Parth Patel for AWS Cloud Clubs

VPC NAT Gateway Tutorial

Introduction

A Network Address Translation (NAT) Gateway is a managed AWS service that lets instances in a private subnet of a Virtual Private Cloud (VPC) initiate outbound connections to the internet. It rewrites the source address of each outbound packet to its own Elastic IP, forwards the packet through the Internet Gateway, and maps the replies back to the originating instance. Because the private instances have no public IP address and no route from the Internet Gateway reaches them, hosts on the internet cannot open connections to them. Note what the NAT Gateway does not do: it does not inspect or filter the outbound traffic itself, so any egress restriction still has to come from security groups, network ACLs, or a proxy.

Scenario

Imagine you have a Virtual Private Cloud (VPC) in a cloud provider like Amazon Web Services (AWS), and within this VPC, you have several private instances that need to access the internet for software updates, downloading packages, or other web-based services. However, you want to maintain a high level of security and control over these private instances and prevent direct access to the internet. How can you achieve this while allowing your private instances to communicate with the internet?

Solution

In this scenario, you can use a NAT Gateway inside Amazon VPC to give your private instances outbound internet access without assigning them public IP addresses and without exposing them to inbound connections from the internet.

Prerequisite

  1. An AWS account
  2. Basic knowledge of AWS services
  3. Familiarity with launching Windows EC2 instances (this guide uses two: one in the public subnet as a jump host, and one in the private subnet that reaches the internet only through the NAT Gateway)
  4. Working knowledge of Amazon VPC, NAT Gateways, and Elastic IPs

Step-by-step Guide:

Step 1: Create a VPC

  1. If you don't already have a VPC, you can create one by clicking "Your VPCs" in the VPC Dashboard.
  2. Click the "Create VPC" button.
  3. Fill in the VPC details, including the name, IPv4 CIDR block, and any other settings you require.
  4. Click "Create VPC."

Step 2: Create subnets

  1. In the VPC Dashboard, select "Subnets" from the left-hand navigation pane.
  2. Click the "Create Subnet" button.
  3. Choose the VPC you created in the previous step.
  4. Configure the subnet details, including the name, availability zone, and IPv4 CIDR block.
  5. Repeat this process to create two subnets in the same VPC with non-overlapping CIDR blocks: a public subnet (which will hold the NAT Gateway and the jump host) and a private subnet (which will hold the instance that reaches the internet only through the NAT Gateway).

Step 3: Create an Internet Gateway

  1. In the VPC Dashboard, select "Internet Gateways" from the left-hand navigation pane.
  2. Click the "Create Internet Gateway" button.

Step 4: Attach the Internet Gateway to Your VPC

  1. Select the newly created Internet gateway.
  2. Click the "Actions" button and choose "Attach to VPC."
  3. Choose the VPC to which you want to attach the Internet gateway.
  4. Click "Attach."

Step 5: Create a Custom Route Table

  1. In the VPC Dashboard, select "Route Tables" from the left-hand navigation pane.
  2. Click the "Create Route Table" button.
  3. Create two route tables in the VPC you created earlier, one named "PublicSubnet" and one named "PrivateSubnet".
  4. Click "Create."

Step 6: Edit the Public Route Table to Route Traffic to the Internet

  1. Select the "PublicSubnet" route table you just created.
  2. In the "Routes" tab, click the "Edit routes" button.
  3. Click "Add route."
  4. In the "Destination" field, enter 0.0.0.0/0 to match all internet-bound traffic.
  5. In the "Target" field, select the Internet Gateway that you attached to the VPC in the previous step.
  6. Click "Save routes."

Leave the "PrivateSubnet" route table with only its local route for now. A subnet whose default route points at the Internet Gateway is a public subnet regardless of its name; the private table gets its default route in Step 13, pointing at the NAT Gateway instead.

Step 7: Associate Subnets with the Custom Route Table

  1. In the "Subnet associations" tab of the custom route table, click "Edit subnet associations."
  2. Associate the public subnet with the "PublicSubnet" route table and the private subnet with the "PrivateSubnet" route table. A subnet that is not explicitly associated with any table uses the VPC's main route table, so set both associations explicitly rather than relying on the default.
  3. Click "Save associations."

Step 8: Launch a Windows EC2 Instance

  1. In the EC2 console, click the "Launch Instance" button.
  2. Select a "Windows Server" AMI based on your requirements.
  3. For the instance type, choose "t2.micro", which is free-tier eligible.

Step 9: Choose an existing key pair or create a new key pair.

  1. If you already have an EC2 "key pair", select it.
  2. If not, create a "new key pair". You'll use this key pair to retrieve the Administrator password and connect to your Windows EC2 instance.
  3. "Save the file" on your local device and keep it safe; without the private key, the Windows password cannot be decrypted.

Step 10: Configure the Network Settings and Security Group

  1. Under "Network settings", choose the VPC from Step 1 and the subnet for this instance. Enable "Auto-assign public IP" for the instance in the public subnet and disable it for the instance in the private subnet; an instance in the private subnet must have no public address.
  2. Create a "new security group" or select an "existing one". Allow RDP (TCP 3389) only from your own public IP address (a /32), never from 0.0.0.0/0, and allow HTTPS (TCP 443) only if the instance will actually serve web traffic. For the instance in the private subnet, allow RDP only from the security group of the public-subnet instance, since that is the only host that should ever reach it.
  3. Click "Launch" to proceed.
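Step 10's rule set is the one place in this guide where a typo turns a jump host into an internet-facing RDP endpoint. The script below is an added example, not code from the original post: it scans security-group definitions in the shape returned by `aws ec2 describe-security-groups` and reports every rule that lets 0.0.0.0/0 or ::/0 reach TCP 3389, including "all traffic" rules that never mention the port. The three groups in it are constructed by hand, their IDs are made up, and 203.0.113.10 is a documentation address standing in for your own /32.

```python
"""Find security-group rules that open RDP (TCP 3389) to the whole internet.

Added example for this tutorial, not code from the original post. The input
mirrors the IpPermissions shape returned by `aws ec2 describe-security-groups`;
the three groups below are constructed by hand and their IDs are made up.
"""
from ipaddress import ip_network

RDP_PORT = 3389

# Constructed sample: one group with RDP open to the world (the mistake to avoid),
# one locked to a single /32 as recommended, and one "allow all traffic" group
# that exposes RDP without ever naming port 3389.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bastion-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-allow-all", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an ingress rule admits TCP traffic to `port`."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                      # "All traffic": every protocol and port
        return True
    if proto not in ("tcp", "6"):          # the API may return a name or a number
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def source_cidrs(perm: dict) -> list:
    """All CIDR sources of a rule, IPv4 and IPv6 (security-group sources are not CIDRs)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def world_open_rdp(groups: list, port: int = RDP_PORT) -> list:
    """Return (GroupId, cidr) pairs where `port` is reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in source_cidrs(perm):
                if ip_network(cidr, strict=False).prefixlen == 0:   # /0 means "anyone"
                    findings.append((group["GroupId"], cidr))
    return findings


if __name__ == "__main__":
    for group_id, cidr in world_open_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: TCP {RDP_PORT} open to {cidr}; restrict it to your own /32")
```

Run it against real output by loading the `SecurityGroups` array from `aws ec2 describe-security-groups` instead of `SAMPLE_GROUPS`; the same function with `port=443` shows which groups expose HTTPS, which is usually intended but worth confirming.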

Step 11: Connect your EC2 instance

  1. In the RDP Client Tab, click on "Download Remote Desktop File" on your local machine.

  2. Click on "Get Password" and "Upload the Private Key".

  3. Click on "Decrypt Password", then copy your decrypted password.

  4. Open the RDP file and "paste" your copied decrypted password.

  5. You are successfully connected to your Windows EC2 instance.

Step 12: Create the NAT Gateway

  1. In the VPC Dashboard, select "NAT Gateways" from the left-hand navigation pane and click "Create NAT Gateway."
  2. Select the public subnet (the one associated with the "PublicSubnet" route table) as the subnet for the NAT Gateway. The gateway itself needs a route to the Internet Gateway; placing it in the private subnet leaves it with no path out.
  3. Choose an Elastic IP address to associate with the NAT Gateway. If you don't have one, allocate a new Elastic IP. This address is the source IP the internet will see for all outbound traffic from the private subnet.
  4. Click the "Create NAT Gateway" button and wait until the gateway's state is "Available" before routing traffic to it.

Step 13: Add a Route to the NAT Gateway

  1. In "Route Tables", select the "PrivateSubnet" route table.
  2. In the "Routes" tab, click the "Edit routes" button.
  3. Add a new route with the destination 0.0.0.0/0 (all internet-bound traffic) and select the NAT Gateway as the target.
  4. Click "Save routes."
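Steps 5 through 7 and 12 through 13 together define a small topology with a few ways to get it silently wrong: the private subnet's default route ends up on the Internet Gateway, the NAT Gateway lands in a subnet with no Internet Gateway route, a subnet falls back to the main route table, or a route is left pointing at a deleted gateway. The audit below is an added example, not code from the original post; it takes the shapes returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`, compares them with the intended role of each subnet, and reports every mismatch. The snapshot and every resource ID in it are constructed by hand; `subnet-priv2` is deliberately mis-associated to show a finding.

```python
"""Audit a VPC's route-table layout for the public / private / NAT Gateway pattern.

Added example for this tutorial, not code from the original post. It consumes the
shapes returned by `aws ec2 describe-subnets`, `describe-route-tables` and
`describe-nat-gateways`; the snapshot below is constructed by hand to mirror the
tutorial's VPC, and every resource ID in it is made up.
"""
import copy

# Constructed snapshot. subnet-priv2 is deliberately associated with a table whose
# default route goes to the Internet Gateway, the mistake Step 6 warns about.
SNAPSHOT = {
    "Subnets": [
        {"SubnetId": "subnet-pub", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-priv", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-priv2", "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": False},
    ],
    "RouteTables": [
        {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-main", "State": "active"}]},
        {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-main", "State": "active"}]},
        {"RouteTableId": "rtb-leaky", "Associations": [{"SubnetId": "subnet-priv2"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-main", "State": "active"}]},
    ],
    "NatGateways": [{"NatGatewayId": "nat-main", "SubnetId": "subnet-pub", "State": "available"}],
}

# What each subnet is meant to be; the audit compares this intent with the routes.
INTENDED_ROLES = {"subnet-pub": "public", "subnet-priv": "private", "subnet-priv2": "private"}


def default_route_target(table: dict) -> str:
    """Classify a route table's 0.0.0.0/0 route: igw, nat, other, blackhole or none."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            return "blackhole"           # target gone, e.g. the NAT Gateway was deleted
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        return "other"                   # NAT instance ENI, transit gateway, etc.
    return "none"


def route_table_for(subnet_id: str, tables: list) -> dict:
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = {}
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def audit(snapshot: dict, roles: dict) -> list:
    """Return sorted finding strings; an empty list means the layout matches intent."""
    tables = snapshot["RouteTables"]
    subnets = {s["SubnetId"]: s for s in snapshot["Subnets"]}
    nats = {n["NatGatewayId"]: n for n in snapshot.get("NatGateways", [])}
    target = {sid: default_route_target(route_table_for(sid, tables)) for sid in subnets}
    findings = []
    for sid, role in roles.items():
        if role == "public" and target[sid] != "igw":
            findings.append(f"{sid}: intended public but default route target is '{target[sid]}'")
        if role == "private":
            if target[sid] == "igw":
                findings.append(f"{sid}: intended private but routes 0.0.0.0/0 to the Internet Gateway (it is public)")
            elif target[sid] != "nat":
                findings.append(f"{sid}: intended private but has no NAT Gateway default route ('{target[sid]}')")
            if subnets[sid].get("MapPublicIpOnLaunch"):
                findings.append(f"{sid}: intended private but auto-assigns public IPs at launch")
    # The NAT Gateway itself must be usable and must sit in a subnet that reaches the IGW.
    for nat_id, nat in nats.items():
        if nat.get("State") != "available":
            findings.append(f"{nat_id}: state is '{nat.get('State')}', not 'available'")
        if target.get(nat["SubnetId"]) != "igw":
            findings.append(f"{nat_id}: sits in {nat['SubnetId']}, which has no Internet Gateway default route")
    for table in tables:
        for route in table.get("Routes", []):
            if route.get("NatGatewayId") and route["NatGatewayId"] not in nats:
                findings.append(f"{table['RouteTableId']}: routes to unknown NAT Gateway {route['NatGatewayId']}")
    return sorted(findings)


def reassociate(snapshot: dict, subnet_id: str, table_id: str) -> dict:
    """Return a copy of the snapshot with `subnet_id` moved to route table `table_id`."""
    fixed = copy.deepcopy(snapshot)
    for table in fixed["RouteTables"]:
        table["Associations"] = [a for a in table["Associations"] if a.get("SubnetId") != subnet_id]
        if table["RouteTableId"] == table_id:
            table["Associations"].append({"SubnetId": subnet_id})
    return fixed


if __name__ == "__main__":
    for line in audit(SNAPSHOT, INTENDED_ROLES):
        print("FINDING:", line)
    print("after fix:", audit(reassociate(SNAPSHOT, "subnet-priv2", "rtb-private"), INTENDED_ROLES))
```

Against a real account, build `SNAPSHOT` from the three describe calls and `INTENDED_ROLES` from whatever tags or naming convention marks a subnet as public or private; the blackhole check is the one that catches the state left behind by Step 16 if the route is not cleaned up.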

Step 14: Connect to the Private Windows EC2 Instance using RDP

  1. From the Windows instance in the public subnet (the one you connected to in Step 11), open the Remote Desktop Connection client (search for "Remote Desktop Connection" in Windows).
  2. In the "Computer" field, enter the private IP address of the instance in the private subnet.
  3. Click "Connect."
  4. If prompted, enter the username and password for that instance. The username is typically "Administrator"; retrieve the password the same way as in Step 11.
  5. Click "OK."

Step 15: Testing your connectivity

  1. On the private-subnet instance, open the command prompt and run the command “ping 8.8.8.8 -t”.
  2. Replies mean packets are leaving through the NAT Gateway and the responses are being translated back to the instance; press Ctrl+C to stop the loop. If there are no replies, check in this order: the "PrivateSubnet" route table's 0.0.0.0/0 route targets the NAT Gateway and is not in a blackhole state, the NAT Gateway is in the public subnet and in the "Available" state, and the instance's security group and the subnet's network ACL allow outbound traffic and the return traffic.
  3. For a stronger test, confirm a TCP connection as well, for example by opening https://checkip.amazonaws.com in a browser on the instance. The address it reports should be the Elastic IP you attached to the NAT Gateway in Step 12, which proves the traffic is actually traversing the NAT Gateway.

Congratulations! You've given the private subnet outbound internet connectivity through a NAT Gateway in the public subnet, while the instance in the private subnet still has no public IP address and cannot be reached from the internet.

Step 16: Delete the NAT Gateway

  1. In "NAT Gateways", select your NAT Gateway and click the "Actions" button at the top of the screen.
  2. Choose "Delete NAT Gateway" from the drop-down menu. Deletion takes a few minutes; once the gateway is gone, the 0.0.0.0/0 route in the "PrivateSubnet" table shows a blackhole status, and only then can the Elastic IP be released.

Step 17: Release the Elastic IP

  1. With the selected Elastic IP, click the "Actions" button at the top of the screen.
  2. Choose "Release addresses" from the dropdown menu.

Step 18: Delete the VPC

  1. Terminate the EC2 instances in the VPC first; the VPC cannot be deleted while instances are still running in it.
  2. With the VPC selected, click the "Actions" button at the top of the screen.
  3. Choose "Delete VPC" from the dropdown menu. This also removes the subnets, route tables, security groups, and Internet Gateway that belong to the VPC.

Conclusion

This hands-on exercise shows how a NAT Gateway fits into a two-tier VPC: a public subnet whose default route goes to the Internet Gateway, a private subnet whose default route goes to a NAT Gateway placed in that public subnet, and route tables and security groups that keep the private instances unreachable from the internet while still letting them initiate outbound connections. The Elastic IP on the NAT Gateway gives those outbound connections a stable, known source address that external services can allow-list. Keep in mind what the design does not provide: the NAT Gateway translates addresses but does not filter outbound traffic, so egress restrictions still have to come from security groups, network ACLs, or a proxy. With that caveat, this pattern is a basic building block of secure and scalable AWS network designs, and one every cloud architect and administrator should be able to set up and verify.
