Network Address Translation (NAT) Instances, NAT Gateways, Egress only Internet Gateways and Bastion Hosts

  1. How to enable private subnet based EC2 instances access internet for downloading software and patches
    1. NAT Instances:
      1. Launch NAT instance from NAT AMI in public subnet
      2. You need to disable source/destination check
      3. Add a route to the private subnet’s route table that sends all internet-bound traffic (the default destination) to the NAT instance (target)
      4. Unlike an internet gateway, a NAT instance provides only one-way access to the internet (outbound request and its response), meaning no one on the internet can initiate a connection into the private subnet
    2. NAT Gateway (IPv4)
      1. IPv4 only; highly available and redundant (unlike a NAT instance)
      2. NO need to disable the source/destination check
      3. Needs an Elastic IP
      4. Add a route to the private subnet’s route table that sends all internet-bound traffic (the default destination) to the NAT gateway (target)
    3. Egress only internet gateway (IPv6)
      1. An egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead.
      2. An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
  2. How to access your EC2 instances residing in a private subnet
    1. Using SSH/RDP over the internet via bastion hosts
      1. Bastion hosts let you reach EC2 instances in a private subnet through SSH/RDP
      2. Bastion hosts live in public subnets
      3. ALLOW the bastion host’s security group as a source for SSH/RDP by modifying the security group of the private subnet’s instances
      4. Use PuTTY agent forwarding to SSH to the bastion and from there SSH on to the private-subnet EC2 instance
    2. Using AWS Systems Manager: SSM is a management tool that enables you to gain operational insights and take action on AWS resources safely and at scale. Using Run Command, one of the automation features of Systems Manager, you can simplify management tasks by eliminating the need for bastion hosts, SSH, or remote PowerShell.
        1. If you have a running EC2 instance, find the role it is using and attach the AWS managed policy called “AmazonEC2RoleforSSM” to that role. Remember that you can attach multiple policies to a single role.
        2. If you are launching a new EC2 instance, create a new role for it, attach the “AmazonEC2RoleforSSM” policy, and use that role at launch
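A configuration check for the two points above (the private subnet’s default route must point at a NAT gateway or NAT instance rather than an internet gateway, and the private subnet’s security group should admit SSH only from the bastion host’s security group). This is an added example, not part of the original notes; the input dicts follow the shape of `aws ec2 describe-route-tables` / `describe-security-groups` output, and all resource ids are constructed.

```python
from typing import Iterable, Optional, Set, Tuple

def egress_target(routes: Iterable[dict]) -> Optional[str]:
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r.get("NatGatewayId") or r.get("InstanceId") or r.get("GatewayId")
    return None

def subnet_is_private(routes: Iterable[dict]) -> bool:
    """Private means the default route goes to a NAT gateway/instance, never an igw-*."""
    target = egress_target(routes)
    return target is not None and not target.startswith("igw-")

def ssh_sources(sg: dict, port: int = 22) -> Tuple[Set[str], Set[str]]:
    """Collect who may reach `port` on this SG: source CIDRs and referenced SG ids."""
    cidrs: Set[str] = set()
    groups: Set[str] = set()
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):   # "-1" means all protocols
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        cidrs |= {c["CidrIp"] for c in perm.get("IpRanges", [])}
        groups |= {g["GroupId"] for g in perm.get("UserIdGroupPairs", [])}
    return cidrs, groups

def private_ssh_only_from(sg: dict, bastion_sg_id: str) -> bool:
    """The private subnet's SG should admit SSH only from the bastion's SG, with no CIDR sources."""
    cidrs, groups = ssh_sources(sg)
    return not cidrs and groups == {bastion_sg_id}

# Constructed sample data in the shape of the AWS CLI JSON output (not real resources).
PRIVATE_RT = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc123", "State": "active"}]
PUBLIC_RT = [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def456", "State": "active"}]
BASTION_SG = {"GroupId": "sg-bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]}
PRIVATE_SG_OK = {"GroupId": "sg-private", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}
PRIVATE_SG_BAD = {"GroupId": "sg-private", "IpPermissions": [  # SSH open to the world: bastion bypassed
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}

if __name__ == "__main__":
    print("private subnet egress via", egress_target(PRIVATE_RT), "private:", subnet_is_private(PRIVATE_RT))
    print("public subnet is private:", subnet_is_private(PUBLIC_RT))
    print("private SG ok:", private_ssh_only_from(PRIVATE_SG_OK, "sg-bastion"),
          "bad:", private_ssh_only_from(PRIVATE_SG_BAD, "sg-bastion"))
```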

Copyright 2005-2016 KnowledgeHills.