Sunday, August 30, 2015

amazon ec2 - Internet access from private VPC subnet?



My brain is a little bit fried trying to figure this out but I can't seem to get private subnets to connect to the internet to grab updates for example. Basically all I want is web access for these servers. I have tried solutions found in other posts but could easily be missing something since I have been looking at this for quite awhile.



So far I have done the following set up:




  • Disable source/destination checking on my NAT instance


  • Create a route table for public subnet and set its source to IGW (verified this works)

  • Create a route table for private subnet and set its source to the NAT instance

  • Create security group for NAT instance with inbound and outbound rules for 80/443 and ssh

  • Create security group for private instance with inbound and outbound 80/443 and ssh



I am able to jump on the NAT instance via SSH and then pivot onto the private server, so I know that much is working. I have verified my rules by pinging internal addresses but when I leave the local network that is when I start having problems.



Where do I need to look or what do I need to troubleshoot to help get this narrowed down? Is there some configuration that needs to be done on the NAT instance that I have overlooked?




EDIT: Configuration update




  • VPC: 172.16.0.0./16

  • Private subnet: 172.16.1.0/24

  • Public subnet: 172.16.0.0/24



Private subnet routing table:




Points to NAT instance in public subnet. Unable to access internet, attached EIP to public internet facing interface.



private vpc



Public subnet routing table:



Points the public subnet at the IGW, I have verified internet access.



enter image description here




Thoughts:



I'm starting to think there is something that needs to be set up or created on the NAT instance that lives in the public subnet to forward traffic from private instances, but I'm not exactly sure what needs to added. I found this post that explains adding a masquerade rule in iptables, is that something that apply to my situation?


Answer



yes, you must have iptables masquerading set up on the nat host.



iptables -A POSTROUTING -t nat -s (private-subnet/cidr) -j MASQUERADE



we have the same set up, you've done everything else correctly (disable source check, point private subnet to the interface of the nat instance, point public subnet to the igw).


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...