Walkthrough setting up AWS NAT Instances: The multipurpose instance

Rakesh kanagaraj
Jan 15, 2018 · 3 min read

Yes, the multipurpose instance: one EC2 box that can NAT the private subnets out to the internet, do port forwarding, act as a bastion host, and serve as an OpenVPN host too. Because it does so much, keep in mind that it sits on the trust boundary between your private subnets and the internet, so its security group, patch level and the iptables rules on it deserve the same care as any perimeter device.

We are going to see how a Linux box that has only a private IP is able to reach the internet through the public IP associated with the NAT instance.

In a 2-tier or 3-tier architecture, instances are shielded from internet hosts by segregating them into a public and a private subnet, as above. The private subnet has no route to an internet gateway, so nothing in it (typically the database servers) can be reached from the internet. But these instances still need outbound access to pull patches or talk to third-party sites, and that is the gap NAT fills: outbound connections are allowed, inbound connections from the internet are still not.

AWS supports two methods of NAT: the NAT Gateway (managed by AWS, scales on its own) and the NAT instance (an EC2 instance that you run, patch and harden yourself, and which is a single point of failure unless you build failover around it). Check the comparison here.


Prerequisites to set up a NAT instance:

  1. Create a custom VPC with a public and a private subnet. The public subnet's route table must have a 0.0.0.0/0 route to the internet gateway; the private subnet's must not.
  2. Launch an Amazon Linux instance for NAT in the public subnet with a new, dedicated security group.
  3. Attach an Elastic IP to the NAT instance.
  4. Launch a Linux instance in the private subnet (no public IP).

Setting up the NAT instance

  1. In the AWS console, select the NAT instance and disable the source/destination check. By default EC2 drops any packet whose source or destination is not the instance itself; a NAT instance forwards other hosts' packets, so with the check left on nothing would get through.

2. SSH into the NAT instance and enable IP forwarding: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and reload with sysctl -p (sysctl -w net.ipv4.ip_forward=1 applies it immediately without a reboot).

vi /etc/sysctl.conf

3. Add a POSTROUTING rule in the nat table that masquerades traffic from the private subnet out of the public interface:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

Change the -s CIDR to match your private subnet, and the -o interface if it is not eth0 on your instance type. Keep the -s restriction: a rule without it would masquerade traffic from any host that can route through the instance, not just your private subnet. Verify the rule is in place with iptables -t nat -L POSTROUTING -n -v (the packet counters confirm it is actually being hit).

4. Set up the security group of the NAT instance:

Add inbound rules allowing traffic from the private subnet's CIDR, or from the security group of the servers that need outbound internet access. Scope the rules to what the workload really needs (for example HTTP/HTTPS for patching, plus ICMP if you want the ping test below to work) rather than allowing all traffic, and check that the NAT instance's outbound rules permit the destinations the private hosts need.

Security group of the Linux box added as an inbound source on the NAT instance's security group.

5. Create a custom route for the private subnet so its internet-bound traffic goes through the NAT instance:

Under VPC > Route Tables, create a new route table for NAT in the custom VPC you created,

~ Add a route for 0.0.0.0/0 with the NAT instance as the target.

~ Under Subnet Associations, associate the private subnet with this route table. The public subnet (where the NAT instance lives) must keep its own 0.0.0.0/0 route to the internet gateway.

6. Almost done :) !! Log in to the Linux box in the private subnet

~ The Linux box has only a private IP

~ Ping google.com | reachable from the private subnet through the NAT instance

~ Run traceroute to verify that the traffic is routed through the NAT instance

192.168.2.15 is the NAT instance's private IP, so traffic is indeed routed through it.

Thanks !! :)


To keep the iptables rule across reboots, add the rule to /etc/rc.local and make sure that file is executable; the sysctl setting in /etc/sysctl.conf is already read at boot:

/etc/rc.local
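The on-instance half of the walkthrough (step 2, step 3 and the rc.local persistence note) as one script. This is an added example, not code from the original post. Assumed, not from the post: the PRIVATE_CIDR, OUT_IFACE and ROOT environment variables and the "apply" argument. With ROOT pointing at a scratch directory the script only renders the config files there, so you can check what it would write before running it as root on the NAT instance.

```shell
#!/bin/sh
# Added example: configure an Amazon Linux instance as a NAT instance.
# Assumptions (not from the original post): PRIVATE_CIDR, OUT_IFACE and ROOT
# environment variables. With ROOT set to a scratch directory only the config
# files are rendered and the running kernel is never touched.
set -eu

PRIVATE_CIDR="${PRIVATE_CIDR:-192.168.1.0/24}"   # private subnet allowed to egress
OUT_IFACE="${OUT_IFACE:-eth0}"                   # interface holding the Elastic IP
ROOT="${ROOT:-}"                                 # prefix for /etc (empty = live system)

# Accept only a well-formed IPv4 CIDR: four octets 0-255 and a prefix 0-32,
# so a typo cannot end up inside a firewall rule.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"; bits="${1#*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Build the step 3 rule. Scoping it with -s to the private subnet, rather than
# masquerading everything, stops other hosts that can route through this
# instance from using it as an egress point.
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$2" "$1"
}

# Persistent part of step 2 plus the rc.local note. Idempotent: re-running
# does not duplicate lines.
render_config() {
    mkdir -p "$ROOT/etc"
    sysctl_conf="$ROOT/etc/sysctl.conf"
    touch "$sysctl_conf"
    grep -v '^net\.ipv4\.ip_forward' "$sysctl_conf" > "$sysctl_conf.tmp" || true
    echo 'net.ipv4.ip_forward = 1' >> "$sysctl_conf.tmp"
    mv "$sysctl_conf.tmp" "$sysctl_conf"

    rc_local="$ROOT/etc/rc.local"
    touch "$rc_local"
    grep -q 'POSTROUTING .* MASQUERADE' "$rc_local" \
        || nat_rule "$PRIVATE_CIDR" "$OUT_IFACE" >> "$rc_local"
    chmod +x "$rc_local"   # rc.local only runs at boot if it is executable
}

# Steps 2 and 3 on the live kernel; skipped entirely during a dry run.
apply_now() {
    if [ -n "$ROOT" ]; then
        echo "dry run: config rendered under $ROOT, kernel untouched" >&2
        return 0
    fi
    sysctl -w net.ipv4.ip_forward=1
    eval "$(nat_rule "$PRIVATE_CIDR" "$OUT_IFACE")"
    iptables -t nat -L POSTROUTING -n -v      # verify the rule is installed
}

main() {
    valid_cidr "$PRIVATE_CIDR" || { echo "invalid PRIVATE_CIDR: $PRIVATE_CIDR" >&2; exit 2; }
    render_config
    apply_now
}

# Run only when invoked as "sh nat-instance-setup.sh apply", so the functions
# can also be sourced and exercised without touching the system.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

On the NAT instance, run it as root with the CIDR of your private subnet, for example sudo PRIVATE_CIDR=192.168.1.0/24 sh nat-instance-setup.sh apply; check the interface name with ip link first and pass OUT_IFACE if it is not eth0. A dry run such as ROOT=/tmp/nat-check sh nat-instance-setup.sh apply writes the files under /tmp/nat-check/etc so you can read what would land in /etc/sysctl.conf and /etc/rc.local.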
