Network Address Translation (NAT) Instances, NAT Gateways, Egress only Internet Gateways and Bastion Hosts

1. How to let EC2 instances in a private subnet reach the internet to download software and patches
    1. NAT Instances:
      1. Launch NAT instance from NAT AMI in public subnet
2. Disable the source/destination check on the NAT instance (by default an instance drops packets that are not addressed to or from itself, so it could not forward traffic)
      3. Add a new route in the private subnet’s route table to send all traffic with destination 0.0.0.0/0 to the NAT instance (target)
4. Unlike an internet gateway, a NAT instance provides only one-way access to the internet (requests from inside and their responses), meaning nobody can initiate a connection from the internet into the private subnet
    2. NAT Gateway
1. IPv4; highly available and redundant (unlike a NAT instance)
      2. NO need to disable source/destination check
3. Needs an Elastic IP
      4. Add a new route in the private subnet’s route table to send all traffic with destination 0.0.0.0/0 to the NAT gateway (target)
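The following is an added example (not part of the original notes) that checks the wiring described in both the NAT-instance and the NAT-gateway steps above. The input dictionaries are constructed inline in the shape returned by `aws ec2 describe-route-tables`, `describe-instances` and `describe-nat-gateways`; all resource IDs (`subnet-public`, `i-natinstance`, `nat-example`, `igw-example`, `eipalloc-example`) are placeholders, and the sample NAT instance deliberately still has its source/destination check enabled so that the check reports it.

```python
"""Check the egress wiring of a private subnet through a NAT instance or a NAT
gateway: NAT in a public subnet, source/destination check off (instance only),
Elastic IP attached (gateway only), and the private subnet's 0.0.0.0/0 route
pointing at the NAT.

Added example, not from the original notes. The data is constructed inline in
the shape of `aws ec2 describe-route-tables`, `describe-instances` and
`describe-nat-gateways` output; all IDs are placeholders.
"""

# Constructed sample data: a public subnet holding a NAT instance and a NAT
# gateway, private subnet A routed via the instance, B via the gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-a", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-natinstance"}]},
    {"RouteTableId": "rtb-private-b", "Associations": [{"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]
# SourceDestCheck deliberately left at its default (True) so the check fires.
INSTANCES = {"i-natinstance": {"SubnetId": "subnet-public", "SourceDestCheck": True}}
NAT_GATEWAYS = {"nat-example": {"SubnetId": "subnet-public", "State": "available",
                                "NatGatewayAddresses": [{"AllocationId": "eipalloc-example"}]}}


def default_route(subnet_id, route_tables=ROUTE_TABLES):
    """Return the 0.0.0.0/0 route of the route table associated with the subnet, or None."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            for route in rtb["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return route
    return None


def is_public_subnet(subnet_id, route_tables=ROUTE_TABLES):
    """A subnet is public when its default route targets an internet gateway."""
    route = default_route(subnet_id, route_tables)
    return bool(route) and route.get("GatewayId", "").startswith("igw-")


def check_nat_instance(private_subnet_id, nat_instance_id,
                       route_tables=ROUTE_TABLES, instances=INSTANCES):
    """Problems with the NAT-instance wiring for a private subnet (empty list = OK)."""
    inst = instances.get(nat_instance_id)
    if inst is None:
        return [f"{nat_instance_id} not found"]
    problems = []
    if not is_public_subnet(inst["SubnetId"], route_tables):
        problems.append("NAT instance is not in a public subnet")
    if inst["SourceDestCheck"]:
        problems.append("source/destination check still enabled on NAT instance")
    route = default_route(private_subnet_id, route_tables)
    if not route or route.get("InstanceId") != nat_instance_id:
        problems.append("private subnet has no 0.0.0.0/0 route to the NAT instance")
    return problems


def check_nat_gateway(private_subnet_id, route_tables=ROUTE_TABLES, nat_gateways=NAT_GATEWAYS):
    """Problems with the NAT-gateway wiring for a private subnet (empty list = OK)."""
    route = default_route(private_subnet_id, route_tables)
    ngw_id = route.get("NatGatewayId") if route else None
    if not ngw_id:
        return ["private subnet has no 0.0.0.0/0 route to a NAT gateway"]
    ngw = nat_gateways.get(ngw_id)
    if ngw is None:
        return [f"{ngw_id} not found"]
    problems = []
    if ngw["State"] != "available":
        problems.append(f"NAT gateway state is {ngw['State']}")
    if not is_public_subnet(ngw["SubnetId"], route_tables):
        problems.append("NAT gateway is not in a public subnet")
    if not any(a.get("AllocationId") for a in ngw["NatGatewayAddresses"]):
        problems.append("NAT gateway has no Elastic IP allocated")
    return problems


if __name__ == "__main__":
    print("NAT instance:", check_nat_instance("subnet-private-a", "i-natinstance") or "OK")
    print("NAT gateway: ", check_nat_gateway("subnet-private-b") or "OK")
```

Run against real output by loading the JSON from the three `describe-*` calls in place of the constructed dictionaries. On the sample data the NAT-gateway path passes and the NAT-instance path reports only the source/destination check, which is exactly the step most often forgotten.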
  2. How to access your EC2 instances residing in a private subnet using SSH/RDP over internet
1. Egress-only internet gateway
      1. IPv6
    2. Bastion hosts
1. Bastion hosts allow you to access EC2 instances in a private subnet through SSH/RDP
      2. Bastion hosts live in public subnets
3. Allow SSH/RDP from the bastion host's security group by adding an inbound rule to the private subnet's security group that names the bastion's security group as the source
4. Use PuTTY agent forwarding to SSH to the bastion and then SSH on to the private-subnet EC2 instance, so the private key never has to be copied onto the bastion
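An added example (not part of the original notes) that audits step 3 of the bastion pattern: the private subnet's security group should admit SSH (22) and RDP (3389) only from the bastion's security group, never from a CIDR such as 0.0.0.0/0 or from an unrelated group. The groups are constructed inline in the shape of `aws ec2 describe-security-groups` output; `sg-bastion`, `sg-private-good`, `sg-private-bad` and `sg-app` are placeholder IDs.

```python
"""Audit security groups for the bastion pattern: private instances should
accept SSH (22) and RDP (3389) only from the bastion's security group.

Added example, not from the original notes. Groups are constructed inline in
the shape of `aws ec2 describe-security-groups` output; IDs are placeholders.
"""

ADMIN_PORTS = {22, 3389}

# Constructed sample groups (placeholder IDs).
BASTION_SG_ID = "sg-bastion"
PRIVATE_SG_GOOD = {
    "GroupId": "sg-private-good",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]},
    ],
}
PRIVATE_SG_BAD = {
    "GroupId": "sg-private-bad",
    "IpPermissions": [
        # SSH opened to the whole internet: the bastion is bypassed entirely.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # An "all traffic" rule from another group also covers 22 and 3389
        # (the API omits FromPort/ToPort for IpProtocol "-1").
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ],
}


def rule_covers_port(rule, port):
    """True if an inbound rule permits TCP traffic to `port` ("-1" = all protocols)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def admin_sources(sg):
    """Map each admin port to the set of sources (CIDRs or group IDs) allowed to reach it."""
    sources = {port: set() for port in ADMIN_PORTS}
    for rule in sg["IpPermissions"]:
        for port in ADMIN_PORTS:
            if rule_covers_port(rule, port):
                sources[port].update(r["CidrIp"] for r in rule.get("IpRanges", []))
                sources[port].update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
    return sources


def check_private_sg(sg, bastion_sg_id):
    """Return problems with a private-subnet security group (empty list = OK)."""
    problems = []
    for port, srcs in sorted(admin_sources(sg).items()):
        for src in sorted(srcs - {bastion_sg_id}):
            problems.append(f"port {port} reachable from {src}, not only from {bastion_sg_id}")
    return problems


if __name__ == "__main__":
    for sg in (PRIVATE_SG_GOOD, PRIVATE_SG_BAD):
        print(sg["GroupId"], check_private_sg(sg, BASTION_SG_ID) or "OK")
```

The check resolves port ranges and the all-protocols rule rather than matching rules literally, because a `0-65535` or `-1` rule exposes the admin ports just as surely as an explicit port-22 rule does.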
Copyright 2005-2016 KnowledgeHills.