Tags Archives: NAT

AWS NAT Gateways and NAT Instances

NAT Instances and NAT Gateways – What’s the Difference?

 

Network Address Translation (NAT) is a method for resources located in private subnets to securely access the internet.

 

There are two flavours of NAT available on AWS: NAT Instances & NAT Gateways.

 

But generally speaking, you should choose a NAT gateway rather than a NAT Instance.

 

This page explains both types of NAT device and the pros and cons of each.

 

AWS provides for NAT configuration in 2 ways:

NAT Gateway or NATGW – a service managed by AWS

NAT Instance – an EC2 instance configured with NAT routing capability and managed by the customer.

 

Thus AWS manages the NATGW, whereas for a NAT Instance (old method) – YOU have to manage it – ie updates, patches etc.

 

Note that (important for exam):

 

unlike NAT Instances – a NATGW cannot be used as a bastion host and it does not use security groups!

 

and for NAT *Instances* you must use a script to manage failover between instances, whereas NATGW is highly available within the AZ.

 

 

NAT Instances require a security group, whereas none are required for a NATGW.

 

Some points about public and private subnets

 

Some applications and services may need to allow incoming traffic from the Internet to have access to them. A public subnet can be used for this.

 

Other services or applications may only need internet access, but do not wish to permit any inbound traffic from the Internet. These services can be located on a private subnet.

 

A public subnet is any subnet that has a route to an Internet Gateway or IGW and with that to the public Internet. The allows traffic directed for the Internet to have an outbound path, and for inbound Internet traffic to be routed to the services and applications in the subnet.

 

A private subnet is any subnet that doesn’t have a route to an IGW (that is, any subnet that is not public). Thus they have no means of communicating with the Internet.

 

For this purpose, NAT Gateways and NAT Instances can be deployed. These provide a means for a private subnet to access to Internet.

An Internet Gateway (IGW) is a VPC virtual device or resource that allows communication between the VPC and the Internet. IGWs are horizontally scaled, redundant, and highly available.

 

IGWs are effectively a router located on the edge of a network. Without an IGW, no resource in a VPC can access the internet, not even with a public IP address.

 

There is no charge for IGWs, and it is only possible to allocate one IGW per VPC. Each AWS account’s default VPC comes with an IGW already defined.

 

 

NAT Instances

 

 

These are outdated but still appear in the exam (2022).

NAT instances must be launched in a PUBLIC subnet and will connect public and private subnets.

 

NAT Instances are user maintained and NAT Gateways (NATGW) are managed by AWS.

 

One reason for choosing a NAT instance over a NAT gateway would be for updating software running on instances located within a private subnet.

 

You must disable ec2 setting source /destination check

A NAT Instance must have an Elastic IP (EIP) attached to it

 

You create a security group in the public subnet for the NAT instance with the EIP. This NAT instance then connects to the private subnet EC2 instance and with that beyond.

 

NATs change the source ip of the network packets – they rewrite the packet headers that are sent out to the public internet – so the route tables must be configured to route traffic from private subnet to the NAT instance.

 

so you have internet -> igw in the vpc -> router – connects to the AZ SG EC2 EIP NAT Instance public instance

 

-> and from there to the private subnets beyond in the same vpc

 

Pre-configured Amazon AMIs for NAT instance are available but are no longer supported as deprecated.

They are also not highly available, so you have to create an ASG in multi AZ and also deploy your user data script if/as needed.

 

And you must manage security groups and rules for the instance.

 

This means for inbound:

 

allow http/https traffic coming in from private subnets

 

allow ssh from eg home network via IGW

 

and for outbound:

 

allow https/http traffic to the internet

 

Similar to a NAT Gateway, a NAT Instance has to be located in a public subnet, and a private subnet will need a route to the NAT Instance in order to have internet access.

 

 

NAT Gateway (NATGW)

 

A NAT Gateway is an AWS service that allows a private subnet to access the Internet, but prevents the Internet from initiating a connection directly to the instances.

 

While a NATGW is required for private subnets to have Internet access, it is created in a public subnet in a specified AZ and uses an Elastic IP (EIP). There is an hourly cost for a NATGW unlike for IGWs or Internet Gateways.

 

These are different from NAT instances in that they are an AWS-managed NAT service, with higher bandwidth and high availability. They have no admin overhead for the user.

