{"id":12612,"date":"2022-06-06T05:54:54","date_gmt":"2022-06-06T05:54:54","guid":{"rendered":"https:\/\/blog.cloudthat.com\/?p=12612"},"modified":"2024-06-25T10:59:22","modified_gmt":"2024-06-25T10:59:22","slug":"nat-server-amazon-ec2","status":"publish","type":"blog","link":"https:\/\/www.cloudthat.com\/resources\/blog\/nat-server-on-amazon-ec2","title":{"rendered":"NAT Server on Amazon EC2"},"content":{"rendered":"\n\n\n\n\n\n\n\n\n\n
\n

TABLE OF CONTENT<\/strong><\/span><\/h2>\n<\/td>\n<\/tr>\n

1. Overview<\/a><\/td>\n<\/tr>\n
2. Architectural Diagram <\/a><\/td>\n<\/tr>\n
3. Steps to Implement NAT Server<\/a><\/td>\n<\/tr>\n
4. Why not simply place everything on a public subnet?<\/a><\/td>\n<\/tr>\n
5. Conclusion<\/a><\/td>\n<\/tr>\n
6. About CloudThat <\/a><\/td>\n<\/tr>\n
7. FAQs<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Overview<\/h2>\n

In modern multi-tier architectures, some applications are required to access the internet to serve users. Still, the backend services such as databases are not required to have internet access, and inbound traffic is not allowed. These backend services are placed in the private subnet, and the internet-facing applications are identified in the public subnet.<\/p>\n

NAT server provides the functionality of NAT Gateway using the instance by our own AMI that is running on EC2 in the public subnet so that access to the private subnet is enabled from the internet by restricting the required set of access. NAT instances are more cost-effective than dedicated NAT Gateway.<\/p>\n

Today we will see how to provide internet access to the database server that is present in the private subnet using the NAT instance.<\/p>\n

Architecture Diagram<\/h2>\n

\"NAT<\/a><\/p>\n

Steps to Implement NAT Server<\/h2>\n

Step-1 \u2013 <\/strong>Create a custom VPC<\/p>\n

\"NAT<\/a><\/p>\n

Step-2 \u2013 <\/strong>Create Public and Private Subnets<\/p>\n

\"NAT<\/a><\/p>\n

Step-3 \u2013 <\/strong>Create Public and Private Route Tables<\/p>\n

\"NAT<\/a><\/p>\n

Step-4 \u2013 <\/strong>Create an Internet Gateway and attach it to the Demo-VPC<\/p>\n

\"NAT<\/a><\/p>\n

Step-5 \u2013 <\/strong>On the private route, there is no Internet access available<\/p>\n

\"NAT<\/a><\/p>\n

Step-6 \u2013 <\/strong>Create a DB instance or any private instance that you don\u2019t want any direct internet access<\/p>\n

\"NAT<\/a><\/p>\n

Step-7 \u2013 <\/strong>Create a NAT server from Community AMI<\/strong> in AWS<\/p>\n

\"NAT<\/a><\/p>\n

Step-8 \u2013 <\/strong>Make sure HTTP and HTTPS ports must be open to the Internet<\/p>\n

\"NAT<\/a><\/p>\n

Step-9 \u2013 <\/strong>Make changes in source and destination check<\/p>\n

\"NAT<\/a><\/p>\n

Step-10 \u2013 <\/strong>Click on the checkmark to stop the source and destination check<\/p>\n

\"NAT<\/a><\/p>\n

Step-11 \u2013 <\/strong>Now add the instance id in the private route table to access the internet from the NAT server<\/p>\n

\"NAT<\/a><\/p>\n

Step-12 \u2013 <\/strong>Now SSH into the private instance using Bastion Host and try to ping google.com<\/p>\n

\"NAT<\/a><\/p>\n

Why not simply place everything on a public subnet?<\/h2>\n

We hear frequently and have considered this, particularly in non-critical contexts. It would fix the problem, and we would no longer require a NAT instance or NAT Gateway because each instance or service would have its own public IP address. We have decided against it for two key reasons.<\/p>\n