How Instances in Private subnet can connect to Internet with NAT Instance

0

Hi All,

I planned to deploy a website on an instance in a private subnet, which will be connected to the Internet through a NAT instance. When I try to install the httpd package on the private instance, it throws an error: https: 443 is not opened - timed out. Both instances are Amazon Linux.

asked 2 years ago · 2049 views
3 Answers
2

Hello,

A few checkpoints to note when working with a NAT instance:

-> NAT instance needs to be in the public subnet.

-> At least allow port 80/443 on the security group of the NAT instance.

-> Associate the outbound route of the private subnet to the NAT instance in the route table.

If the SG, iptables, and routing are correct, then I would suggest checking this part, "Disable source/destination checks": https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

AWS
answered 2 years ago
1
  • Thanks for your comment. Yes, I would think about a NAT gateway, but it's purely for personal hands-on, so from a cost optimization perspective I thought a NAT instance
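The four checkpoints in the answer above, written up as an offline validator. This is an added example, not code from the answer or from AWS; the VPC snapshot, IDs and field names are constructed placeholders shaped loosely like the relevant describe-* output, not real API data.

```python
import ipaddress

# Constructed snapshot of a VPC (placeholder IDs, not real API output). The
# private subnet 10.0.2.0/24 should reach the Internet through the NAT instance.
IGW_ID, NAT_ID = "igw-EXAMPLE", "i-NATEXAMPLE"
ROUTE_TABLES = {
    "rtb-public": {"subnets": ["subnet-public"],
                   "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                              {"dst": "0.0.0.0/0", "target": IGW_ID}]},
    "rtb-private": {"subnets": ["subnet-private"],
                    "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                               {"dst": "0.0.0.0/0", "target": NAT_ID}]},
}
NAT = {"id": NAT_ID, "subnet": "subnet-public", "source_dest_check": False,
       "sg_ingress": [{"proto": "tcp", "from": 80, "to": 80, "cidr": "10.0.0.0/16"},
                      {"proto": "tcp", "from": 443, "to": 443, "cidr": "10.0.0.0/16"}]}
PRIVATE_SUBNET = {"id": "subnet-private", "cidr": "10.0.2.0/24"}


def rtb_for(route_tables, subnet_id):
    """Route table explicitly associated with a subnet (main-table fallback omitted)."""
    return next((t for t in route_tables.values() if subnet_id in t["subnets"]), None)


def default_target(rtb):
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    return next((r["target"] for r in rtb["routes"] if r["dst"] == "0.0.0.0/0"), None)


def sg_allows(rules, port, src_cidr):
    """True if some ingress rule covers TCP <port> for every address in src_cidr."""
    src = ipaddress.ip_network(src_cidr)
    return any(r["proto"] in ("tcp", "-1") and r["from"] <= port <= r["to"]
               and src.subnet_of(ipaddress.ip_network(r["cidr"])) for r in rules)


def check_nat_path(route_tables, nat, private_subnet):
    """Return a list of misconfigurations; empty means all four checkpoints hold."""
    findings = []
    pub = rtb_for(route_tables, nat["subnet"])            # 1. NAT sits in a public subnet
    if pub is None or not str(default_target(pub)).startswith("igw-"):
        findings.append("NAT instance subnet has no default route to an Internet gateway")
    priv = rtb_for(route_tables, private_subnet["id"])   # 2. private default route -> NAT
    if priv is None or default_target(priv) != nat["id"]:
        findings.append("private subnet default route does not target the NAT instance")
    for port in (80, 443):                               # 3. SG allows 80/443 from private CIDR
        if not sg_allows(nat["sg_ingress"], port, private_subnet["cidr"]):
            findings.append(f"NAT security group blocks tcp/{port} from {private_subnet['cidr']}")
    if nat["source_dest_check"]:                         # 4. source/dest check is disabled
        findings.append("source/destination check is still enabled on the NAT instance")
    return findings


if __name__ == "__main__":
    print(check_nat_path(ROUTE_TABLES, NAT, PRIVATE_SUBNET) or ["all NAT checkpoints pass"])
```

A missing tcp/443 rule on the NAT instance's security group shows up as the third finding, which matches the timeout on port 443 described in the question.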

0

Hi.

Here are the steps to deploy a basic HTTPS application:

  1. Network definition
  • Set a new VPC CIDR 10.0.0.0/16
  • Create at least 2 subnets per layer (public & private), CIDR example 10.0.1.0/24
  • Create 2 route tables (one for the public subnets and one for the private ones)
  • Create 1 Internet Gateway
  • Create 1 NAT Gateway (you will also need an Elastic IP)
  • Associate the Internet Gateway to the public routing table | This will make public the subnets that you associate
  • Associate the NAT Gateway to the private routing table | This will make private the subnets that you associate
  2. Create an EC2 instance in the public subnet. This will be used as a bastion to jump to the EC2 in the private subnet.
  • The security group must contain a rule that allows your local IP, and the protocol should be SSH 22 if it's Linux.
  3. Create an EC2 instance in the private subnet. Deploy your application on this instance. If you are gonna deploy your app using HTTPS you will need to install a certificate.
  • The security group should allow your bastion's security group on port 22 SSH.
  4. Deploy an Amazon Application Load Balancer with a 443 HTTPS listener configured.
  • The security group should allow traffic from 0.0.0.0/0 to port 443 HTTPS.
  5. Deploy a Target Group with a 443 HTTPS listener configured.
  • Register your private EC2 instance.
  6. You must see that the health check of your ALB is all green; that means that it's OK.
  7. The ALB has a DNS name, so you can copy and paste it into your web browser.
  8. That's it!

If you are gonna use HTTP, use the correct ports in the ALB and Target Group configuration.

For a production environment I would advise using Amazon CloudFront and Amazon WAF for better performance and security.

Also, check your Apache or Nginx configuration to see if your 443 port is enabled. If yes:

  • Double Check your Security Groups configuration.
  • Double Check your VPC's NACL configuration
  • Double Check your Routing tables configuration.

Hope I helped you. Best regards

HE

answered 2 years ago