 

A NATGW CANNOT be used by an EC2 instance in the same subnet – only from other subnets

 

It requires an IGW: private subnet -> NATGW -> IGW

 

 

NATGW has 5gbps bandwidth but with Auto Scaling can reach up to 45gbps

 

NO security groups are needed to run a NATGW.

 

NOTE: a NATGW is resilient only within a single AZ, so you have to create multiple NATGWs for multiple AZs for fault tolerance, each one has to be placed in a public subnet in each AZ and then connects to a private subnet within that AZ!

 

To set up a NATGW, assign a route in the private subnet, in lieu of a route to an IGW or Internet Gateway. Traffic intended for the Internet will flow from the private subnet to the NATGW in the public subnet, and then from there to the IGW or Internet Gateway.

 

 

To summarize:

 

 

For a PUBLIC subnet to have Internet access, inbound and outbound, an account needs to have:

 

an Internet Gateway attached to a VPC

 

a route to the Internet Gateway in the attached route table

 

Instances must have public IP addresses (either auto-assigned or attached Elastic IP addresses)

 

an appropriate security group and NACL allowances

 

 

For a PRIVATE subnet to have Internet access, the following will provide outbound Internet access but not inbound:

 

 

Internet Gateway attached to a VPC

 

NAT Gateway or Instance in a public subnet in the same VPC

 

Route to the NAT Gateway or Instance in the private subnet’s attached route table

 

Appropriate security group and NACL allowances

 

 

 

Continue Reading

AWS Gateways

IGW or Internet Gateway

 

IGW allows in/outbound traffic to internet from private subnet vpc. can be configured for in and outbound separately.

 

 

Bastion Hosts

 

Bastion Host is an EC2 instance in the public subnet which allows users to ssh to the bastion host and then from there to private instances on the private subnet – that is, it is connected to the private subnets as well as the public subnet but controls traffic between the two.

 

 

 

NAT Instances

 

important for exam!
these are outdated but still appear in the exam

 

Network Address Transation, allows Ec2 instances in private subnets to connect to the public internet

 

must be launched in a PUBLIC subnet and will connect public and private subnets.

 

must disable ec2 setting source /destination check

 

must have an Elastic IP attached to it

 

you create a security group in the public subjet for the nat instance with the eip.

 

this nat instance then connects to the private subnet ec2 instance and with that beyond.

 

 

NATs change the source ip of the network packets – they rewrite the packet headers that are sent out to the public internet

 

so the route tables must be configured to route traffic from private subnet to the nat instance.

 

so you have internet -> igw in the vpc -> router – connects to the AZ SG EC2 eip NAT Instance public instance

-> and from there to the private subnets beyond in the same vpc

 

pre configured amazon AMI for nat instance is available but is no longer supported as deprecated.

 

not highly available, you have to create an asg in multi az and user data script as needed

 

you must manage security groups and rules for the instance:

 

 

for inbound:

 

 

allow http/https traffic coming in from private subnets

 

allow ssh from eg home network via igw

 

outbound

 

allow https/http traffic to the internet

 

 

NATGW – NAT Gateway

 

– different to NAT instances

 

they are an AWS managed NAT service, with higher bandwidth and high availability, no admin overhead

 

pay per hour for usage/bandwidth

 

NATGW is created in a public subnet in a specified AZ and uses an EIP elastic ip

 

CANNOT be used by an ec2 instance in same subnet – only from other subnets

 

requires an IGW: private subnet -> NATGW -> IGW

 

5gbps bandwidth with auto scaling can get up to 45gbps

 

NO security groups needed to manage!

 

 

a NATGW is resilient only within a single AZ, so you have to create multiple NATGWs for multiple AZs for fault tolerance, each one has to be placed in a public subnet in each AZ and then connects to private subnet within that AZ!

 

 

aws manages the NATGW, whereas for a NAT Instance (old method) – YOU have to manage it – ie updates, patches etc.

 

 

important for exam:

 

unlike NAT Instances – a NATGW cannot be used as a bastion host and it does not use security groups!

 

and for NAT instances you must use a script to manage failover between instances, whereas NATGW is highly available within the AZ

 

 

Continue Reading

Setting up NAT Networking on Oracle Virtualbox on CentOS

First define a nat network under tools — preferences – network and give it a name, I called it NatNetwork.

