
Why can't I use NAT to connect my EC2 instance in a private subnet to the internet?

I created a NAT gateway to reach the internet from my Amazon Elastic Compute Cloud (Amazon EC2) instance. My instance is in a private subnet and needs to reach the internet over HTTP (port 80) or HTTPS (port 443), but it can't.

Resolution

Verify destination reachability and NAT gateway status

Check whether the destination is reachable from another source through a public IP address (for example, from a host outside the VPC). If it isn't, the problem is at the destination, not at the NAT gateway. Confirm that the NAT gateway is in the Available state. If the NAT gateway is in the Failed state, then see NAT gateway creation fails.

Note: A NAT gateway that is in the Failed state automatically deletes after about one hour.

Confirm your subnet and route table configurations

Verify that you created your NAT gateway in a public subnet, that is, a subnet whose route table has a default route (0.0.0.0/0) that directs traffic to an internet gateway. Also, confirm that the private subnet's route table has a default route that directs traffic to the NAT gateway, and that the route's state is active rather than blackhole (a blackhole route means its target no longer exists).

Important: Make sure that you don't use the same route table for both the private and the public subnet. A route table holds only one default route, so a shared table can't send the public subnet to the internet gateway and the private subnet to the NAT gateway at the same time, and traffic doesn't route to the internet.

To prevent DNS resolution failures, set the enableDnsSupport attribute to true in your virtual private cloud (VPC). For more information, see View and update DNS attributes for your VPC.
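The route table, NAT gateway state and DNS checks above, written as an added example (not code from the AWS article). The checks are pure functions over dictionaries in the shape that the EC2 API returns (DescribeNatGateways, DescribeRouteTables, DescribeVpcAttribute), exercised on constructed sample data; fetch_and_diagnose() is an optional live path that assumes boto3 and AWS credentials, and the IDs it is called with are placeholders.

```python
# Added example (not from the AWS article): the route-table, NAT gateway and
# DNS checks as pure functions over the dictionaries that the EC2 API returns
# (DescribeNatGateways, DescribeRouteTables, DescribeVpcAttribute), exercised
# on constructed data. fetch_and_diagnose() is the optional live path; it
# assumes boto3 plus AWS credentials, and the IDs used in __main__ are
# placeholders.
from typing import List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"


def default_route_target(route_table: dict) -> Optional[str]:
    """Target of the active 0.0.0.0/0 route (igw-..., nat-..., ...), or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State") == "blackhole":  # target deleted; route is dead
            return None
        return (route.get("GatewayId") or route.get("NatGatewayId")
                or route.get("NetworkInterfaceId") or route.get("InstanceId"))
    return None


def diagnose(nat_gw: dict, public_rt: dict, private_rt: dict,
             dns_support: bool) -> List[str]:
    """Return the checks that fail; an empty list means the layout looks right.
    public_rt must be the table that serves the NAT gateway's own subnet."""
    findings = []
    state = nat_gw.get("State")
    if state != "available":
        findings.append(f"NAT gateway {nat_gw.get('NatGatewayId')} is {state!r}, not 'available'")
    public_target = default_route_target(public_rt) or "nothing"
    if not public_target.startswith("igw-"):
        findings.append(f"NAT gateway subnet's default route goes to {public_target}, "
                        "not an internet gateway (is the subnet really public?)")
    if default_route_target(private_rt) != nat_gw.get("NatGatewayId"):
        findings.append("private subnet's default route does not point at this NAT gateway")
    if public_rt.get("RouteTableId") == private_rt.get("RouteTableId"):
        findings.append("private and public subnets share one route table, "
                        "which can hold only one 0.0.0.0/0 route")
    if not dns_support:
        findings.append("VPC attribute enableDnsSupport is false; names will not resolve")
    return findings


# Constructed sample data in the API's shape (all IDs are made up).
NAT = {"NatGatewayId": "nat-0aaa", "State": "available",
       "SubnetId": "subnet-pub", "VpcId": "vpc-0ccc"}
PUBLIC_RT = {"RouteTableId": "rtb-pub", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0bbb", "State": "active"}]}
PRIVATE_RT = {"RouteTableId": "rtb-priv", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0aaa", "State": "active"}]}


def demo():
    """Correct layout versus the shared-route-table mistake the article warns about."""
    good = diagnose(NAT, PUBLIC_RT, PRIVATE_RT, dns_support=True)
    shared = diagnose(NAT, PUBLIC_RT, PUBLIC_RT, dns_support=True)
    return good, shared


def fetch_and_diagnose(nat_gateway_id: str, private_subnet_id: str,
                       region: str = "us-east-1") -> List[str]:
    """Live variant (assumption: boto3 installed, credentials configured)."""
    import boto3  # imported here so the offline functions above need no boto3
    ec2 = boto3.client("ec2", region_name=region)
    nat = ec2.describe_nat_gateways(NatGatewayIds=[nat_gateway_id])["NatGateways"][0]

    def route_table_for(subnet_id: str) -> dict:
        explicit = ec2.describe_route_tables(Filters=[
            {"Name": "association.subnet-id", "Values": [subnet_id]}])["RouteTables"]
        if explicit:
            return explicit[0]
        # No explicit association: the subnet uses the VPC's main route table.
        return ec2.describe_route_tables(Filters=[
            {"Name": "vpc-id", "Values": [nat["VpcId"]]},
            {"Name": "association.main", "Values": ["true"]}])["RouteTables"][0]

    dns = ec2.describe_vpc_attribute(VpcId=nat["VpcId"], Attribute="enableDnsSupport")
    return diagnose(nat, route_table_for(nat["SubnetId"]),
                    route_table_for(private_subnet_id), dns["EnableDnsSupport"]["Value"])


if __name__ == "__main__":
    for line in fetch_and_diagnose("nat-0123456789abcdef0",
                                   "subnet-0123456789abcdef0") or ["all checks pass"]:
        print(line)
```

In the shared-table case the function reports two findings, because the private subnet's default route then necessarily points at the internet gateway rather than the NAT gateway, which is exactly why the traffic never leaves.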

Check firewall and port settings

Verify that firewalls on both the source instance and the destination host allow traffic on port 80 for HTTP and port 443 for HTTPS. To check connectivity from the instance, run the following command, replacing PUBLIC_IP and TCP_PORT with the destination's public IP address and port:

telnet PUBLIC_IP TCP_PORT
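The telnet check tells you only whether the connection succeeded. How it failed narrows the cause: a timeout means the packets were silently dropped (routing, network ACL or security group), "connection refused" means the packets reached the host but nothing is listening, and a resolution error points at DNS. The following added example (not code from the AWS article) classifies the failure; it is exercised against loopback listeners it creates itself, and the hostname and ports it uses are constructed.

```python
# Added example (not from the AWS article): a telnet-style reachability check
# that reports how the connect failed, because the failure mode narrows the
# cause. loopback_demo() exercises it offline against ports on 127.0.0.1 that
# it opens itself; the host and ports are constructed.
import socket
import sys

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect attempt: open / refused / timeout / dns / error:N."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:            # the name did not resolve
        return "dns"
    except ConnectionRefusedError:     # packets arrive; nothing is listening
        return "refused"
    except socket.timeout:             # packets silently dropped somewhere on the path
        return "timeout"
    except OSError as exc:             # e.g. ENETUNREACH: no route at all
        return f"error:{exc.errno}"


LIKELY_CAUSE = {
    "open": "reachable; the NAT path is not the problem for this destination",
    "timeout": "no reply: check the private route table, the NAT subnet's network ACL "
               "and the security group egress rules",
    "refused": "the path works; the destination host has nothing listening on that port",
    "dns": "name resolution failed: check enableDnsSupport on the VPC and the resolver",
}


def explain(result: str) -> str:
    """Map a probe_tcp() result to the next thing to look at."""
    return LIKELY_CAUSE.get(result, "connect() failed before the packet left the host "
                                    "(no route or interface?)")


def loopback_demo() -> dict:
    """Probe one listening and one closed loopback port (constructed setup)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    # Reserve a second port, then release it, so it is almost certainly closed.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {"listening": probe_tcp("127.0.0.1", open_port, 1.0),
                "closed": probe_tcp("127.0.0.1", closed_port, 1.0)}
    finally:
        srv.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:           # python probe.py PUBLIC_IP TCP_PORT
        result = probe_tcp(sys.argv[1], int(sys.argv[2]))
        print(result, "-", explain(result))
    else:
        for name, result in loopback_demo().items():
            print(name, "->", result, "-", explain(result))
```

Run it from the instance with the destination's public IP and port as arguments; a "timeout" against a host that is reachable from elsewhere is the signature of a dropped packet on the NAT path.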

Review security group settings

Make sure that the security group attached to the instance's elastic network interface allows outbound traffic to ports 80 and 443. Security groups are stateful, so the return traffic is allowed automatically and needs no inbound rule. For more information, see Amazon EC2 security groups for your EC2 instances.

Check the network access control list (ACL) associated with the NAT gateway subnet. Unlike security groups, network ACLs are stateless: the request and its reply are evaluated separately, so both directions need rules, including the ephemeral port range (1024-65535) that the replies use. The network ACL on the instance's own subnet must allow the same traffic. To give your EC2 instances access to an HTTPS website, the network ACL associated with the NAT gateway subnet must have the following rules:

Inbound rules

Source       Protocol   Port range   Allow/Deny
VPC CIDR     TCP        443          ALLOW
PUBLIC_IP    TCP        1024-65535   ALLOW

Outbound rules

Destination  Protocol   Port range   Allow/Deny
PUBLIC_IP    TCP        443          ALLOW
VPC CIDR     TCP        1024-65535   ALLOW

For more information on how to configure network ACLs, see Control subnet traffic with network access control lists.
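To see why all four rules are needed, the following added example (not code from the AWS article) evaluates a network ACL the way EC2 does (ascending rule number, first match wins, implicit final deny) and walks the four packets that one HTTPS request makes through the NAT gateway subnet. It compares the rule set from the tables above with two common mistakes: omitting the reply rule, and a low-numbered deny that shadows the allows. The IPs, CIDRs and rule numbers are constructed.

```python
# Added example (not from the AWS article): an evaluator for network ACL
# rules that walks the four packets one HTTPS request makes through the NAT
# gateway subnet. EC2 evaluates network ACL rules in ascending rule number,
# first match wins, and an implicit final "*" rule denies everything else;
# because the ACL is stateless, each direction of each leg needs its own
# rule. IPs, CIDRs and rule numbers are constructed sample data.
import ipaddress
from typing import List


def rule(num: int, cidr: str, lo: int, hi: int, action: str = "allow",
         proto: str = "tcp") -> dict:
    """One rule: cidr is the source (inbound) or destination (outbound);
    lo-hi is the destination port range the packet must fall in."""
    return {"num": num, "proto": proto, "cidr": ipaddress.ip_network(cidr),
            "lo": lo, "hi": hi, "action": action}


def acl_decision(rules: List[dict], ip: str, dport: int, proto: str = "tcp") -> str:
    """Evaluate one packet against one direction's rule list."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda x: x["num"]):
        if r["proto"] in (proto, "all") and addr in r["cidr"] and r["lo"] <= dport <= r["hi"]:
            return r["action"]
    return "deny"  # the implicit "*" rule at the end of every network ACL


def https_via_nat_blocked_legs(inbound: List[dict], outbound: List[dict],
                               instance_ip: str, remote_ip: str,
                               instance_ephemeral: int = 49152,
                               nat_ephemeral: int = 2000) -> List[str]:
    """Legs of an instance -> NAT gateway -> remote:443 flow that the NAT
    subnet's ACL denies; an empty list means the whole flow is allowed."""
    legs = [
        ("inbound", "instance -> NAT subnet, dst port 443", inbound, instance_ip, 443),
        ("outbound", "NAT gateway -> remote, dst port 443", outbound, remote_ip, 443),
        ("inbound", "remote -> NAT gateway, dst ephemeral port", inbound, remote_ip, nat_ephemeral),
        ("outbound", "NAT gateway -> instance, dst ephemeral port", outbound, instance_ip, instance_ephemeral),
    ]
    return [f"{direction}: {desc}" for direction, desc, rules, ip, port in legs
            if acl_decision(rules, ip, port) != "allow"]


VPC_CIDR = "10.0.0.0/16"
INSTANCE = "10.0.1.25"
REMOTE = "203.0.113.10"  # documentation address range; stands in for PUBLIC_IP

# The rule set from the article's tables.
GOOD_IN = [rule(100, VPC_CIDR, 443, 443), rule(110, REMOTE + "/32", 1024, 65535)]
GOOD_OUT = [rule(100, REMOTE + "/32", 443, 443), rule(110, VPC_CIDR, 1024, 65535)]
# Common mistake: the request is allowed, but the reply from the remote host
# has no inbound rule, so the stateless ACL drops it.
NO_RETURN_IN = [rule(100, VPC_CIDR, 443, 443)]
# Rule numbers matter: a lower-numbered deny shadows the later allows.
SHADOWED_OUT = [rule(50, "0.0.0.0/0", 0, 65535, action="deny")] + GOOD_OUT


def demo() -> dict:
    return {
        "good": https_via_nat_blocked_legs(GOOD_IN, GOOD_OUT, INSTANCE, REMOTE),
        "no_return": https_via_nat_blocked_legs(NO_RETURN_IN, GOOD_OUT, INSTANCE, REMOTE),
        "shadowed": https_via_nat_blocked_legs(GOOD_IN, SHADOWED_OUT, INSTANCE, REMOTE),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(name, "->", blocked or "flow allowed")
```

The "no_return" case is the one that looks like a NAT gateway fault from the instance: the request leaves, the remote host answers, and the answer is dropped at the NAT subnet boundary, so the client only ever sees a timeout.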

Related information

NAT gateways

Configure route tables

AWS OFFICIAL. Updated 8 months ago.