AWS VPC - Internet Gateway Against NAT

What is an internet gateway? What is a NAT instance? What services do they offer?

Reading the AWS VPC documentation, my understanding is that they both map private IP addresses to Internet-routable addresses for outgoing requests, and forward the incoming responses from the Internet back to the requestor on the subnet.

So what is the difference between the two? In what scenarios do I use a NAT instance instead of (or in addition to) an Internet gateway? Are they simply EC2 instances running some networking software, or are they special equipment such as a router?

Instead of just providing links to the AWS documentation, can you explain this, adding some information about what public and private subnets are, so that any newbie with limited networking knowledge can easily understand it? Also, when should I use a NAT gateway instead of a NAT instance?

PS: I'm new to AWS VPC, so I may be comparing apples to oranges here.

+46
amazon-web-services amazon-vpc
Aug 01 '16 at 1:55
3 answers

Internet gateway

An Internet gateway is a logical connection between your Amazon VPC and the Internet. It is not a physical device. Only one can be associated with each VPC. It does not limit the bandwidth of the Internet connection. (The only bandwidth limit is the size of the Amazon EC2 instance, and it applies to all traffic — internal to the VPC and to the Internet.)

If the VPC does not have an Internet gateway, the resources in the VPC cannot be accessed from the Internet (unless the traffic flows via a corporate network over VPN / Direct Connect).

A subnet is considered a Public Subnet if it has a route table that directs traffic to the Internet gateway.

NAT instance

A NAT instance is an Amazon EC2 instance configured to forward traffic to the Internet. It can be launched from an existing AMI, or it can be configured through user data as follows:

    #!/bin/sh
    # Enable IP forwarding so the instance routes packets on behalf of other hosts,
    # and stop it from sending ICMP redirects back to the private instances.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
    # Masquerade (source-NAT) everything leaving eth0 behind the NAT instance's own address.
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE
    /sbin/iptables-save > /etc/sysconfig/iptables
    # Persist the kernel settings across reboots.
    mkdir -p /etc/sysctl.d/
    cat <<EOF > /etc/sysctl.d/nat.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.eth0.send_redirects = 0
    EOF

Instances on the private subnet that want to access the Internet can send their Internet traffic to the NAT instance via the route table configuration. The NAT instance then makes the request to the Internet (since it is on the public subnet), and the response is sent back to the private instance.

Traffic sent to a NAT instance is usually addressed to an IP address that is not associated with the NAT instance itself (it will be for a server on the Internet). Therefore, it is important to disable the Source/Destination Check option on the NAT instance, otherwise the traffic will be blocked.

NAT gateway

AWS introduced a NAT Gateway service that can replace a NAT instance. Advantages of using the NAT Gateway service:

  • It is a fully managed service - just create one and it works automatically, including failover
  • It can scale up to 10 Gbps (a NAT instance is limited by the bandwidth associated with its EC2 instance type)

However:

  • Security groups cannot be associated with a NAT Gateway
  • You will need one in each AZ, since each only operates in a single AZ
+57
Aug 01 '16 at 4:36

As for NAT gateway vs. NAT instance, either will work. A NAT instance might be a little cheaper, but the NAT gateway is fully AWS-managed, so it has the advantage of not having to maintain an EC2 instance just for NATing.

However, for instances that should be reachable from the Internet, NAT gateways / NAT instances are not what you are looking for. NAT allows private instances (without a public IP) to access the Internet, but not vice versa. So, for EC2 instances that should be reachable from the Internet, you need to assign a public IP address. There is a workaround if you really need the EC2 instances to stay private - you can use an Elastic Load Balancer to proxy the requests.

Internet gateways

An Internet gateway is how your VPC connects to the Internet. You use an Internet gateway together with a route table to tell the VPC how traffic gets to the Internet.

An Internet gateway appears in the VPC as just a name. Amazon manages the gateway, and there is nothing you really configure (other than whether to use it or not; remember that you may want a fully segmented subnet that cannot access the Internet at all).

A public subnet is a subnet in which Internet traffic is routed through the AWS Internet gateway. Any instance within a public subnet can have a public IP assigned to it (for example, an EC2 instance launched with "Associate Public IP Address" enabled).

A private subnet means its instances are not reachable from the Internet. They do not have a public IP address; for example, you cannot SSH to them directly. Instances on private subnets can still access the Internet themselves (e.g., via a NAT gateway).

+27
Aug 01 '16 at 2:05
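As an added example that is not part of either answer above, the rules they give (a subnet is public only when its default route points at the Internet gateway; a private instance gets out through a NAT instance or NAT gateway but is never reachable inbound; a NAT instance must sit in a public subnet with Source/Destination Check disabled) turned into a small audit over a constructed VPC description. The dictionary layout is an assumption of this example and only loosely mirrors what `aws ec2 describe-route-tables` / `describe-instances` return.

```python
# Constructed sample VPC (assumed layout, not real AWS API output): a public subnet
# holding a NAT instance and a web server, a private subnet whose default route goes
# to the NAT instance, and an isolated subnet with no default route at all.
VPC = {
    "route_tables": {
        "rtb-public":   [{"dst": "10.0.0.0/16", "target": "local"},
                         {"dst": "0.0.0.0/0", "target": "igw-1"}],
        "rtb-private":  [{"dst": "10.0.0.0/16", "target": "local"},
                         {"dst": "0.0.0.0/0", "target": "i-nat"}],
        "rtb-isolated": [{"dst": "10.0.0.0/16", "target": "local"}],
    },
    "subnets": {"subnet-pub": "rtb-public", "subnet-priv": "rtb-private",
                "subnet-iso": "rtb-isolated"},
    "instances": {
        "i-nat": {"subnet": "subnet-pub",  "public_ip": True,  "src_dst_check": False},
        "i-web": {"subnet": "subnet-pub",  "public_ip": True,  "src_dst_check": True},
        "i-db":  {"subnet": "subnet-priv", "public_ip": False, "src_dst_check": True},
        "i-iso": {"subnet": "subnet-iso",  "public_ip": False, "src_dst_check": True},
    },
}

def default_target(vpc, subnet_id):
    """Target of the subnet's 0.0.0.0/0 route, or None if the subnet has no default route."""
    for route in vpc["route_tables"][vpc["subnets"][subnet_id]]:
        if route["dst"] == "0.0.0.0/0":
            return route["target"]
    return None

def is_public_subnet(vpc, subnet_id):
    """A subnet is public exactly when its default route points at an Internet gateway."""
    target = default_target(vpc, subnet_id)
    return target is not None and target.startswith("igw-")

def can_reach_internet(vpc, instance_id):
    """Outbound: through the IGW with a public IP, or via a NAT gateway / NAT instance."""
    inst = vpc["instances"][instance_id]
    target = default_target(vpc, inst["subnet"])
    if target is None:
        return False                      # isolated subnet: no way out
    if target.startswith("igw-"):
        return inst["public_ip"]          # IGW alone is useless without a public IP
    if target.startswith("nat-"):
        return True                       # managed NAT gateway, nothing else to check
    nat = vpc["instances"].get(target)    # NAT instance: must be in a public subnet
    return bool(nat) and not nat["src_dst_check"] and is_public_subnet(vpc, nat["subnet"])

def reachable_from_internet(vpc, instance_id):
    """Inbound: only a public IP in a public subnet; NAT never provides this."""
    inst = vpc["instances"][instance_id]
    return inst["public_ip"] and is_public_subnet(vpc, inst["subnet"])
```

Running it over real account data would mean translating the API output into this layout first; the checks themselves are the ones the answers describe, including the Source/Destination Check pitfall.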

An Internet gateway is used to connect the VPC to the Internet, and a NAT gateway is used to connect a private subnet to the Internet (meaning that traffic from an instance in the private subnet is redirected to the NAT gateway). You need to direct the traffic to the NAT gateway in the route table.

Route table: 0.0.0.0/0

0
Jul 12 '17 at 2:27