 

Then right click on properties, and define the ip of the subnet – a new one just for NatNetwork, I chose 10.0.5.0

 

Next go to each VM and add a network adapter connected to NatNetwork

 

and select the network you created.

 

To enable IP packet forwarding please edit /etc/sysctl.conf with your editor of choice and set:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

You can then verify your settings with:
/sbin/sysctl -p

 

on each machine

 

sysctl -w net.ipv4.ip_forward=1

 

you also have to put it in the /etc/sysctl.d/sysctl.conf file! otherwise it does not take effect -and do:

 

root@router:/etc/netplan# sysctl –system

 

I did it with:

 

 

[root@clusterserver sysctl.d]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@clusterserver sysctl.d]#

 

[root@clusterserver sysctl.d]# /sbin/sysctl -p
net.ipv4.ip_forward = 1
[root@clusterserver sysctl.d]#
root@router:/etc/netplan# sysctl –system

 

 

NOTE with centos and nmcli you have to first add a new connection:

 

[root@clusterserver network-scripts]# nmcli dev status
DEVICE TYPE STATE CONNECTION
enp0s3 ethernet connected enp0s3
enp0s8 ethernet connected enp0s8
virbr0 bridge connected (externally) virbr0
enp0s10 ethernet disconnected —
lo loopback unmanaged —
virbr0-nic tun unmanaged —

 

[root@clusterserver network-scripts]#
[root@clusterserver network-scripts]#
[root@clusterserver network-scripts]# nmcli con add type ethernet con-name enp0s10 ifname enp0s10 ip4 10.0.5.10
Connection ‘enp0s10’ (392ee518-be1b-4498-885c-cacef2e295d9) successfully added.
[root@clusterserver network-scripts]#

 

Unter CentOS a “connection” is not the same as a network interface, I have used the same name for the connection here, but it can be labeled differently.

 

then it looks like this:

 

[root@clusterserver network-scripts]#
[root@clusterserver network-scripts]# nmcli dev status
DEVICE TYPE STATE CONNECTION
enp0s3 ethernet connected enp0s3
enp0s10 ethernet connected enp0s10
enp0s8 ethernet connected enp0s8
virbr0 bridge connected (externally) virbr0
lo loopback unmanaged —
virbr0-nic tun unmanaged

 

Note that manual changes to the ifcfg file will not be noticed by NetworkManager until the interface is next brought up.

 

So, you have to do a

 

nmcli con down enp0s10 && nmcli con up enp0s10

 

[root@clusterserver network-scripts]# nmcli con down enp0s10 && nmcli con up enp0s10
Connection ‘enp0s10’ successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[root@clusterserver network-scripts]#

 

To configure a static route for an existing Ethernet connection using the command line, enter a command as follows:
~]# nmcli connection modify eth0 +ipv4.routes “192.168.122.0/24 10.10.10.1”

 

This will direct traffic for the 192.168.122.0/24 subnet to the gateway at 10.10.10.1.

 

so, we need to do:

 

[root@clusterserver network-scripts]# nmcli connection modify enp0s10 +ipv4.routes “10.0.2.0/24 10.0.2.10”
[root@clusterserver network-scripts]#

 

Next, IMPORTANT!! do a reload of the specific connection:

 

[root@clusterserver network-scripts]# nmcli con reload enp0s10
[root@clusterserver network-scripts]#

 

otherwise the changes will not be active!

 

OR do interactively:

 

[root@clusterserver network-scripts]# nmcli con edit type ethernet con-name enp0s10

 

===| nmcli interactive connection editor |===

 

Adding a new ‘802-3-ethernet’ connection

 

Type ‘help’ or ‘?’ for available commands.
Type ‘print’ to show all the connection properties.
Type ‘describe [<setting>.<prop>]’ for detailed property description.

 

You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
nmcli> set ipv4.routes 10.0.5.0/24 10.0.5.10
nmcli>
nmcli>
nmcli> save persistent
Saving the connection with ‘autoconnect=yes’. That might result in an immediate activation of the connection.
Do you still want to save? (yes/no) [yes] yes
Connection ‘enp0s10’ (cbaf5c33-de4a-43a1-83af-7f51103706bd) successfully saved.
nmcli>

 

Setting up NAT NETWORK on Oracle VB on CentOS

 

first define a nat network under tools — preferences – network and give it a name, I called it NatNetwork

 

and then right click on properties, and define the ip of the subnet – a new one just for the nat network, I chose 10.0.5.0

 

next go to each VM and add a network adapter connected to NAT Network

 

and select the network you created.

