Walkthrough setting up AWS NAT Instances: The multipurpose instance

Yes, the multipurpose instance: it can be used for NAT'ting the private subnets out to the internet, for port forwarding, as a bastion host, and as an OpenVPN host too.

We are going to see how a Linux box in a private subnet is able to reach the internet through the public IP associated with the NAT instance.

In a two-tier or three-tier architecture, the instances are secured from internet hosts, as above, by segregating them into public and private subnets. The private subnet has no internet gateway attached, so it cannot reach resources on the internet; a database server is the typical case. But these instances still need internet access to pull patches or reach other third-party sites.

AWS supports two methods of NAT'ting, NAT Gateway and NAT Instance; see the comparison linked here.

  1. Create a custom VPC with a public and a private subnet.
  2. Create an instance for NAT using Amazon Linux in the public subnet, with a new security group.
  3. Attach an Elastic IP to the NAT instance.
  4. Create a Linux instance in the private subnet.

Setting up NAT Instance

  1. In the AWS console, select the NAT instance and disable the source/destination check.
Click on Yes, Disable.

2. SSH into the NAT instance and enable IP forwarding by setting it to 1 in /etc/sysctl.conf.

vi /etc/sysctl.conf

Reboot the instance, or run sysctl -p, for the setting to apply.

3. Add a POSTROUTING rule to iptables so that traffic from the private subnet is masqueraded behind the NAT instance's address:

iptables -t nat -A POSTROUTING -o eth0 -s <private-subnet-cidr> -j MASQUERADE

Replace <private-subnet-cidr> with the CIDR of your own private subnet (the original command's subnet argument was not captured); without a -s argument the rule would masquerade traffic from any source.
Verify the rule is listed in the nat table's POSTROUTING chain.

4. Set up the security group of the NAT instance:

Add an inbound rule allowing the security group (or the specific server IPs) of the private subnet instances that require outbound traffic to the internet.

The Linux box's security group is added as an inbound source on the NAT instance's security group.

5. Create a custom route for the private subnet to route traffic through the NAT instance:

Under VPC > Route Tables, create a new route table for NAT in the custom VPC you created,

~ Add a route with the NAT instance as the target

~ Add the private subnet under subnet associations so its traffic uses this route table.

6. Almost done :) !! Log in to the Linux box in the private subnet

~ The Linux box has only a private IP

~ Ping google.com: it is reachable, so the box has internet access through the NAT instance

~ Run a traceroute to verify the path: the first hop is the NAT instance's IP, confirming that traffic is routed through it.
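Steps 2 and 3 above, put together as an added example (not code from the original post): the script enables IP forwarding persistently, validates the private subnet CIDR before it reaches iptables, and adds the MASQUERADE rule only if it is not already present, so re-running it after a reboot never duplicates the rule. The public interface eth0 and the subnet 10.0.1.0/24 are constructed defaults for the example; override them with PUBLIC_IF and PRIVATE_CIDR.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed defaults (constructed):
# public interface eth0, private subnet 10.0.1.0/24.
PUBLIC_IF="${PUBLIC_IF:-eth0}"
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.1.0/24}"

# Reject anything that is not dotted-quad/prefix. A missing or malformed "-s"
# argument would otherwise masquerade traffic from any source.
valid_cidr() {
  case "$1" in
    ""|*[!0-9./]*) return 1 ;;
  esac
  echo "$1" | awk -F'[./]' \
    'NF==5 && $1<256 && $2<256 && $3<256 && $4<256 && $5<=32 {ok=1} END {exit !ok}'
}

# The POSTROUTING rule as an argument list, so the identical text is used for
# -C (check) and -A (append).
nat_rule() {
  echo "POSTROUTING -o $PUBLIC_IF -s $PRIVATE_CIDR -j MASQUERADE"
}

enable_forwarding() {
  # Persist the sysctl (same effect as editing /etc/sysctl.conf) and apply it now.
  grep -q '^net.ipv4.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf \
    || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  sysctl -w net.ipv4.ip_forward=1
}

add_nat_rule() {
  valid_cidr "$PRIVATE_CIDR" || { echo "invalid PRIVATE_CIDR: $PRIVATE_CIDR" >&2; return 1; }
  # -C exits 0 when an identical rule already exists, so re-runs never duplicate it.
  iptables -t nat -C $(nat_rule) 2>/dev/null || iptables -t nat -A $(nat_rule)
  iptables -t nat -L POSTROUTING -n -v   # verify the rule is in place
}

# Only defines the functions unless invoked as: sudo sh nat-instance.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_forwarding && add_nat_rule
fi
```

Run it on the NAT instance as root with the apply argument; without it the script only defines the functions, which is useful for sourcing the CIDR check into other scripts.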

Thanks !! :)

To keep the iptables rules across reboots, add them to:

