Walkthrough setting up AWS NAT Instances: The multipurpose instance
Yes, the multipurpose instance: it can be used for NAT'ting the private subnets to the internet, for port forwarding, as a bastion host, and as an OpenVPN host too.
In a 2-tier or 3-tier architecture the instances are shielded from internet hosts, as above, by segregating them into a public and a private subnet. The private subnet has no internet gateway attached, so it cannot talk to resources on the internet; a database server is the typical example. But these instances do still need internet access to pull patches or reach other third-party sites.
AWS supports two methods of NAT'ting, NAT Gateway and NAT Instance; check the comparison here.
Prerequisites to set up a NAT Instance:
- Create a custom VPC with a public and a private subnet.
- Create an instance for NAT using Amazon Linux in the public subnet, with a new security group.
- Attach an Elastic IP to the NAT instance.
- Create a Linux instance in the private subnet.
Setting up the NAT Instance
1. In the AWS console, select the NAT instance and disable the source/destination check (otherwise EC2 drops packets whose source or destination is not the instance itself).
2. SSH into the NAT instance and set IP forwarding (net.ipv4.ip_forward) to 1.
Reboot the instance or run sysctl -p for the setting to apply.
3. Update iptables with a POSTROUTING rule that masquerades traffic from the private subnet:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
4. Set up the security group of the NAT instance:
Add the security group (or the specific server IPs) of the private subnet that requires outbound traffic to the internet.
5. Create a custom route for the private subnet to route traffic through the NAT instance:
Under VPC > Route Tables, create a new route table for NAT under the custom VPC you created,
~ Add the NAT instance as the target
~ Add the private subnet under subnet associations to route its traffic.
6. Almost done :) !! Log in to the Linux box in the private subnet
~ The Linux box has only a private IP
~ Ping google.com | reachable from the internet through the NAT instance
~ Traceroute to verify that the traffic is routed through the NAT instance
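The following script is an added example, not part of the original post: it carries out steps 2 and 3 on the NAT instance and adds the check a practitioner wants before running the POSTROUTING rule, namely that the MASQUERADE source is limited to an RFC 1918 subnet (a rule with -s 0.0.0.0/0, or no -s at all, would translate traffic from any host that can reach the instance, not only the private subnet). It assumes Amazon Linux with iptables and /etc/sysctl.conf, a primary interface named eth0, and the post's private subnet 192.168.1.0/24; NAT_IFACE and PRIVATE_CIDR override those. Without --apply it only prints what it would do.

```sh
#!/bin/sh
# Added example, not part of the original post. Configures a NAT instance the
# way steps 2 and 3 describe and refuses unsafe input. Assumptions: Amazon
# Linux with iptables and /etc/sysctl.conf, primary interface eth0, private
# subnet 192.168.1.0/24 (the post's value). Override with NAT_IFACE and
# PRIVATE_CIDR. Without --apply the script only prints what it would do.

NAT_IFACE="${NAT_IFACE:-eth0}"
PRIVATE_CIDR="${PRIVATE_CIDR:-192.168.1.0/24}"

# Accept only an RFC 1918 network in dotted-quad/prefix form as the MASQUERADE
# source. A rule with -s 0.0.0.0/0 (or no -s at all) would let the instance
# translate traffic from any source that can reach it, not just the private
# subnet.
is_private_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})/([0-9]|[12][0-9]|3[0-2])$'
}

# The step 3 rule, parameterised on interface and subnet (returned as text so
# the dry run and the log both show exactly what will be applied).
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$1" "$2"
}

# Step 2 check: the running kernel's forwarding flag (1 = on). Useful after a
# reboot to confirm the sysctl.conf entry took effect.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

apply_nat() {
    iface="$1"
    cidr="$2"
    if ! is_private_cidr "$cidr"; then
        echo "refusing to masquerade non-RFC1918 source $cidr" >&2
        return 2
    fi
    # sysctl -w takes effect now; the sysctl.conf line survives a reboot
    # (sysctl -p reloads it, as the post notes).
    sysctl -w net.ipv4.ip_forward=1
    grep -Eq '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    # -C tests for an identical rule first so re-running the script does not
    # append duplicates.
    iptables -t nat -C POSTROUTING -o "$iface" -s "$cidr" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -o "$iface" -s "$cidr" -j MASQUERADE
}

# Step 6 from the NAT side: show forwarding state and every POSTROUTING rule,
# so an overly broad MASQUERADE rule is visible at a glance.
show_state() {
    if ip_forward_enabled; then echo "ip_forward: 1"; else echo "ip_forward: 0"; fi
    iptables -t nat -S POSTROUTING 2>/dev/null || echo "iptables not available"
}

main() {
    case "$1" in
        --apply)
            [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
            apply_nat "$NAT_IFACE" "$PRIVATE_CIDR"
            show_state
            ;;
        --status)
            show_state
            ;;
        *)
            echo "dry run; would execute:"
            echo "sysctl -w net.ipv4.ip_forward=1"
            masquerade_rule "$NAT_IFACE" "$PRIVATE_CIDR"
            ;;
    esac
}

main "$@"
```

Run it once without arguments to see the exact commands, then with `sudo ./nat-setup.sh --apply` on the NAT instance; `--status` after a reboot confirms that ip_forward is still 1 and lists the POSTROUTING rules, which is where a second, broader MASQUERADE rule would show up.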
Thanks !! :)
To keep the iptables rules persistent across reboots, add the rules to: