2

Attempting to following https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/ , I have the following components:

  • NAT Gateway nat-aaa
  • Subnet subnet-aaa configured to host nat-aaa
  • Route Table rtb-bbb configured with route:
    • 0.0.0.0/0 -> nat-aaa
  • Subnet subnet-bbb configured to use route table rtb-bbb
  • EC2 instance id-ccc in subnet-bbb

id-ccc has a public IP, however whilst applied to subnet-bbb I am unable to make any connections directly do it via the public IP. Is an additional route needed on rtb-bbb to allow this? I was understanding that route tables are more of an outbound configuration and not responsible for inbound connections?

All subnets are using the same Network ACL, which is the VPC default of allow all inbound.

Improve this question
5
  • Does your security group open up the required port (22) to allow traffic? Commented Feb 2, 2017 at 17:02
  • Yes, it was all working fine before I introduced NAT Gateways, with security groups defined to allow only what was necessary. Commented Feb 3, 2017 at 7:46
  • Do you need a public IP for your instance id-ccc? If so is it for you to just SSH to it? Commented Feb 3, 2017 at 9:11
  • To clarify instance id-ccc is actually just 1 instance to simplify the example, actually I have a variable number of instances (usually around 9), each of which I need to SSH to. Commented Feb 3, 2017 at 9:29
  • The way you can achieve SSH'ing to instances in a private subnet with the traffic being routed through NAT gateways is to use a Bastion Server in public subnet. Commented Feb 3, 2017 at 11:18

1 Answer 1

Reset to default
2

You are correct that route tables only impact outgoing packets, not incoming packets.

A host with a public IP cannot use the NAT gateway. In that scenario you get an asymmmetrical route. The packet from the client directly reaches the server, then the return packet traverses the NAT instance and has its IP changed to the NAT instance and returns to the client. The client doesn't understand that return packet as it isn't associated with the requested connection.

Improve this answer
2
  • In this case, what are my options to circumvent. I suppose a VPN would be, but do route tables or NAT Gateway offer anything like port forwarding such as a router with NAT typically provides? Commented Feb 3, 2017 at 7:47
  • Here is a typical use case for mixing private/public network segments with NAT box: In a VPC you have 2 route tables, a 'public' and a 'private'. The 'public' subnets contains your NAT gatway, any public facing load balancers, and machines with public IP. Instances in the 'private' subnets can be reached via the ELB's, but cannot be reached directly themselves. Outgoing access from the 'private' subnets is via the nat boxes. If you were doing microservices you might create internal private only ELB's for use between APIs. For management, a VPN or 'bastion' host is used. Commented Feb 4, 2017 at 1:13

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.