gaurav-vpc.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-south-1a"
  tags = {
    Name = "public_subnet"
  }
}

resource "aws_subnet" "private-subnet" {
  vpc_id            = aws_vpc.gaurav-vpc.id
  cidr_block        = "192.168.2.0/24"
  availability_zone = "ap-south-1b"
  tags = {
    Name = "private_subnet"
  }
}

######### Creating Security Group for Public instance and Private instance ########
# WordPress tier: HTTP from anywhere. SSH from 0.0.0.0/0 is for this demo only;
# restrict the port 22 cidr_blocks to your admin IP range in production.
resource "aws_security_group" "public_subnets_wordpress_SG" {
  name        = "public_gaurav_vpc"
  description = "ssh,http"
  vpc_id      = aws_vpc.gaurav-vpc.id

  ingress {
    description = "ssh"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "http"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "public_subnets_wordpress_SG"
  }
}

# MySQL tier: only members of the WordPress security group may reach 3306 and 22.
# There is deliberately no cidr_blocks rule, so nothing outside the VPC can connect;
# outbound traffic (package updates) leaves through the NAT Gateway.
resource "aws_security_group" "private_subnets_mysql_SG" {
  name        = "private_gaurav_vpc"
  description = "mysql,ssh from the WordPress security group only"
  vpc_id      = aws_vpc.gaurav-vpc.id

  ingress {
    description     = "mysql"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.public_subnets_wordpress_SG.id]
  }

  ingress {
    description     = "ssh"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.public_subnets_wordpress_SG.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "private_subnets_mysql_SG"
  }
}

########### Creating an Internet Gateway ###########
resource "aws_internet_gateway" "gateway" {
  vpc_id = aws_vpc.gaurav-vpc.id
  tags = {
    Name = "gaurav-vpc-task3-gateways"
  }
}

########### Creating Routing table and binding it with Public Subnet ###########
resource "aws_route_table" "r" {
  vpc_id = aws_vpc.gaurav-vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gateway.id
  }

  tags = {
    Name = "public_subnets_routing_tables"
  }

  depends_on = [aws_internet_gateway.gateway]
}

resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.public-subnet.id
  route_table_id = aws_route_table.r.id
}

########### Elastic IP and NAT Gateway ###########
# The NAT Gateway needs exactly one Elastic IP, and it cannot be changed afterwards.
resource "aws_eip" "byoip-ip" {
  vpc              = true
  public_ipv4_pool = "amazon"
}

# The NAT Gateway lives in the public subnet and only works once the Internet
# Gateway is attached to the VPC, so depend on it explicitly (the EIP and subnet
# dependencies are implicit in the references).
resource "aws_nat_gateway" "gw" {
  allocation_id = aws_eip.byoip-ip.id
  subnet_id     = aws_subnet.public-subnet.id

  depends_on = [aws_internet_gateway.gateway]
}

######### Launch EC2-instance in the public subnet ######
resource "aws_instance" "instance1" {
  ami                         = "ami-0447a12f28fddb066"
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.public-subnet.id
  key_name                    = "deployer-key"
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.public_subnets_wordpress_SG.id]

  tags = {
    Name = "WordPress"
  }
}

##### Routing table for the private subnet #######
# Default route goes to the NAT Gateway. The route argument is nat_gateway_id;
# gateway_id is only for Internet Gateways and virtual private gateways and the
# API rejects a nat-* id there.
resource "aws_route_table" "route_for_nat" {
  vpc_id = aws_vpc.gaurav-vpc.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.gw.id
  }

  tags = {
    Name = "private_subnet_routing_tables"
  }

  depends_on = [aws_nat_gateway.gw]
}

######## subnet association with private subnet ###
resource "aws_route_table_association" "routetable" {
  subnet_id      = aws_subnet.private-subnet.id
  route_table_id = aws_route_table.route_for_nat.id
}

######### Launch EC2-instance in the private subnet ######
# No public IP: the only way in is SSH from the WordPress instance, and the only
# way out is through the NAT Gateway.
resource "aws_instance" "instance2" {
  ami                         = "ami-0732b62d310b80e97"
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.private-subnet.id
  key_name                    = "deployer-key"
  associate_public_ip_address = false
  vpc_security_group_ids      = [aws_security_group.private_subnets_mysql_SG.id]

  tags = {
    Name = "MySQL"
  }
}

output "public_ip" {
  value = aws_instance.instance1.public_ip
}

output "private_ip" {
  value = aws_instance.instance2.private_ip
}
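After `terraform apply`, it is worth proving that the tiers really are separated rather than trusting the plan: the private subnet's default route must point at a nat-* target and never at an igw-*, the MySQL security group must have no 0.0.0.0/0 ingress at all, and the WordPress group should expose nothing to the world beyond HTTP/HTTPS. The following added example (not from the original post) audits those invariants over data in the shape of EC2 `DescribeRouteTables` and `DescribeSecurityGroups`; with boto3 the same dicts come from `ec2.describe_route_tables()["RouteTables"]` and `ec2.describe_security_groups()["SecurityGroups"]`. The sample data below is constructed to mirror the Terraform above, and all resource IDs in it are made up. It also handles the main route table, which applies to any subnet without an explicit association.

```python
"""Audit that a public/private VPC split actually holds.

Added example with constructed sample data mirroring the Terraform above;
IDs such as igw-0abc, nat-0def, sg-wp, sg-db are made up. Nothing calls AWS.
"""

# Keys a route may use for its target, in the order we check them.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def _route_table_for(route_tables, subnet_id):
    """Explicitly associated table wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_tables, subnet_id):
    """Target id of the active 0.0.0.0/0 route for a subnet, or None if it has none."""
    rt = _route_table_for(route_tables, subnet_id)
    if rt is None:
        return None
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackhole routes do not count
            continue
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def subnet_is_private(route_tables, subnet_id):
    """Private means: no default route straight to an Internet Gateway."""
    target = default_route_target(route_tables, subnet_id) or ""
    return not target.startswith("igw-")


def world_open_ports(sg):
    """(protocol, from, to) for every ingress rule reachable from 0.0.0.0/0 or ::/0."""
    found = []
    for p in sg.get("IpPermissions", []):
        v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
        v6 = any(r.get("CidrIpv6") == "::/0" for r in p.get("Ipv6Ranges", []))
        if v4 or v6:
            # "-1" (all traffic) rules carry no ports; treat them as the full range.
            found.append((p["IpProtocol"], p.get("FromPort", 0), p.get("ToPort", 65535)))
    return found


def audit(route_tables, security_groups, public_subnet, private_subnet, db_sg_id):
    """Return a list of human-readable findings; empty means the split holds."""
    findings = []
    pub = default_route_target(route_tables, public_subnet)
    if not (pub or "").startswith("igw-"):
        findings.append(f"{public_subnet}: default route should be an Internet Gateway, got {pub}")
    priv = default_route_target(route_tables, private_subnet)
    if not (priv or "").startswith("nat-"):
        findings.append(f"{private_subnet}: default route should be a NAT Gateway, got {priv}")
    for sg in security_groups:
        for proto, lo, hi in world_open_ports(sg):
            if sg["GroupId"] == db_sg_id:
                findings.append(f"{sg['GroupId']}: database group exposes {proto} {lo}-{hi} to the world")
            elif (lo, hi) not in ((80, 80), (443, 443)):
                findings.append(f"{sg['GroupId']}: {proto} {lo}-{hi} open to the world (expected only HTTP/HTTPS)")
    return findings


# Constructed sample in DescribeRouteTables / DescribeSecurityGroups shape.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-wp", "GroupName": "public_gaurav_vpc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "GroupName": "private_gaurav_vpc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-wp"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-wp"}]}]},
]

if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, SECURITY_GROUPS, "subnet-public", "subnet-private", "sg-db"):
        print("FINDING:", line)
```

On the sample data the routes pass and the only finding is the SSH rule open to the world on the WordPress group, which is exactly the demo-only setting noted in the Terraform; an unassociated subnet falls back to the main route table and is reported as having no default route at all.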
After terraform apply:
  • WordPress and MySQL instances created.
  • VPC created.
  • Subnets created.
  • Security group with inbound rules HTTP and SSH (SSH from anywhere is for the demo; restrict it to your admin IP range in production).
  • Security group with inbound rules MySQL and SSH, both allowed only from the WordPress security group.
  • Internet Gateway created.
  • Route table for the public subnet created.
  • Route table for the private subnet created.
  • NAT Gateway created.
Practical assumptions.
Deleting the complete infrastructure.