In modern multi-tier architectures, some applications must reach the internet to serve users, while backend services such as databases need no internet access and should accept no inbound traffic. These backend services are placed in a private subnet, and the internet-facing applications are placed in a public subnet.
A NAT server provides the functionality of a NAT Gateway using an EC2 instance, launched from a NAT AMI, that runs in the public subnet, so that instances in the private subnet can reach the internet while only the required set of access is allowed. NAT instances are more cost-effective than a dedicated NAT Gateway.
Today we will see how to provide internet access to a database server that sits in the private subnet using a NAT instance.
Steps to Implement NAT Server
Step-1 – Create a custom VPC
Step-2 – Create Public and Private Subnets
Step-3 – Create Public and Private Route Tables
Step-4 – Create an Internet Gateway and attach it to the Demo-VPC
Step-5 – On the private route, there is no Internet access available
Step-6 – Create a DB instance or any private instance that you don’t want any direct internet access
Step-7 – Create a NAT server from Community AMI in AWS
Step-8 – Make sure the HTTP and HTTPS ports are open to the Internet
Step-9 – Make changes in source and destination check
Step-10 – Click on the checkmark to stop the source and destination check
Step-11 – Now add the instance id in the private route table to access the internet from the NAT server
Step-12 – Now SSH into the private instance using Bastion Host and try to ping google.com
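Steps 7 to 11 expressed as Terraform, since the post later mentions building environments as code; this is an added example, not the post's or CloudThat's own code. It assumes the VPC and subnets from Steps 1 to 6 already exist and are passed in as variables, and the NAT AMI ID is a placeholder you must supply.

```hcl
# Added example (not from the post). Assumes existing VPC and subnets from Steps 1 to 6.
variable "vpc_id"              { type = string }
variable "public_subnet_id"    { type = string }
variable "private_subnet_id"   { type = string }
variable "private_subnet_cidr" { type = string } # constructed, e.g. "10.0.2.0/24"
variable "nat_ami_id"          { type = string } # PLACEHOLDER: community NAT AMI ID
# Step 8: only the private subnet may send HTTP/HTTPS through the NAT instance;
# outbound NAT needs no inbound rule from the internet, so none is opened here.
resource "aws_security_group" "nat" {
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.private_subnet_cidr]
    }
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Steps 7, 9 and 10: NAT instance in the public subnet, with a public IP and
# the source/destination check disabled so it can forward traffic it did not originate.
resource "aws_instance" "nat" {
  ami                         = var.nat_ami_id
  instance_type               = "t3.micro"
  subnet_id                   = var.public_subnet_id
  vpc_security_group_ids      = [aws_security_group.nat.id]
  associate_public_ip_address = true
  source_dest_check           = false
}
# Step 11: the private subnet's default route points at the NAT instance's ENI.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_instance.nat.primary_network_interface_id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}
```

After `terraform apply`, Step 12 (SSH via the bastion and ping from the private instance) verifies that the route and the disabled source/destination check are both in effect.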
Why not simply place everything on a public subnet?
We hear this frequently and have considered it, particularly in non-critical contexts. It would solve the problem, and we would no longer need a NAT instance or NAT Gateway because each instance or service would have its own public IP address. We have decided against it for two key reasons.
Reason 1: Security should be tiered. We don’t want a single setup error to result in resources becoming publicly exposed overnight. An ideal Security Group and NACL would effectively do the same thing, but it’s important to keep those resources separated from the internet regardless of what is configured in the SG or NACL.
Furthermore, because our acceptance settings frequently include almost identical data as production environments, we are hesitant to accept a lesser degree of security.
Reason 2: We use Terraform to create our environments as code. Rather than migrating all resources to public subnets, it is significantly quicker and more consistent to simply swap a NAT Gateway for a NAT instance.
We have seen the utility of NAT Gateways: they provide outbound internet access for instances in private subnets, which is required for downloading packages, installing patches, and applying software updates, among other things.
Another advantage of employing a NAT Gateway is that it is very simple to add or remove, i.e., by adding or removing the route to the NAT Gateway in the route table, depending on our needs.
CloudThat is also an official AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner and a Microsoft Gold Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding the NAT server, NAT instance, or Amazon services, and I will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat’s offerings.
Q1. Is it possible to move the NAT instance to the NAT Gateway?
Ans: You may construct a NAT gateway in the same subnet as your NAT instance and then replace the current route in your route table that refers to the NAT instance with the NAT gateway route.
Q2. What is the difference between a NAT gateway and a NAT instance?
Ans: When a connection times out, a NAT gateway sends an RST packet to any resources trying to maintain the connection behind the NAT gateway (it does not send a FIN packet). When a connection times out, a NAT instance closes the connection by sending a FIN packet to resources behind the NAT instance.
Q3. Which is more cost-effective: a NAT gateway or a NAT instance?
Ans: Since AWS charges cross-AZ traffic within your VPC, you will generally want one for each availability zone. However, the cost of the NAT Instances will be cheaper than the cost of a NAT Gateway if you are pushing enough traffic.