How Instances in Private subnet can connect to Internet with NAT Instance


Hi All,

I planned to deploy a website on an instance in a private subnet, which will be connected to the Internet through a NAT instance. Once I try to install the httpd package on the private instance, it throws an error: https: 443 is not opened - timed out. Both instances are Amazon Linux.

asked 2 years ago, 2102 views
3 Answers


A few checkpoints to note when working with a NAT instance:

-> The NAT instance needs to be in the public subnet.

-> At least allow ports 80/443 on the security group of the NAT instance.

-> Associate the outbound route of the private subnet with the NAT instance in the route table.

If the SG, iptables and routing are correct, then I would suggest checking this part: "Disable source/destination checks".

(AWS) answered 2 years ago, reviewed 18 days ago
  • Thanks for your comment. Yes, I would think about a NAT gateway, but it's totally for personal hands-on, so from a cost optimization perspective, I thought of a NAT instance.
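The four checkpoints in this answer can be verified offline against the JSON the AWS CLI already gives you. The following is an added example, not code from the original post or from AWS: it takes dicts shaped like the output of `aws ec2 describe-route-tables`, `describe-instances` and `describe-security-groups` and reports which precondition fails. The route table, subnet, instance, ENI and security-group identifiers and the CIDRs in the sample are constructed for this example, and the sample deliberately reproduces the asker's symptom: routing and the security group are right, but the instance-level source/destination check was never disabled.

```python
"""Offline check of the NAT-instance checkpoints from the answer above.

Added example, not code from the original post or AWS. Input dicts mirror the
JSON of `aws ec2 describe-route-tables`, `describe-instances` and
`describe-security-groups`; the sample is constructed to reproduce the asker's
symptom (routing and groups are right, source/destination check never disabled).
Needs Python 3.7+ for ipaddress.subnet_of."""
import ipaddress


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """The active 0.0.0.0/0 route of a table, or None."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return r
    return None


def sg_allows_tcp(sg, port, src_cidr):
    """True if some ingress rule admits TCP `port` from all of `src_cidr`."""
    src = ipaddress.ip_network(src_cidr, strict=False)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        if lo <= port <= hi and any(src.subnet_of(ipaddress.ip_network(r["CidrIp"], strict=False))
                                    for r in perm.get("IpRanges", [])):
            return True
    return False


def check_nat_instance_path(route_tables, instances, security_groups,
                            private_subnet_id, private_cidr, nat_instance_id):
    """Return a list of findings; an empty list means every checkpoint passed."""
    findings = []
    nat = next(i for i in instances if i["InstanceId"] == nat_instance_id)
    # 1. NAT instance in a public subnet: the subnet's default route is an IGW.
    nat_rt = route_table_for_subnet(route_tables, nat["SubnetId"])
    igw = default_route(nat_rt) if nat_rt else None
    if not igw or not str(igw.get("GatewayId", "")).startswith("igw-"):
        findings.append("NAT instance subnet has no active 0.0.0.0/0 route to an internet gateway")
    # 2. Private subnet's default route targets the NAT instance (EC2 records the
    #    instance id and/or its primary ENI on such a route).
    priv_rt = route_table_for_subnet(route_tables, private_subnet_id)
    via = default_route(priv_rt) if priv_rt else None
    nat_enis = {e["NetworkInterfaceId"] for e in nat.get("NetworkInterfaces", [])}
    if not via or (via.get("InstanceId") != nat_instance_id
                   and via.get("NetworkInterfaceId") not in nat_enis):
        findings.append("private subnet has no active 0.0.0.0/0 route pointing at the NAT instance")
    # 3. Forwarded packets carry the private host's address, not the NAT's own, so
    #    EC2 silently drops them unless the source/destination check is off.
    if nat.get("SourceDestCheck", True):
        findings.append("source/destination check is still enabled on the NAT instance")
    # 4. The NAT's security group must admit the private subnet on the ports the
    #    private hosts use; package mirrors need 80 and 443.
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    for port in (80, 443):
        if not any(sg_allows_tcp(by_id[g["GroupId"]], port, private_cidr)
                   for g in nat.get("SecurityGroups", [])):
            findings.append(f"NAT instance security group does not allow TCP {port} from {private_cidr}")
    return findings


# Constructed sample: VPC 10.0.0.0/16, NAT instance in 10.0.0.0/24, private subnet 10.0.1.0/24.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat",
         "NetworkInterfaceId": "eni-nat", "State": "active"}]}]
SAMPLE_INSTANCES = [{
    "InstanceId": "i-nat", "SubnetId": "subnet-pub", "SourceDestCheck": True,  # never flipped
    "SecurityGroups": [{"GroupId": "sg-nat"}],
    "NetworkInterfaces": [{"NetworkInterfaceId": "eni-nat"}]}]
SAMPLE_SECURITY_GROUPS = [{"GroupId": "sg-nat", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]


def run_sample(instances=SAMPLE_INSTANCES):
    """The asker's scenario; pass a corrected instance list to re-check."""
    return check_nat_instance_path(SAMPLE_ROUTE_TABLES, instances, SAMPLE_SECURITY_GROUPS,
                                   "subnet-priv", "10.0.1.0/24", "i-nat")
```

With real data, feed the three describe calls' `RouteTables`, the flattened `Reservations[].Instances[]` and `SecurityGroups` arrays in. The finding the sample produces is fixed with `aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check`; the check also has to stay off if the NAT instance is ever replaced, which is one of the reasons a NAT gateway is the less fragile choice outside a lab.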



Here are the steps to deploy a basic HTTPS application:

  1. Network definition
  • Set a new VPC CIDR
  • Create at least 2 subnets per layer (public & private), each with its own CIDR
  • Create 2 route tables (one for the public subnets and one for the private ones)
  • Create 1 Internet Gateway
  • Create 1 NAT Gateway (you will also need an Elastic IP)
  • Associate the Internet Gateway with the public route table | this makes the subnets you associate with it public
  • Associate the NAT Gateway with the private route table | this makes the subnets you associate with it private
  2. Create an EC2 instance in the public subnet. This will be used as a bastion to jump to the EC2 instance in the private subnet.
  • The security group must contain a rule that allows your local IP, and the protocol should be SSH (22) if it's Linux.
  3. Create an EC2 instance in the private subnet. Deploy your application on this instance. If you are going to deploy your app using HTTPS you will need to install a certificate.
  • The security group should allow your bastion's security group on port 22 (SSH).
  4. Deploy an Amazon Application Load Balancer with a 443 HTTPS listener configured.
  • The security group should allow traffic to port 443 (HTTPS).
  5. Deploy a Target Group with a 443 HTTPS listener configured.
  • Register your private EC2 instance.
  6. Check that the health check of your ALB is all green; that means it's OK.
  7. The ALB has a DNS name, so you can copy and paste it into your web browser.
  8. That's it!

If you are going to use HTTP, use the correct ports in the ALB and Target Group configuration.

For a production environment I would advise using Amazon CloudFront and Amazon WAF for better performance and security.

Also, check your Apache or Nginx configuration, just to see if port 443 is enabled. If yes:

  • Double check your security group configuration.
  • Double check your VPC's NACL configuration.
  • Double check your route table configuration.

Hope I helped you. Best regards.


answered 2 years ago, reviewed 17 days ago
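The bastion, ALB and private-instance steps in this answer amount to a chain of security-group references: the Internet reaches only the ALB, the ALB's group reaches the instance on 443, your address reaches only the bastion, and the bastion's group reaches the instance on 22. The following is an added example, not code from the original answer: it audits that chain offline over dicts shaped like `aws ec2 describe-security-groups` output and flags any rule on the private tier that names the whole Internet. The group ids `sg-alb`, `sg-bastion` and `sg-app` and the admin address 198.51.100.7/32 are constructed, and the sample private-tier group is deliberately left open on 443 to 0.0.0.0/0, the shortcut people take to get the health check green and then forget to remove; the hardened group beside it uses group references only.

```python
"""Offline audit of the security-group chain behind the layout in the answer
above: Internet -> ALB (443) -> private instance (443), and admin address ->
bastion (22) -> private instance (22). Added example, not code from the
original post; dicts mirror `aws ec2 describe-security-groups` output and the
sample is constructed, with the private tier deliberately left open."""

WORLD = ("0.0.0.0/0", "::/0")


def ingress_sources(sg, port, proto="tcp"):
    """Everything allowed to reach `port`: CIDRs and referenced group ids."""
    sources = set()
    for perm in sg.get("IpPermissions", []):
        p = perm.get("IpProtocol")
        if p not in (proto, "-1"):
            continue
        lo, hi = (0, 65535) if p == "-1" else (perm["FromPort"], perm["ToPort"])
        if not lo <= port <= hi:
            continue
        sources.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        sources.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        sources.update(g["GroupId"] for g in perm.get("UserIdGroupPairs", []))
    return sources


def world_open_rules(sg):
    """(protocol, from, to, cidr) for each rule that admits the whole Internet."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for c in cidrs:
            if c in WORLD:
                hits.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), c))
    return hits


def audit_chain(groups, alb_sg, bastion_sg, app_sg, admin_cidr):
    """Findings list; empty means each hop admits exactly its upstream and nothing else."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    # Hop 1: the ALB is the only component that should be reachable from anywhere.
    if "0.0.0.0/0" not in ingress_sources(by_id[alb_sg], 443):
        findings.append(f"{alb_sg}: ALB does not accept 443 from 0.0.0.0/0")
    # Hop 2: the bastion takes SSH from the admin address only.
    got = ingress_sources(by_id[bastion_sg], 22)
    if got != {admin_cidr}:
        findings.append(f"{bastion_sg}: 22 sources are {sorted(got)}, expected only {admin_cidr}")
    # Hops 3 and 4: the private instance trusts the ALB and bastion *groups* by
    # reference, so the rules survive address changes and admit nothing else.
    for port, upstream in ((443, alb_sg), (22, bastion_sg)):
        got = ingress_sources(by_id[app_sg], port)
        if got != {upstream}:
            findings.append(f"{app_sg}: {port} sources are {sorted(got)}, expected only {upstream}")
    # Defence in depth: no rule on the private tier may name the whole Internet.
    for proto, lo, hi, cidr in world_open_rules(by_id[app_sg]):
        findings.append(f"{app_sg}: {proto} {lo}-{hi} open to {cidr}")
    return findings


ADMIN_CIDR = "198.51.100.7/32"  # constructed admin address
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ADMIN_CIDR}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        # 0.0.0.0/0 was added "to get the health check green" and never removed
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}]
# Corrected private-tier group: group references only, no CIDR ranges at all.
HARDENED_APP_SG = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]}


def run_sample(app_sg=SAMPLE_GROUPS[2]):
    """Audit the constructed layout; pass HARDENED_APP_SG to see it come back clean."""
    return audit_chain(SAMPLE_GROUPS[:2] + [app_sg], "sg-alb", "sg-bastion", "sg-app", ADMIN_CIDR)
```

The design point is that the private tier never needs a CIDR-based ingress rule: the ALB's health checks and forwarded requests arrive from ENIs that belong to the ALB's security group, and SSH arrives from the bastion's, so referencing those groups is both sufficient and the only way to keep "private" meaningful once a NAT path gives the instance outbound reach.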
