Here are the steps - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
I would suggest you consider using a NAT Gateway instead. https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/ https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html
A few checkpoints to note when working with a NAT instance:
-> The NAT instance needs to be in the public subnet.
-> At least allow port 80/443 on the security group of the NAT instance.
-> Associate the outbound route of the private subnet to the NAT instance in the route table.
If the SG, iptables, and routing are correct, then I would suggest checking this part, "Disable source/destination checks": https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
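As an added example (not part of the answer above), a small Python checker that walks those four NAT-instance checkpoints offline over constructed data; the dict fields are a simplified, assumed shape of what boto3's describe_* calls return, not real API output.

```python
# Added example, not code from the original answer. Input dicts mirror, in a simplified
# assumed form, fields boto3 returns from describe_instances, describe_security_groups,
# describe_route_tables and describe_instance_attribute(Attribute="sourceDestCheck").

def nat_instance_findings(nat, private_rt, public_rt, igw_id):
    """Return a list of checklist failures; an empty list means every check passed."""
    findings = []
    # Checkpoint 1: the NAT instance must sit in a subnet served by the public route
    # table, and that table must send 0.0.0.0/0 to the Internet Gateway.
    public_subnets = {a["SubnetId"] for a in public_rt["Associations"] if "SubnetId" in a}
    if nat["SubnetId"] not in public_subnets:
        findings.append("NAT instance is not in a public subnet")
    if not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId") == igw_id
               for r in public_rt["Routes"]):
        findings.append("public route table has no 0.0.0.0/0 route to the IGW")
    # Checkpoint 2: inbound TCP 80 and 443 must be allowed on the NAT instance's SG.
    allowed = set()
    for perm in nat["IpPermissions"]:
        if perm.get("IpProtocol") in ("tcp", "-1"):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            allowed.update(p for p in (80, 443) if lo <= p <= hi)
    for port in (80, 443):
        if port not in allowed:
            findings.append(f"security group does not allow inbound TCP {port}")
    # Checkpoint 3: the private route table's default route must target the NAT
    # instance, either by instance id or by its network interface.
    if not any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and (r.get("InstanceId") == nat["InstanceId"]
                    or r.get("NetworkInterfaceId") == nat["NetworkInterfaceId"])
               for r in private_rt["Routes"]):
        findings.append("private route table does not route 0.0.0.0/0 to the NAT instance")
    # Checkpoint 4: source/destination check must be disabled, otherwise EC2 drops the
    # forwarded packets even when SG, iptables and routing are all correct.
    if nat["SourceDestCheck"]:
        findings.append("source/destination check is still enabled on the NAT instance")
    return findings

# Constructed sample: everything right except the source/destination check.
IGW_ID = "igw-0example"
PUBLIC_RT = {"Associations": [{"SubnetId": "subnet-pub1"}],
             "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID}]}
PRIVATE_RT = {"Associations": [{"SubnetId": "subnet-priv1"}],
              "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat"}]}
NAT = {"InstanceId": "i-0nat", "NetworkInterfaceId": "eni-0nat", "SubnetId": "subnet-pub1",
       "SourceDestCheck": True, "IpPermissions": [
           {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80},
           {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]}
print(nat_instance_findings(NAT, PRIVATE_RT, PUBLIC_RT, IGW_ID))
```

Pointing the same function at real describe_* output only requires mapping the same fields; the sample above is deliberately the "everything else correct, still no internet" case the answer describes.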
Here are the steps to deploy a basic HTTPS application:
- Network Definition
- Set a new VPC CIDR 10.0.0.0/16
- Create at least 2 subnets per layer (Public & Private), CIDR example 10.0.1.0/24
- Create 2 route tables (one for the public subnets and one for the private ones)
- Create 1 Internet Gateway
- Create 1 NAT Gateway (you will also need an Elastic IP)
- Associate the Internet Gateway to the public routing table | This will make the subnets you associate public
- Associate the NAT Gateway to the private routing table | This will make the subnets you associate private
- Create an EC2 instance in the public subnet. This will be used as a bastion to jump to the EC2 in the private subnet.
- The security group must contain the rule that allows your local IP, and the protocol should be SSH 22 if it's Linux.
- Create an EC2 instance in the private subnet. Deploy your application on this instance. If you are going to deploy your app using HTTPS, you will need to install a certificate.
- The security group should allow your bastion's security group on port 22 SSH.
- Deploy an Amazon Application Load Balancer with a 443 HTTPS listener configured.
- The security group should allow traffic from 0.0.0.0/0 to the port 443 HTTPS.
- Deploy a TargetGroup with a 443 HTTPS listener configured.
- Register your private EC2 instance.
- You must see that the health check of your ALB is all green; that means it's OK.
- The ALB has a DNS name, so you can copy and paste it in your web browser.
- That's IT!
If you are going to use HTTP, use the correct ports in the ALB and Target Group configuration.
For a production environment I would advise using Amazon CloudFront and Amazon WAF for better performance and security.
Also, check your Apache or Nginx configuration, just to see if your 443 port is enabled. If yes:
- Double-check your Security Groups configuration.
- Double-check your VPC's NACL configuration.
- Double-check your routing tables configuration.
Hope I helped you. Best regards.