 

To enable IP packet forwarding please edit /etc/sysctl.conf with your editor of choice and set:

 

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
You can then verify your settings with:
/sbin/sysctl -p

 

on each machine

 

sysctl -w net.ipv4.ip_forward=1

 

you also have to put it in the /etc/sysctl.d/sysctl.conf file! otherwise it does not take effect -and do:

 

root@router:/etc/netplan# sysctl –system

 

I did it with:

 

 

[root@clusterserver sysctl.d]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

[root@clusterserver sysctl.d]#

 

[root@clusterserver sysctl.d]# /sbin/sysctl -p
net.ipv4.ip_forward = 1

[root@clusterserver sysctl.d]#
root@router:/etc/netplan# sysctl –system

 

 

NOTE with centos and nmcli you have to first add a new connection:

 

[root@clusterserver network-scripts]# nmcli dev status
DEVICE TYPE STATE CONNECTION
enp0s3 ethernet connected enp0s3
enp0s8 ethernet connected enp0s8
virbr0 bridge connected (externally) virbr0
enp0s10 ethernet disconnected —
lo loopback unmanaged —
virbr0-nic tun unmanaged —
[root@clusterserver network-scripts]#
[root@clusterserver network-scripts]#
[root@clusterserver network-scripts]# nmcli con add type ethernet con-name enp0s10 ifname enp0s10 ip4 10.0.5.10
Connection ‘enp0s10’ (392ee518-be1b-4498-885c-cacef2e295d9) successfully added.
[root@clusterserver network-scripts]#

 

Unter CentOS a “connection” is not the same as a network interface, I have used the same name for the connection here, but it can be labeled differently.

 

then it looks like this:

 

[root@clusterserver network-scripts]#
[root@clusterserver network-scripts]# nmcli dev status
DEVICE TYPE STATE CONNECTION
enp0s3 ethernet connected enp0s3
enp0s10 ethernet connected enp0s10
enp0s8 ethernet connected enp0s8
virbr0 bridge connected (externally) virbr0
lo loopback unmanaged —
virbr0-nic tun unmanaged

 

Note that manual changes to the ifcfg file will not be noticed by NetworkManager until the interface is next brought up.

 

So, you have to do a

 

nmcli con down enp0s10 && nmcli con up enp0s10

 

[root@clusterserver network-scripts]# nmcli con down enp0s10 && nmcli con up enp0s10
Connection ‘enp0s10’ successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[root@clusterserver network-scripts]#

 

 

To configure a static route for an existing Ethernet connection using the command line, enter a command as follows:
~]# nmcli connection modify eth0 +ipv4.routes “192.168.122.0/24 10.10.10.1”
This will direct traffic for the 192.168.122.0/24 subnet to the gateway at 10.10.10.1.

 

so, we need to do:

 

[root@clusterserver network-scripts]# nmcli connection modify enp0s10 +ipv4.routes “10.0.2.0/24 10.0.2.10”
[root@clusterserver network-scripts]#

 

Next, IMPORTANT!! do a reload of the specific connection:

 

[root@clusterserver network-scripts]# nmcli con reload enp0s10
[root@clusterserver network-scripts]#

 

otherwise the changes will not be active!

 

OR do interactively:

 

[root@clusterserver network-scripts]# nmcli con edit type ethernet con-name enp0s10

 

===| nmcli interactive connection editor |===

 

Adding a new ‘802-3-ethernet’ connection

Type ‘help’ or ‘?’ for available commands.
Type ‘print’ to show all the connection properties.
Type ‘describe [<setting>.<prop>]’ for detailed property description.

 

You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, tc, proxy
nmcli> set ipv4.routes 10.0.5.0/24 10.0.5.10
nmcli>
nmcli>
nmcli> save persistent
Saving the connection with ‘autoconnect=yes’. That might result in an immediate activation of the connection.
Do you still want to save? (yes/no) [yes] yes
Connection ‘enp0s10’ (cbaf5c33-de4a-43a1-83af-7f51103706bd) successfully saved.
nmcli>

 

 

 

 

Continue Reading