AWS VPC NAT – NAT Gateway

AWS NAT

  • AWS NAT – Network Address Translation devices, launched in the public subnet, enable instances in a private subnet to connect to the Internet but prevent the Internet from initiating connections with those instances.
  • Instances in private subnets need an Internet connection to perform software updates or to access external services.
  • A NAT device performs both network address translation and port address translation (PAT).
  • A NAT instance prevents instances from being directly exposed to the Internet, which would otherwise require launching them in a public subnet and assigning an Elastic IP address to each of them (Elastic IP addresses are limited).
  • The NAT device routes traffic from the private subnet to the Internet by replacing the source IP address with its own address, and translates the address back to the instances’ private IP addresses for the response traffic.
  • AWS allows NAT configuration in 2 ways:
    • NAT Gateway, a managed service by AWS
    • NAT Instance

NAT Gateway

  • A NAT gateway is an AWS managed NAT service that provides better availability, higher bandwidth, and requires less administrative effort.
  • A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 100 Gbps. For higher burst requirements, the workload can be distributed by splitting the resources across multiple subnets and creating a NAT gateway in each subnet.
  • A public NAT gateway is associated with one Elastic IP address, which cannot be disassociated after creation.
  • Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.
  • A NAT gateway supports the TCP, UDP, and ICMP protocols.
  • A NAT gateway cannot be associated with a security group. Security groups can be configured on the instances in the private subnets to control their traffic.
  • A network ACL can be used to control the traffic to and from the subnet. The NACL applies to the NAT gateway’s traffic, which uses ports 1024-65535.
  • When created, a NAT gateway receives an elastic network interface that is automatically assigned a private IP address from the subnet’s IP address range. The attributes of this network interface cannot be modified.
  • A NAT gateway cannot send traffic over VPC endpoints, VPN connections, AWS Direct Connect, or VPC peering connections. The private subnet’s route table should route such traffic directly to those targets instead.
  • A NAT gateway times out a connection that is idle for 350 seconds or more. To prevent the connection from being dropped, initiate more traffic over the connection or enable TCP keepalive on the instance with a value of less than 350 seconds.
  • NAT gateways currently do not support the IPsec protocol.
  • A NAT gateway only passes traffic from an instance in a private subnet to the internet.

NAT Gateway High Availability

NAT Gateway vs NAT Instance

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet, you modify your route tables to have the NAT device be the target of Internet-bound traffic of your private subnet. When you try to make an outbound connection to the Internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?
    1. Attaching a second Elastic Network interface (ENI) to the NAT instance, and placing it in the private subnet
    2. Attaching an Elastic IP address to the instance in the private subnet
    3. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet
    4. Disabling the Source/Destination Check attribute on the NAT instance
  2. You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are properly configured. Instances in a private subnet can access the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances?
    1. Enable Source/Destination Check on the private Instances.
    2. Enable Source/Destination Check on the NAT instance.
    3. Disable Source/Destination Check on the private instances
    4. Disable Source/Destination Check on the NAT instance
  3. A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?
    1. For Inbound allow Source: 20.0.1.0/24 on port 80
    2. For Outbound allow Destination: 0.0.0.0/0 on port 80
    3. For Inbound allow Source: 20.0.0.0/24 on port 80 (Refer NATSG)
    4. For Outbound allow Destination: 0.0.0.0/0 on port 443
  4. A web company is looking to implement an external payment service into their highly available application deployed in a VPC. Their application EC2 instances are behind a public facing ELB. Auto scaling is used to add additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling group but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API. How should they architect their solution?
    1. Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the NAT instances
    2. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway. (Internet gateway is only to route traffic)
    3. Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB. (ELB does not have a fixed IP address)
    4. Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instance’s public IP address to the payment validation whitelist API. (would exceed the allowed 4 IP addresses)
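To make the preconditions behind the AWS NAT section and Questions 1 to 3 concrete, here is an added Python check (example code, not part of the original post and not AWS tooling) run over a constructed model of the VPC from Question 3; the gateway and instance ids, the `nat` attributes and the security group rule format are assumptions of this model.

```python
import copy
import ipaddress

# Constructed model of the VPC from Question 3 (not real AWS API output): per-subnet
# route tables, the NAT instance's attributes and its security group rules.
VPC = {
    "subnets": {
        "public": {"cidr": "20.0.0.0/24", "routes": {"0.0.0.0/0": "igw-1"}},
        "private": {"cidr": "20.0.1.0/24", "routes": {"0.0.0.0/0": "i-nat"}},
    },
    "nat": {
        "id": "i-nat", "subnet": "public",
        "source_dest_check": True,  # the misconfiguration behind Questions 1 and 2
        "sg_inbound": [("20.0.1.0/24", 80), ("20.0.1.0/24", 443), ("20.0.0.0/24", 80)],
        "sg_outbound": [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)],
    },
}

def nat_findings(vpc):
    """Reasons why private-subnet instances could not reach the Internet via the NAT."""
    findings = []
    nat, priv = vpc["nat"], vpc["subnets"]["private"]
    # The NAT must sit in a public subnet: one whose default route is an internet gateway.
    if not vpc["subnets"][nat["subnet"]]["routes"].get("0.0.0.0/0", "").startswith("igw-"):
        findings.append("NAT subnet has no default route to an internet gateway")
    # The private subnet's default route must target the NAT instance.
    if priv["routes"].get("0.0.0.0/0") != nat["id"]:
        findings.append("private subnet default route does not target the NAT")
    # EC2 drops packets the instance forwards unless source/destination check is disabled.
    if nat["source_dest_check"]:
        findings.append("source/destination check is enabled on the NAT instance")
    # SGs are stateful (replies need no rule), but forwarded traffic still needs an inbound
    # rule from the private CIDR on every port that is allowed outbound.
    priv_net = ipaddress.ip_network(priv["cidr"])
    for _, port in nat["sg_outbound"]:
        if not any(p == port and priv_net.subnet_of(ipaddress.ip_network(c))
                   for c, p in nat["sg_inbound"]):
            findings.append(f"no inbound rule from {priv['cidr']} on port {port}")
    return findings

def unneeded_inbound(vpc):
    """Inbound NAT rules whose source is not the private subnet (the public subnet uses the IGW)."""
    priv_net = ipaddress.ip_network(vpc["subnets"]["private"]["cidr"])
    return [(c, p) for c, p in vpc["nat"]["sg_inbound"]
            if not ipaddress.ip_network(c).overlaps(priv_net)]

def with_check_disabled(vpc):
    """Copy of the model with the fix for Questions 1 and 2 applied."""
    fixed = copy.deepcopy(vpc)
    fixed["nat"]["source_dest_check"] = False
    return fixed
```

Running `nat_findings(VPC)` reports only the enabled source/destination check, and `unneeded_inbound(VPC)` returns the public-subnet rule that Question 3 identifies as not required.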

22 thoughts on “AWS VPC NAT – NAT Gateway”

  1. From section “NAT device Configuration Key Points”
    >>should have a Security group associated that
    >>allows Outbound Internet traffic from instances in the private subnet
    I think it should be just “allows Outbound Internet traffic” — there is no need (and src addresses cannot be specified for outbound rule in a security group) to specify that it should allow traffic from instances in private subnet. Is my understanding correct?

    1. NAT is used for instances in a private subnet only. But within those instances, not all would need to connect to the Internet and some need to be completely isolated within the AWS network only.
      Security groups/CIDR addresses can be specified from which the NAT should accept the outbound Internet traffic.

  2. For Question 3:
    >>c. Disable Source/Destination Check on the private instances
    should this instead be “Disable Source/Destination Check on the *nat* instance”. I believe disabling source/destination checks on the EC2 instances launched in the private subnet is not required.

    1. That’s correct, the source/destination check should be disabled on the NAT instance. Updated the answer options.

  3. A user has setup a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24) and
    a public subnet (20.0.0.0/24). The user’s data centre has CIDR of 20.0.54.0/24 and 20.1.0.0/24.
    If the private subnet wants to communicate with the data centre, what will happen?

    a.It will allow traffic communication on both the CIDRs of the data centre
    b.It will not allow traffic with data centre on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24
    c.It will not allow traffic communication on any of the data centre CIDRs
    d.It will allow traffic with data centre on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24 (as the CIDR block would be overlapping)

    Hello Jayandar, could you please explain how overlapping happened in this case?

    1. VPC CIDR 20.0.0.0/16, so the IP range would be from 20.0.0.0 to 20.0.255.255, which includes 20.0.54.0/24. So the CIDR is overlapping.
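The overlap discussed in this comment, as an added example (not part of the original post): the VPC’s local route claims the whole 20.0.0.0/16, so the data-centre prefix 20.0.54.0/24 can never be routed out of the VPC, while 20.1.0.0/24 can. The route table and the gateway target names are constructed for the example.

```python
import ipaddress

# Constructed route table for the private subnet in the question above (not AWS API
# output): the VPC's local route, a route towards the data centre for the prefix that
# does not overlap, and the default route through the NAT. No route for 20.0.54.0/24
# is present because that prefix lies inside the VPC CIDR that the local route claims.
VPC_CIDR = "20.0.0.0/16"
DATA_CENTRE_CIDRS = ["20.0.54.0/24", "20.1.0.0/24"]
PRIVATE_ROUTE_TABLE = [
    ("20.0.0.0/16", "local"),
    ("20.1.0.0/24", "vgw-datacentre"),  # assumed name for the virtual private gateway
    ("0.0.0.0/0", "nat-gateway"),
]

def overlapping_prefixes(vpc_cidr, remote_cidrs):
    """Remote prefixes that collide with the VPC CIDR and so cannot be reached from the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in remote_cidrs if ipaddress.ip_network(c).overlaps(vpc)]

def route_target(route_table, dst_ip):
    """Longest-prefix match: the most specific route containing dst_ip decides the target."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None
```

A packet for 20.0.54.10 resolves to the local route and stays inside the VPC, which is why answer b holds; 20.1.0.10 goes to the gateway and any other address goes through the NAT.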

  4. Hello Sir,

    >>>A web company is looking to implement an external payment service into their highly available application deployed in a VPC. Their application EC2 instances are behind a public facing ELB. Auto scaling is used to add additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling group but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API. How should they architect their solution?

    Ans: Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the NAT instances

    Can you please explain this scenario? Why is whitelisting of public IP addresses required to communicate with the payment service? Why can’t the instances just communicate with the service via the ELB? How do NAT instances come into this picture, as there’s no mention of EC2 instances in a private subnet?

    Thanks in advance.

    1. As there is a limit of 4 public IP addresses, auto scaling would break as the new instances won’t be able to call the payment service.
      Also, the ELB does not have a fixed EIP, nor would it be used when the call to the payment service is being made. It would go through the IGW directly.
      So the best option is to place the instances in private subnets, route the traffic through HA NAT and whitelist its IP addresses, which are public IPs.

  5. Hello Jayendra,
    For Question 4, will you be able to explain why a is an answer and not d?

    1. Hi Prabin, as the instances are autoscaled and can increase 3x, which is 6 at its peak, this would exceed the allowed 4 IP whitelisting condition. Also the IPs would change if not assigned an Elastic IP address, which is done in option A.

  6. A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?
    For Inbound allow Source: 20.0.1.0/24 on port 80
    For Outbound allow Destination: 0.0.0.0/0 on port 80
    For Inbound allow Source: 20.0.0.0/24 on port 80 (Refer NATSG)
    For Outbound allow Destination: 0.0.0.0/0 on port 443

    Why is inbound from private subnet (20.0.1.0/24 on port 80) required if we are already allowing outbound on the same HTTP protocol (0.0.0.0/0 on port 80)? I am assuming ‘security group is stateful’ means that if I have an outbound rule, then inbound rule need not be defined; so, in this case outbound on 0.0.0.0/0 range (meaning everything else) should suffice. In other words, if the security group rule did not have ‘For Inbound allow Source: 20.0.1.0/24 on port 80’, and it only had ‘For Outbound allow Destination: 0.0.0.0/0 on port 80’, The traffic would still flow from the private subnet -> NAT -> Internet just fine for patching purposes.

    Please correct me on my understanding.

    Or, are we just picking ‘For Inbound allow Source: 20.0.0.0/24 on port 80 (Refer NATSG)’ as the answer because it is a better choice than ‘For Inbound allow Source: 20.0.1.0/24 on port 80’, but both answers would be correct if we were to pick two choices?

    Reference:

    I am making my argument based on question 10 on the following post, where my assumed logic is applied for the ICMP protocol. I don’t know whether ICMP is a special case.

    https://jayendrapatil.com/aws-vpc-security-group-vs-nacls/

    Your entire AWS infrastructure lives inside of one Amazon VPC. You have an Infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application. Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?

    Yes, The security group for the monitoring instance needs to allow outbound ICMP and the application instance’s security group needs to allow Inbound ICMP (is stateful, so just allow outbound ICMP from monitoring and inbound ICMP on monitored instance)

    1. The question asks what is not required. NAT is for private subnets only. Public subnets are already connected to the internet gateway. Hence 20.0.0.0/24 is NOT required.

  7. For question 4, it may just be a poorly worded question, but do I need to assume since it’s Highly available that they are using two separate AZs?

    Otherwise A wouldn’t make sense because using two NAT instances for “HA” would require some scripting and some sort of health check that can programmatically change the route table when the primary one fails.

    1. Thanks Kyle, the question is mainly targeting the limitation of whitelisting 4 IPs. With Auto Scaling to maintain HA that can change and hence would not work. Using NAT and Elastic IPs it would keep the whitelisting to 2 IPs irrespective of the Auto Scaling behaviour.
      Also, this is referring to NAT Instance and not NAT Gateway.

  8. Hi Jayendra,

    You have posted :

    should have a Security group associated that
    allows Outbound Internet traffic from instances in the private subnet
    disallows Inbound Internet traffic from everywhere.

    But security group can only allow. Disallow option is provided by NACL?

    What is your thought on this one?

    1. Disallows here is basically implicit deny. So you do not add any rules that allow incoming traffic.

  9. A data processing application in AWS must pull data from an Internet service. An architect must design a highly available solution to access the data without
    placing bandwidth constraints on application traffic. Which solution is best?

    launch nat gateway add routes for 0.0.0.0/0
    attach vpc endpoint and add routes for 0.0.0.0/0
    attach internet gateway and add routes for 0.0.0.0/0
    deploy nat instance in public subnet and add routes for 0.0.0.0/0

    1. It does not mention that the application is in private subnets, so even an Internet Gateway would work. NAT gateway if the instances are in a private subnet.
