Tags Archives: igw

AWS Gateways

IGW or Internet Gateway

 

IGW allows in/outbound traffic to internet from private subnet vpc. can be configured for in and outbound separately.

 

 

Bastion Hosts

 

Bastion Host is an EC2 instance in the public subnet which allows users to ssh to the bastion host and then from there to private instances on the private subnet – that is, it is connected to the private subnets as well as the public subnet but controls traffic between the two.

 

 

 

NAT Instances

 

important for exam!
these are outdated but still appear in the exam

 

Network Address Transation, allows Ec2 instances in private subnets to connect to the public internet

 

must be launched in a PUBLIC subnet and will connect public and private subnets.

 

must disable ec2 setting source /destination check

 

must have an Elastic IP attached to it

 

you create a security group in the public subjet for the nat instance with the eip.

 

this nat instance then connects to the private subnet ec2 instance and with that beyond.

 

 

NATs change the source ip of the network packets – they rewrite the packet headers that are sent out to the public internet

 

so the route tables must be configured to route traffic from private subnet to the nat instance.

 

so you have internet -> igw in the vpc -> router – connects to the AZ SG EC2 eip NAT Instance public instance

-> and from there to the private subnets beyond in the same vpc

 

pre configured amazon AMI for nat instance is available but is no longer supported as deprecated.

 

not highly available, you have to create an asg in multi az and user data script as needed

 

you must manage security groups and rules for the instance:

 

 

for inbound:

 

 

allow http/https traffic coming in from private subnets

 

allow ssh from eg home network via igw

 

outbound

 

allow https/http traffic to the internet

 

 

NATGW – NAT Gateway

 

– different to NAT instances

 

they are an AWS managed NAT service, with higher bandwidth and high availability, no admin overhead

 

pay per hour for usage/bandwidth

 

NATGW is created in a public subnet in a specified AZ and uses an EIP elastic ip

 

CANNOT be used by an ec2 instance in same subnet – only from other subnets

 

requires an IGW: private subnet -> NATGW -> IGW

 

5gbps bandwidth with auto scaling can get up to 45gbps

 

NO security groups needed to manage!

 

 

a NATGW is resilient only within a single AZ, so you have to create multiple NATGWs for multiple AZs for fault tolerance, each one has to be placed in a public subnet in each AZ and then connects to private subnet within that AZ!

 

 

aws manages the NATGW, whereas for a NAT Instance (old method) – YOU have to manage it – ie updates, patches etc.

 

 

important for exam:

 

unlike NAT Instances – a NATGW cannot be used as a bastion host and it does not use security groups!

 

and for NAT instances you must use a script to manage failover between instances, whereas NATGW is highly available within the AZ

 

 

Continue Reading