Lab Information
The Nautilus DevOps team is tasked with enabling internet access for an EC2 instance running in a private subnet. This instance should be able to upload a test file to a public S3 bucket once it can access the internet. To minimize costs, the team has decided to use a NAT Instance instead of a NAT Gateway.
The following components already exist in the environment:
1) A VPC named nautilus-priv-vpc and a private subnet named nautilus-priv-subnet have been created.
2) An EC2 instance named nautilus-priv-ec2 is already running in the private subnet.
3) The EC2 instance is configured with a cron job that uploads a test file to the S3 bucket nautilus-nat-28334 every minute. Upload will only succeed once internet access is established.
Your task is to:
Create a new public subnet named nautilus-pub-subnet in the existing VPC.
Launch a NAT Instance in the public subnet using an Amazon Linux 2 AMI and name it nautilus-nat-instance. Configure this instance to act as a NAT instance. Make sure to use a custom security group for this instance.
After the configuration, verify that the test file nautilus-test.txt appears in the S3 bucket nautilus-nat-28334. This indicates successful internet access from the private EC2 instance via the NAT Instance.
Lab Solutions
🔹 STEP 1: Create a Public Subnet
Go to VPC → Subnets → Create subnet
Configure:
VPC: nautilus-priv-vpc
Subnet name: nautilus-pub-subnet
AZ: any Availability Zone in the VPC's region
CIDR: e.g. 10.1.2.0/24 (must NOT overlap an existing subnet in the VPC)
Create subnet
Enable public IP auto-assign
Select nautilus-pub-subnet
Actions → Edit subnet settings
Enable:
✅ Auto-assign public IPv4 address
Save
🔹 STEP 2: Ensure an Internet Gateway Exists
Go to VPC → Internet Gateways
If none exists:
Create one (e.g. nautilus-igw)
Attach it to nautilus-priv-vpc
🔹 STEP 3: Create a Route Table for the Public Subnet
Go to VPC → Route Tables → Create route table
Configure:
Name: nautilus-pub-rt
VPC: nautilus-priv-vpc
Create
Add route to Internet
Edit routes → Add:
Destination: 0.0.0.0/0
Target: Internet Gateway
Associate with public subnet
Subnet associations β Edit
Select nautilus-pub-subnet
Save
🔹 STEP 4: Create a Security Group for the NAT Instance
EC2 → Security Groups → Create
Configure:
Name: nautilus-nat-sg
VPC: nautilus-priv-vpc
Inbound rules
Type         Source
All traffic  Private subnet CIDR (e.g. 10.1.0.0/16)
SSH          All traffic (anywhere); a tighter source such as your own address is preferable
Create SG.
🔹 STEP 5: Launch the NAT Instance
EC2 → Launch instance
Configure:
Basic
Name: nautilus-nat-instance
AMI: Amazon Linux 2
Instance type: t2.micro
Network
VPC: nautilus-priv-vpc
Subnet: nautilus-pub-subnet
Auto-assign public IP: Enabled
Security group: nautilus-nat-sg
Launch instance
🔹 STEP 6: Disable Source/Destination Check (CRITICAL)
Select nautilus-nat-instance
Actions → Networking → Change source/destination check
Disable it
Save
⚠️ If you skip this step, NAT will not work
🔹 STEP 7: Enable IP Forwarding on the NAT Instance
Connect to the NAT instance (via SSH or EC2 Instance Connect) and run:
# Turn on IPv4 forwarding now and make it persistent across reboots
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
# Masquerade traffic leaving through eth0 so replies return to the NAT instance
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Persist the rule with iptables-services so it survives a reboot
sudo yum install -y iptables-services
sudo service iptables save
sudo systemctl enable iptables
sudo systemctl start iptables
sudo systemctl status iptables
🔹 STEP 8: Update the Private Subnet Route Table
Go to VPC → Route Tables
Select the route table associated with nautilus-priv-subnet
Edit routes → Add:
Destination   Target
0.0.0.0/0     nautilus-nat-instance (select Instance, then the instance ID)
Save.
🧪 VERIFICATION (FINAL & IMPORTANT)
Wait 1–2 minutes (the cron job runs every minute)
Then check S3:
aws s3 ls s3://nautilus-nat-28334
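The same procedure as an AWS CLI script, added here as an example; it is not part of the original lab solution. It assumes the CLI is configured for the lab's region, that the VPC and private subnet carry the Name tags from the task, and that PUB_CIDR is free in the VPC (a constructed value). Step 7 is delivered as user data so no SSH rule is needed, and the MASQUERADE rule is scoped to the VPC's own addresses rather than everything the instance forwards.

```shell
# Added example (not the lab's own commands): AWS CLI equivalent of Steps 1-8 plus the final check.
# Assumes a configured CLI in the lab region and the Name tags from the task; PUB_CIDR is constructed.
set -eu
VPC_NAME=nautilus-priv-vpc; PRIV_SUBNET_NAME=nautilus-priv-subnet; BUCKET=nautilus-nat-28334
PUB_CIDR=${PUB_CIDR:-10.1.2.0/24}   # must not overlap an existing subnet of the VPC
nat_user_data() {  # Step 7 as a cloud-init script; masquerade only the VPC's own addresses ($1)
  printf '#!/bin/bash\nsysctl -w net.ipv4.ip_forward=1\necho "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-nat.conf\n'
  printf 'iptables -t nat -A POSTROUTING -s %s -o eth0 -j MASQUERADE\n' "$1"
  printf 'yum install -y iptables-services && service iptables save && systemctl enable --now iptables\n'
}
setup_nat() {
  q() { aws "$@" --output text; }   # every lookup below wants a plain-text value
  vpc=$(q ec2 describe-vpcs --filters "Name=tag:Name,Values=$VPC_NAME" --query 'Vpcs[0].VpcId')
  vpc_cidr=$(q ec2 describe-vpcs --vpc-ids "$vpc" --query 'Vpcs[0].CidrBlock')
  priv_subnet=$(q ec2 describe-subnets --filters "Name=tag:Name,Values=$PRIV_SUBNET_NAME" --query 'Subnets[0].SubnetId')
  # Step 1: public subnet that auto-assigns public IPv4 addresses
  pub_subnet=$(q ec2 create-subnet --vpc-id "$vpc" --cidr-block "$PUB_CIDR" --query Subnet.SubnetId \
    --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=nautilus-pub-subnet}]')
  aws ec2 modify-subnet-attribute --subnet-id "$pub_subnet" --map-public-ip-on-launch
  # Step 2: reuse the internet gateway already attached to the VPC, else create and attach one
  igw=$(q ec2 describe-internet-gateways --filters "Name=attachment.vpc-id,Values=$vpc" \
    --query 'InternetGateways[0].InternetGatewayId')
  if [ "$igw" = None ]; then igw=$(q ec2 create-internet-gateway --query InternetGateway.InternetGatewayId)
    aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"; fi
  # Step 3: public route table with a default route to the IGW
  pub_rt=$(q ec2 create-route-table --vpc-id "$vpc" --query RouteTable.RouteTableId)
  aws ec2 create-route --route-table-id "$pub_rt" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"
  aws ec2 associate-route-table --route-table-id "$pub_rt" --subnet-id "$pub_subnet"
  # Step 4: custom SG; only the VPC's address space may send traffic through the NAT (add tcp/22 from your own address only if you need SSH)
  sg=$(q ec2 create-security-group --group-name nautilus-nat-sg --description "NAT instance" \
    --vpc-id "$vpc" --query GroupId)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol all --cidr "$vpc_cidr"
  # Steps 5-6: launch the NAT instance (latest Amazon Linux 2 AMI via SSM) and disable src/dst check
  ami=$(q ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --query 'Parameters[0].Value')
  nat=$(q ec2 run-instances --image-id "$ami" --instance-type t2.micro --subnet-id "$pub_subnet" \
    --security-group-ids "$sg" --associate-public-ip-address --user-data "$(nat_user_data "$vpc_cidr")" \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=nautilus-nat-instance}]' \
    --query 'Instances[0].InstanceId')
  aws ec2 modify-instance-attribute --instance-id "$nat" --no-source-dest-check
  # Step 8: default route of the private subnet's table (falls back to the VPC main table) via the NAT
  priv_rt=$(q ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$priv_subnet" \
    --query 'RouteTables[0].RouteTableId')
  [ "$priv_rt" != None ] || priv_rt=$(q ec2 describe-route-tables --query 'RouteTables[0].RouteTableId' \
    --filters "Name=vpc-id,Values=$vpc" Name=association.main,Values=true)
  aws ec2 create-route --route-table-id "$priv_rt" --destination-cidr-block 0.0.0.0/0 --instance-id "$nat"
}
verify_upload() {  # returns 0 once the cron job's nautilus-test.txt is listed in the bucket
  aws s3 ls "s3://$BUCKET" | grep -q nautilus-test.txt
}
```

Run `setup_nat`, wait a minute or two for the cron job, then loop on `verify_upload` until it succeeds.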