This task started out sounding simple enough, but it took a good bit to wrap my head around, not to mention understanding Amazon's terminology and what each thing does. Also, based on our environment we are required to use a specific subnet, because it needs to communicate back to our data center. That means we could not use the Default VPC setup in the 172.31.0.0/16 range. Also, a quick note: you cannot customize the default VPC setup…
Here is how I got Internet access to the private instances:
Create a non-default VPC with our own subnet.
Create 2 subnets.
One will be for internet access/public facing and the other is the private subnet where my instances are.
Create 2 route tables
One is for the public internet-facing subnet and the other routing table is for our private subnet.
Create an Internet Gateway
Get an Elastic IP address
Create a NAT Gateway and attach it to the Elastic IP
If you just want the meat and potatoes, then read this…
In an Amazon VPC you have to have 2 subnets if you want some instances to stay private and yet get internet access.
So the flow works like this: all Internet traffic in the private subnet gets routed to the NAT Gateway. You would need a rule that looks like this.
The NAT Gateway then finds the Internet Gateway automatically. There is nothing to configure for this routing specifically; somehow it just knows where it is.
The Internet Gateway resides on the public subnet, so you have to have 2 routing tables to direct the traffic.
The public routing table should be the main one. Then make sure you have a route pointing all traffic to the Internet Gateway.
Once this configuration is in place your private instances will have internet access, all without being accessible from the Internet. Make sure to configure your network ACLs and security groups, as these are set to deny by default.
Now that the fundamentals are in place, let’s dig into the configuration side. We will go over this as if you were going to do this step by step.