Hello,
A few checkpoints to note when working with a NAT instance:
-> The NAT instance needs to be in the public subnet.
-> At least allow ports 80/443 on the security group of the NAT instance.
-> Point the private subnet's outbound route at the NAT instance in its route table.
If the SG, iptables, and routing are correct, then I would suggest checking this part: "Disable source/destination checks" https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
Here are the steps - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-nat-instance/
I would suggest you consider using a NAT Gateway instead. https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/ https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html
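Added example (not part of the answer above, and not AWS code): an offline check of the three checkpoints plus the source/destination check. The dictionaries mirror the shape of `aws ec2 describe-route-tables` output and the instance's `SourceDestCheck` attribute, but every id and value is constructed for the example; feed it real describe-* output to use it on your own VPC.

```python
"""Offline check of the NAT-instance checkpoints from the answer above.

The dictionaries mirror the shape of `aws ec2 describe-route-tables` output
and the instance's SourceDestCheck attribute, but every id and value below is
CONSTRUCTED for this example; swap in real describe-* output to use it.
"""
from typing import Dict, List, Optional

# --- constructed sample data ------------------------------------------------
NAT_INSTANCE_ID = "i-0nat0000example"          # constructed id
PUBLIC_SUBNET, PRIVATE_SUBNET = "subnet-public-example", "subnet-private-example"

ROUTE_TABLES = [
    {   # public route table: default route to an internet gateway
        "RouteTableId": "rtb-public-example",
        "Associations": [{"SubnetId": PUBLIC_SUBNET}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
    {   # private route table: default route to the NAT instance
        "RouteTableId": "rtb-private-example",
        "Associations": [{"SubnetId": PRIVATE_SUBNET}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": NAT_INSTANCE_ID},
        ],
    },
]

# SourceDestCheck as returned by `describe-instance-attribute --attribute sourceDestCheck`
NAT_INSTANCE = {"InstanceId": NAT_INSTANCE_ID, "SubnetId": PUBLIC_SUBNET,
                "SourceDestCheck": False}


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Return the route table explicitly associated with a subnet.

    Subnets that fall back to the VPC's main route table are not modelled here.
    """
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(route_table: Optional[Dict]) -> Optional[Dict]:
    """Return the 0.0.0.0/0 route of a table, if any."""
    if route_table is None:
        return None
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def check_nat_instance(route_tables: List[Dict], nat: Dict, private_subnet: str) -> List[str]:
    """Return a list of findings; an empty list means the checkpoints hold."""
    findings: List[str] = []

    # 1. NAT instance must live in a public subnet, i.e. its subnet's default route hits an IGW.
    nat_default = default_route(route_table_for_subnet(route_tables, nat["SubnetId"]))
    if nat_default is None or not str(nat_default.get("GatewayId", "")).startswith("igw-"):
        findings.append("NAT instance is not in a public subnet (no 0.0.0.0/0 route via igw-*)")

    # 2. The private subnet's default route must point at the NAT instance.
    priv_default = default_route(route_table_for_subnet(route_tables, private_subnet))
    if priv_default is None or priv_default.get("InstanceId") != nat["InstanceId"]:
        findings.append("private subnet 0.0.0.0/0 route does not target the NAT instance")

    # 3. Source/destination check must be off, or EC2 drops packets the instance forwards.
    if nat.get("SourceDestCheck", True):
        findings.append("SourceDestCheck is still enabled on the NAT instance")

    return findings


if __name__ == "__main__":
    for line in check_nat_instance(ROUTE_TABLES, NAT_INSTANCE, PRIVATE_SUBNET) or ["all checks passed"]:
        print(line)
```

The security-group check (ports 80/443 from the private subnet) is deliberately left out here so the script stays focused on routing; the source/destination check is the one people most often miss, because the instance looks healthy and the routes look right while every forwarded packet is silently dropped.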
Hi.
Here are the steps to deploy a basic HTTPS application:
- Network definition
- Set a new VPC CIDR 10.0.0.0/16
- Create at least 2 subnets per layer (public & private); CIDR example: 10.0.1.0/24
- Create 2 route tables (one for the public subnets and one for the private ones)
- Create 1 Internet Gateway
- Create 1 NAT Gateway (you will also need an Elastic IP)
- Associate the Internet Gateway with the public route table. This makes the subnets you associate with it public.
- Associate the NAT Gateway with the private route table. This makes the subnets you associate with it private.
- Create an EC2 instance in the public subnet. This will be used as a bastion to jump to the EC2 instance in the private subnet.
- The security group must contain a rule that allows your local IP, and the protocol should be SSH (port 22) if it's Linux.
- Create an EC2 instance in the private subnet. Deploy your application on this instance. If you are going to deploy your app using HTTPS, you will need to install a certificate.
- The security group should allow your bastion's security group on port 22 (SSH).
- Deploy an Amazon Application Load Balancer with a 443 HTTPS listener configured.
- The security group should allow traffic from 0.0.0.0/0 to port 443 (HTTPS).
- Deploy a Target Group with 443 HTTPS configured.
- Register your private EC2 instance.
- You must see that the health check of your ALB is all green; that means it's OK.
- The ALB has a DNS name, so you can copy and paste it into your web browser.
- That's it!
If you are going to use HTTP, use the correct ports in the ALB and Target Group configuration.
For a production environment I would advise using Amazon CloudFront and AWS WAF for better performance and security.
Also, check your Apache or Nginx configuration, just to see if your 443 port is enabled. If yes:
- Double-check your Security Groups configuration.
- Double-check your VPC's NACL configuration.
- Double-check your route tables configuration.
Hope I helped you. Best regards,
HE
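Added example (not part of the answer above, and not AWS code): an offline lint of the security-group chain those steps describe, i.e. admin IP to bastion on 22, bastion SG to app on 22, 0.0.0.0/0 to ALB on 443, ALB SG to app on 443. The group dictionaries mirror `aws ec2 describe-security-groups` output; every id, CIDR and rule is constructed for the example. The point it adds to the steps is the "double-check your Security Groups" part: the script flags the common slip where the private instance also ends up reachable on 22 from the world, or where a group is wider than a single port.

```python
"""Offline lint of the security-group chain from the steps above:
admin IP -> bastion:22, bastion SG -> app:22, 0.0.0.0/0 -> ALB:443, ALB SG -> app:443.

The group dictionaries mirror `aws ec2 describe-security-groups` output; every
id, CIDR and rule below is CONSTRUCTED for this example.
"""
from typing import Dict, List, Set, Tuple

ADMIN_CIDR = "203.0.113.10/32"                       # constructed operator IP (TEST-NET-3)
ALB_SG, BASTION_SG, APP_SG = "sg-alb-example", "sg-bastion-example", "sg-app-example"


def rule(proto: str, port: int, cidrs=(), sgs=()) -> Dict:
    """Build one inbound IpPermissions entry in describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in sgs]}


# Constructed sample: the intended least-privilege chain.
SECURITY_GROUPS = [
    {"GroupId": ALB_SG,     "IpPermissions": [rule("tcp", 443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": BASTION_SG, "IpPermissions": [rule("tcp", 22, cidrs=[ADMIN_CIDR])]},
    {"GroupId": APP_SG,     "IpPermissions": [rule("tcp", 22, sgs=[BASTION_SG]),
                                              rule("tcp", 443, sgs=[ALB_SG])]},
]

# Policy: group -> {(protocol, port): allowed sources}. Anything else is a finding.
EXPECTED: Dict[str, Dict[Tuple[str, int], Set[str]]] = {
    ALB_SG:     {("tcp", 443): {"cidr:0.0.0.0/0"}},
    BASTION_SG: {("tcp", 22): {f"cidr:{ADMIN_CIDR}"}},
    APP_SG:     {("tcp", 22): {f"sg:{BASTION_SG}"}, ("tcp", 443): {f"sg:{ALB_SG}"}},
}


def sources(perm: Dict) -> Set[str]:
    """Normalise a permission's CIDR and group sources into 'cidr:x' / 'sg:y' tags."""
    tags = {f"cidr:{r['CidrIp']}" for r in perm.get("IpRanges", [])}
    tags |= {f"sg:{p['GroupId']}" for p in perm.get("UserIdGroupPairs", [])}
    return tags


def lint_security_groups(groups: List[Dict], expected=EXPECTED) -> List[str]:
    """Compare inbound rules against the policy; return findings (empty list = compliant)."""
    findings: List[str] = []
    by_id = {g["GroupId"]: g for g in groups}
    for gid, want in expected.items():
        group = by_id.get(gid)
        if group is None:
            findings.append(f"{gid}: group not found")
            continue
        covered = set()
        for perm in group.get("IpPermissions", []):
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1" or lo is None or lo != hi:
                # all-traffic ("-1") or port-range rules are never part of this chain
                findings.append(f"{gid}: rule {proto} {lo}-{hi} is broader than a single port")
                continue
            key = (proto, lo)
            if key not in want:
                findings.append(f"{gid}: unexpected inbound rule {proto}/{lo}")
                continue
            covered.add(key)
            # any source beyond the policy (e.g. 0.0.0.0/0 on the app's port 22) is a finding
            for src in sorted(sources(perm) - want[key]):
                findings.append(f"{gid}: {proto}/{lo} open to unexpected source {src}")
        for proto, port in sorted(set(want) - covered):
            findings.append(f"{gid}: missing inbound rule {proto}/{port}")
    return findings


if __name__ == "__main__":
    for line in lint_security_groups(SECURITY_GROUPS) or ["security-group chain matches policy"]:
        print(line)
```

Referencing the bastion and ALB groups by group id rather than by CIDR is what keeps the app instance unreachable from anywhere except those two hops, so the lint treats a CIDR source on the app group as a finding even when a group source is also present.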
Thanks for your comment. Yes, I would think about a NAT gateway, but it's totally for personal hands-on, so from a cost optimization perspective, I thought of a NAT instance.