Hi,
This is explained in detail in this Knowledge center article
NAT gateways do not accept traffic initiated from the internet. I would like to inform you that even though the VPC flow logs show traffic from an external service as accepted at the NAT gateway ENI, the traffic actually gets dropped. VPC flow logs show inbound traffic as accepted if the security groups and NACLs permit the traffic. However, the actual traffic isn't accepted by the NAT gateway and gets dropped.
This is also called out in the documentation
A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.
Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet.
Hope this helps
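As an added example that is not part of the original answer and is not AWS's own tooling: the point above means an ACCEPT on the NAT gateway ENI is not evidence that a connection was served. The script below applies that rule to constructed VPC flow log records on a NAT gateway ENI. It assumes a custom flow log format that includes the tcp-flags field, a hypothetical ENI ID and private IP for the NAT gateway, and a heuristic that a TCP flow toward the NAT ENI carrying SYN but not ACK was initiated from outside (so the NAT gateway drops it despite the ACCEPT), while flows carrying ACK are the return half of a connection an instance opened and are forwarded. The heuristic and all addresses are assumptions, not something the answer states.

```python
"""Triage inbound records on a NAT gateway ENI from VPC flow logs.

Constructed example (not from the original post or AWS). Assumptions:
- the flow log uses a custom format whose field order matches FIELDS,
  including the tcp-flags field;
- NAT_ENI / NAT_PRIVATE_IP are the (hypothetical) NAT gateway interface;
- a TCP flow toward the NAT ENI whose flags carry SYN but not ACK is a
  connection attempt initiated from outside, i.e. traffic the NAT gateway
  drops even though the flow log records ACCEPT.
"""
import ipaddress

NAT_ENI = "eni-0123456789abcdef0"   # hypothetical NAT gateway ENI
NAT_PRIVATE_IP = "10.0.0.42"        # hypothetical private IP of that ENI

# Field order of the (assumed) custom flow log format.
FIELDS = ["interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "action", "tcp-flags"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "tcp-flags")

TCP = 6
SYN = 0x02
ACK = 0x10

# RFC 1918 space: sources here are inside the VPC (or peered/on-prem), not the internet.
VPC_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records; external addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
eni-0123456789abcdef0 203.0.113.9   10.0.0.42    51234 22    6 3  180  ACCEPT 2
eni-0123456789abcdef0 198.51.100.7  10.0.0.42    443   40001 6 12 9800 ACCEPT 19
eni-0123456789abcdef0 10.0.0.42     198.51.100.7 40001 443   6 10 1200 ACCEPT 3
eni-0123456789abcdef0 203.0.113.77  10.0.0.42    40000 3389  6 1  60   REJECT 2
eni-0123456789abcdef0 10.0.1.5      10.0.0.42    55555 80    6 2  120  ACCEPT 2
"""


def parse_flow_log(text):
    """Parse whitespace-separated records into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_vpc_address(addr):
    """True for RFC 1918 addresses (explicit list: ipaddress.is_private also
    matches the RFC 5737 documentation ranges used in the sample)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_RANGES)


def classify(rec):
    """Label one record from the NAT gateway's point of view."""
    if rec["interface-id"] != NAT_ENI or rec["dstaddr"] != NAT_PRIVATE_IP:
        return "not_inbound_to_nat"          # outbound or another interface
    if rec["action"] != "ACCEPT":
        return "rejected_by_nacl"            # never reached the NAT gateway
    if is_vpc_address(rec["srcaddr"]):
        return "internal_source"             # not internet-initiated; review separately
    if rec["protocol"] != TCP:
        return "non_tcp_needs_review"        # no handshake flags to judge by
    flags = rec["tcp-flags"]
    if flags & SYN and not flags & ACK:
        # Internet host opened the connection: the flow log says ACCEPT,
        # but the NAT gateway has no translation entry and drops it.
        return "unsolicited_dropped_by_nat"
    # SYN-ACK / ACK / FIN from the remote side of a connection an instance
    # opened through the NAT gateway: this is forwarded to the instance.
    return "return_traffic_forwarded"


def triage(text):
    """Group (srcaddr, dstport) pairs by classification."""
    groups = {}
    for rec in parse_flow_log(text):
        groups.setdefault(classify(rec), []).append((rec["srcaddr"], rec["dstport"]))
    return groups


if __name__ == "__main__":
    for label, flows in triage(SAMPLE_LOG).items():
        print(f"{label}: {flows}")
```

Two caveats when using this against real logs: tcp-flags is only present in a custom flow log format (it is not in the default format), and the flags are OR-ed over the aggregation interval, so the decision is per aggregated record rather than per packet. Records labelled `unsolicited_dropped_by_nat` are the ACCEPT entries the answer describes: they are worth counting as scanning activity, but they did not reach anything behind the NAT gateway.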
Thanks for the answer. Is there a reason that SGs are not allowed to be assigned to a NAT Gateway? Because it makes VPC Flow monitoring a bit confusing seeing these entries as ACCEPT in flow logs. Or maybe it is better to mark them as DROPPED, as in fact it is really dropped at the NAT Gateway level.