Is This the Correct Way to Setup AWS Private Subnet -> NAT -> Internet

We want our internal private EC2 instances to have access to the internet so they can download software and install security patches. Of course, out of the box, your private subnet servers will not have access to the internet. I followed these AWS instructions and I was hoping that someone could confirm that this is set up correctly.


Overview

  • The new public NAT needed to be installed in a subnet that had a route to the internet gateway. This means that I had to leave us-east-1f to use the default main routing table and install the NAT in the public subnet of 1f.
  • I then created a new routing table for subnets 1a through 1e that sends traffic through the NAT in 1f.
  • Now both the public and private instances in 1a through 1e can access the public internet.

Concerns

  • It seems odd that I have to reserve subnet us-east-1f for this NAT and that I cannot place private EC2 instances in 1f if I want them to be able to download security updates.
  • All of my other subnets now have a dependency on 1f. If 1f goes down, all public external networking traffic will also go down.

Any thoughts or concerns on this setup? Is it correct?

Score:2

You can have both a private and public subnets in us-east-1f. That availability zone does not need to be "reserved" for your public subnet. Your private subnet in us-east-1f will go through the NAT in the public subnet in us-east-1f.

Also, you chose to use a single NAT in a single AZ. Yes, this creates a single-point-of-failure.

To spread the risk, create multiple NATs across multiple AZs, and have each AZ route outgoing traffic to the local NAT.

YoungDinosaur: How do you set up a route in 1f that only affects the private subnet and sends the private subnet traffic to the NAT? To me, it looks like you can only define a single routing table to a subnet, and it affects both the private and public parts of the subnet.

Each subnet is only private or public. It is not both. Each subnet can have its own routing table. So the public subnet routes outbound traffic to the Internet Gateway, and the private subnet routes outbound traffic to the NAT.

Please see this for reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

YoungDinosaur: Thank you, this helped. My confusion was around the fact that there is no public or private setting when you create a subnet. The only setting that really affects that is the "Auto-assign public IPv4 address" setting when you click edit on the subnet, and even that doesn't really force a public or private subnet. It seems like you just have to treat the subnet as public or private based on having a NAT route or an Internet Gateway route. I had to delete my six subnets and start over with 12 subnets: two for each AZ, with a NAT in each public subnet.
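The rule from this answer (a subnet is public or private purely by where its 0.0.0.0/0 route points, and each private subnet should use a NAT in its own AZ) can be checked mechanically. The following is an added example, not code from the thread or from AWS: a small Python audit over route-table data in the shape of `aws ec2 describe-route-tables` output, with constructed subnet, NAT and IGW ids that reproduce the asker's original single-NAT-in-1f layout. It classifies each subnet by its default route and flags private subnets whose NAT lives in another AZ, which is exactly the single point of failure raised in the question.

```python
# Constructed sample data shaped like `aws ec2 describe-route-tables` output
# (ids are made up). Layout from the question: one NAT gateway, in us-east-1f only.
SUBNET_AZ = {"subnet-pub-1a": "us-east-1a", "subnet-priv-1a": "us-east-1a",
             "subnet-pub-1f": "us-east-1f", "subnet-priv-1f": "us-east-1f"}
NAT_AZ = {"nat-1f": "us-east-1f"}  # NAT gateway id -> AZ it lives in
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-1a"}, {"SubnetId": "subnet-pub-1f"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-1a"}, {"SubnetId": "subnet-priv-1f"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1f"}]},
]

def default_route(routes):
    """Return the 0.0.0.0/0 entry, or None if the table gives no internet egress."""
    return next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def audit_egress(route_tables, subnet_az, nat_az):
    """Classify each subnet as 'public' (-> IGW), 'private' (-> NAT) or 'isolated'.
    Returns {subnet_id: (kind, note)}; a private subnet whose NAT is in another AZ
    gets a 'depends on ...' note, since that AZ becomes a SPOF for its egress."""
    result = {}
    for rtb in route_tables:
        route = default_route(rtb["Routes"])
        for assoc in rtb["Associations"]:
            sid = assoc.get("SubnetId")
            if sid is None:          # main-table association carries no SubnetId
                continue
            if route is None:
                result[sid] = ("isolated", "no 0.0.0.0/0 route")
            elif route.get("GatewayId", "").startswith("igw-"):
                result[sid] = ("public", "default route -> internet gateway")
            elif "NatGatewayId" in route:
                nat = route["NatGatewayId"]
                if nat_az.get(nat) == subnet_az.get(sid):
                    result[sid] = ("private", "NAT in same AZ")
                else:
                    result[sid] = ("private", f"depends on {nat} in {nat_az.get(nat)}")
            else:
                result[sid] = ("unknown", f"default route target: {route}")
    return result

def cross_az_nat_dependencies(audit):
    """Private subnets whose outbound path dies with another AZ (the SPOF concern)."""
    return sorted(s for s, (kind, note) in audit.items()
                  if kind == "private" and note.startswith("depends on"))
```

Running `cross_az_nat_dependencies(audit_egress(ROUTE_TABLES, SUBNET_AZ, NAT_AZ))` on the sample returns `['subnet-priv-1a']`; after adding a NAT per AZ and a per-AZ private route table, as the answer recommends, the list is empty.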
Score:1

If you want to build a VPC using all best practices while covering multiple AZs with public and private subnets I strongly suggest you use this CloudFormation template.

https://docs.aws.amazon.com/codebuild/latest/userguide/cloudformation-vpc-template.html

Really simple process to follow, and it does pretty much everything for you while only taking five minutes to complete.
