What type of gateway do instances in a private subnet need to have internet connectivity?
Internet Gateway
An Internet Gateway is a logical connection between an Amazon VPC and the Internet. It is not a physical device. Only one can be associated with each VPC. It does not limit the bandwidth of Internet connectivity. (The only limitation on bandwidth is the size of the Amazon EC2 instance, and it applies to all traffic -- internal to the VPC and out to the Internet.) If a VPC does not have an Internet Gateway, then the resources in the VPC cannot be accessed from the Internet (unless the traffic flows via a corporate network and VPN/Direct Connect). A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway. You can learn more about this in the AWS Training.

NAT Instance

A NAT Instance is an Amazon EC2 instance configured to forward traffic to the Internet. It can be launched from an existing AMI, or can be configured via User Data like this:

#!/bin/sh

Instances in a private subnet that want to access the Internet can have their Internet-bound traffic forwarded to the NAT Instance via a Route Table configuration. The NAT Instance will then make the request to the Internet (since it is in a Public Subnet) and the response will be forwarded back to the private instance. Traffic sent to a NAT Instance will typically be addressed to an IP that is not the NAT Instance's own (it is destined for a server on the Internet). Therefore, it is important to turn off the Source/Destination Check option on the NAT Instance; otherwise the traffic will be blocked.

NAT Gateway

AWS introduced a NAT Gateway service that can take the place of a NAT Instance. The benefits of using a NAT Gateway service are:
However:
For a more detailed demarcation and a simplified explanation, check this out: https://www.youtube.com/watch?v=XjPUyGKRjZs

Introduction

Networking in AWS is complicated. Understanding AWS networking concepts and how they work together is essential to ensure that your services are secure and have Internet connectivity. Before looking at the differences between an Internet Gateway and a NAT Gateway, let's go through the AWS networking fundamentals.
AWS Virtual Private Cloud (VPC)

A VPC is your private network within AWS. A VPC isolates your resources from everyone else's. Each AWS account comes with a default VPC that is pre-configured for you to start using immediately. A VPC can span multiple availability zones in a region. A VPC only exists in one AWS region.

CIDR Blocks

When creating a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block. E.g., 172.31.0.0/16 is the primary CIDR block for your VPC. It defines 65536 IPv4 addresses in your VPC.

Subnets

A subnet is a range of IP addresses in your VPC. The subnet must use a CIDR block that falls within the assigned VPC. You can create multiple subnets within a VPC. A subnet can logically group resources based on your requirements. There are two types of subnets:

- Public Subnet: Resources in a public subnet can be accessed from the public Internet.
- Private Subnet: Resources in a private subnet cannot communicate with the public Internet.

Route Table

Route Tables contain the rules (routes) determining how network traffic will be directed within your VPC and subnet. Each subnet is linked to one Route Table.

What is Network Address Translation?

Network Address Translation (NAT) allows you to map multiple local private addresses to a single public IP address. The NAT device acts as an intermediary between the local, private network and the public Internet.

Internet Gateway

An Internet Gateway is a VPC component that allows communication between your VPC and the Internet. It is a logical connection between an AWS VPC and the Internet; there is no underlying physical resource. Each VPC has only one Internet Gateway. If a VPC doesn't have an Internet Gateway, then its resources cannot be accessed from the Internet. A Public Subnet is a subnet that is associated with a route table that directs traffic to an Internet Gateway. Therefore, it's important to ensure that your route tables are configured correctly.
Why is an IGW important?
Pricing

An Internet Gateway is simply a logical router to the Internet for a VPC. You pay for all outbound Internet traffic, but there is no fee directly associated with the IGW.

NAT Instance

A NAT Instance is a self-managed Amazon EC2 instance that is configured to act as the intermediary between your private subnet and the public Internet. The NAT instance has to be in the public subnet. Instances in a private subnet that want to access the Internet will forward their Internet-bound traffic to the NAT instance using the Route Table configuration. Since such an instance is self-managed, you are responsible for configuring routing and updating the software, amongst other similar tasks.

NAT Gateway

A NAT (Network Address Translation) Gateway is a managed AWS service that lets instances in a private subnet connect to services outside the VPC. These private resources don't allow any inbound traffic from the public Internet. NAT Gateway was introduced so that users no longer have to manage their own NAT instance. The benefits of using a NAT Gateway service are:
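As an added example (not code from the original page or from AWS), the following Python model shows the address translation described above: one public (Elastic) IP fronts a private subnet, the translation table is populated only by outbound traffic, replies from the same remote endpoint are mapped back to the originating private host, and any other inbound packet is dropped. The addresses are constructed values from the documentation ranges; the class and field names are my own.

```python
"""Toy model of NAT as used by a NAT Instance or NAT Gateway (constructed example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatDevice:
    """Maps many private (ip, port) pairs onto one public IP with distinct ports."""

    def __init__(self, public_ip: str, private_cidr: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_cidr)
        self.next_port = first_port
        # public-side (proto, nat_port) -> (private ip, private port, remote ip, remote port)
        self.table: dict = {}
        # private-side flow -> nat_port, so a flow keeps its mapping across packets
        self.reverse: dict = {}
        self.dropped: list = []

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private subnet; returns the packet the Internet sees."""
        if ipaddress.ip_address(pkt.src_ip) not in self.private_net:
            raise ValueError(f"{pkt.src_ip} is not inside {self.private_net}")
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.reverse:
            nat_port = self.next_port
            self.next_port += 1
            self.reverse[flow] = nat_port
            self.table[(pkt.proto, nat_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, self.reverse[flow], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Handle a packet arriving from the Internet.

        Returns the de-translated packet for a known flow, or None when the packet is
        dropped: wrong destination, no table entry (unsolicited connection attempt), or
        a reply from a different remote endpoint than the one the private host contacted.
        """
        entry = self.table.get((pkt.proto, pkt.dst_port)) if pkt.dst_ip == self.public_ip else None
        if entry is None or (pkt.src_ip, pkt.src_port) != (entry[2], entry[3]):
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


if __name__ == "__main__":
    nat = NatDevice("203.0.113.10", "10.0.1.0/24")   # constructed EIP and private subnet
    out = nat.outbound(Packet("10.0.1.5", 40000, "198.51.100.7", 443))
    print("on the wire:", out)
    print("reply:", nat.inbound(Packet("198.51.100.7", 443, "203.0.113.10", out.src_port)))
    print("unsolicited:", nat.inbound(Packet("198.51.100.9", 22, "203.0.113.10", 5555)))
```

The model is endpoint-dependent on purpose: a reply is only accepted from the host and port the private instance originally contacted, which is the property that lets private database servers fetch updates while nothing on the Internet can open a connection to them.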
NAT Gateway allows two connectivity types:
This article will focus on the Public NAT Gateway to keep things simple. A Public NAT gateway is created in a Public Subnet. An Elastic IP address is associated with the NAT Gateway when it is created. If you have multiple Availability Zones (AZs) in your AWS architecture, you must create a separate NAT Gateway in each AZ. A NAT Gateway relies on your Route Tables to be able to route traffic to the public Internet. It is important to create a route from the NAT Gateway to the Internet Gateway to ensure proper Internet connectivity.

How does request routing work with a NAT Gateway?
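The routing rules stated in the sections above (a subnet is public when its route table sends 0.0.0.0/0 to an Internet Gateway, a private subnet reaches the Internet only through a NAT Gateway that itself sits in a public subnet, and every subnet CIDR must fall inside the VPC CIDR) can be checked offline against exported configuration. The following Python audit is an added example, not code from the page or from AWS; its input is constructed to match the field names of `aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways` output, while the resource IDs and CIDRs are made up, and `subnet-bad` and `nat-0bbb` are deliberately misconfigured.

```python
"""Offline audit of public/private subnet routing (constructed example)."""
import ipaddress

VPC_CIDR = "172.31.0.0/16"

# Constructed sample shaped like the AWS API output; IDs are placeholders.
SUBNETS = [
    {"SubnetId": "subnet-pub1", "CidrBlock": "172.31.0.0/24"},
    {"SubnetId": "subnet-priv1", "CidrBlock": "172.31.1.0/24"},
    {"SubnetId": "subnet-priv2", "CidrBlock": "172.31.2.0/24"},
    {"SubnetId": "subnet-bad", "CidrBlock": "10.0.9.0/24"},      # outside the VPC block
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa", "SubnetId": "subnet-pub1"},
    {"NatGatewayId": "nat-0bbb", "SubnetId": "subnet-priv2"},    # misplaced in a private subnet
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv1"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
    {"RouteTableId": "rtb-priv2", "Associations": [{"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
]


def route_table_for(subnet_id, route_tables):
    """Explicitly associated route table, else the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """The 0.0.0.0/0 route of a table, or None if the table has no Internet egress."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def classify_subnets(subnets, route_tables):
    """'public' when the default route targets an igw-*, otherwise 'private'."""
    kinds = {}
    for s in subnets:
        rt = route_table_for(s["SubnetId"], route_tables)
        route = default_route(rt) if rt else None
        is_public = route is not None and str(route.get("GatewayId", "")).startswith("igw-")
        kinds[s["SubnetId"]] = "public" if is_public else "private"
    return kinds


def audit(vpc_cidr, subnets, route_tables, nat_gateways):
    """Return a list of human-readable findings; an empty list means the layout is consistent."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc_cidr)
    kinds = classify_subnets(subnets, route_tables)
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    for s in subnets:
        sid = s["SubnetId"]
        if not ipaddress.ip_network(s["CidrBlock"]).subnet_of(vpc_net):
            findings.append(f"{sid}: CIDR {s['CidrBlock']} is outside the VPC block {vpc_cidr}")
        if kinds[sid] == "public":
            continue
        rt = route_table_for(sid, route_tables)
        route = default_route(rt) if rt else None
        if route is None or "NatGatewayId" not in route:
            continue  # isolated subnet: no Internet egress, which is a valid choice
        nat_id = route["NatGatewayId"]
        if nat_id not in nat_subnet:
            findings.append(f"{sid}: default route targets unknown NAT gateway {nat_id}")
        elif kinds.get(nat_subnet[nat_id]) != "public":
            findings.append(f"{sid}: NAT gateway {nat_id} sits in {nat_subnet[nat_id]}, "
                            "which has no route to an Internet Gateway")
    return findings


if __name__ == "__main__":
    for line in audit(VPC_CIDR, SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print(line)
```

On real output, feed the `Subnets`, `RouteTables` and `NatGateways` arrays from the CLI JSON into `audit`; the second finding is the one that matters most in practice, because a NAT Gateway placed in a subnet without an IGW route silently gives its private subnets no Internet path at all.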
Pricing

Unlike the Internet Gateway (IGW), a NAT Gateway incurs charges based on the creation and the usage of the NAT Gateway in the user's account. More details about NAT Gateway pricing can be found here.

Conclusion

To summarize, the key differences between an Internet Gateway and a NAT Gateway are:
How can instances in a private subnet access the Internet?

Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot establish connections to the database servers.

Can we attach an Internet Gateway to a private subnet?

Instances in the private subnet can't communicate with the Internet over the Internet Gateway, even if they have public IP addresses. To provide your instances with Internet access without assigning them public IP addresses, you can use a NAT device instead.

What does a private subnet need?

A private subnet is a subnet that is associated with a route table that doesn't have a route to an Internet Gateway. Instances in the private subnet are backend servers; they don't accept traffic from the Internet.

Does a NAT Gateway need an Internet Gateway?

An Internet Gateway is required to provide Internet access to the NAT Gateway. However, some customers use their NAT Gateways with Transit Gateway or a virtual private gateway to communicate privately with other VPCs or on-premises environments and thus do not need an Internet Gateway attached to their VPCs.