Is internal network traffic sent to private subnets via their NAT Server?

0

I'm wondering how resources in my public subnets communicate with those in my private subnets - when there is a NAT service present.

My impression is that a self-managed NAT Server obscures all private assets (resources we own) and all external communication is initiated by the NAT server, which is doing the “address translation.” Having private subnets without any NAT Server (managed as NAT Gateway or otherwise) and applying arbitrary IPs from the RFC ranges is not the same as having those ranges translated by the NAT Server (or NAT Gateway); the fact that the RFC ranges are canonically “private” is in no way enforced in that case, there’s nothing special about those typically private ranges. The full implications of that are not really clear to me, since it’s not something I’ve seen or used much.

Additionally, my impression is that a NAT server (managed or otherwise) and private IP ranges aren't just for protecting internal resources from external communications, and that even things inside my VPC's public subnets have to route through the NAT server. Anything that wants to send packets to those RFC ranges must first communicate with the NAT server, via its public IP given by the IGW. Thus the whole mechanism enforces routing through at least 2-3 AWS managed services, even for internal, public-private communications.

Is that (all?) correct?

1 Answer
3
Accepted Answer

All instances in your VPC, regardless of the subnet, have private IP addressed from the CIDR range of the subnet they are in. When an instance wants to communicate with another instance within the VPC, the traffic goes directly. This is what the LOCAL route in all route tables is for. All communication within the VPC is using the private IPs.

The NAT Gateway is only used when an instance is trying to access an IP address which the route table forwards to the NAT device, e.g., the internet.

profile pictureAWS
EXPERT
Uri
answered a year ago
profile picture
EXPERT
reviewed 20 days ago
profile picture
EXPERT
reviewed a year ago
profile picture
EXPERT
reviewed a year ago
  • This is astonishing to me. That means that if a malicious actor can get into the public subnet, they have LOCAL routes to anything in the entire VPC, private or public - or? I would have thought that any communication with addresses in the RFC 1918 range have to first get the public IP (from the IGW) of the NAT Server (if there is one) so that the NAT Server can conduct its mapping procedure and return the private IP to the pertinent private resource. Why have DMZ networks and Jumpboxes and such if you can just access private resources from anywhere inside a VPC or VNet? (Obviously there "should" also be SGs / firewalls etc setup, but...)

  • My answer was about routing. You still need to use Network ACLs and Security groups to limit access between different instances in the same or different subnets.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions