Hooray & welcome to Part-11. Congratulate yourself on having reached this level.
· An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between the VPC and the internet.
· An internet gateway serves two purposes: to provide a target in the VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
· An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.
Enabling internet access
To enable access to or from the internet for instances in a subnet in a VPC, you must do the following:
• Attach an internet gateway to your VPC.
• Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
• Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
• Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.
· To enable communication over the internet for IPv4, your instance must have a public IPv4 address or an Elastic IP address that’s associated with a private IPv4 address on your instance. Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet. The internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the internet, the reply address field is set to the public IPv4 address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that’s destined for the public IPv4 address or Elastic IP address of your instance has its destination address translated into the instance’s private IPv4 address before the traffic is delivered to the VPC.
· To enable communication over the internet for IPv6, your VPC and subnet must have an associated IPv6 CIDR block, and your instance must be assigned an IPv6 address from the range of the subnet. IPv6 addresses are globally unique, and therefore public by default.
In the following diagram, Subnet 1 in the VPC is a public subnet. It’s associated with a custom route table that points all internet-bound IPv4 traffic to an internet gateway. The instance has an Elastic IP address, which enables communication with the internet. To provide instances with internet access without assigning them public IP addresses, use a NAT device instead.
Internet access for default and non-default VPCs
The following table provides an overview of whether your VPC automatically comes with the components required for internet access over IPv4 or IPv6.
Egress-only internet gateways
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
An egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead.
Amazon does not support NAT, or Network Prefix Translation, for IPv6.
Use it if you require an instance to access the internet while preventing resources on the internet from initiating communication with the instance.
To do this, create an egress-only internet gateway, and then add a route to the route table that points all IPv6 traffic (::/0) or a specific range of IPv6 addresses to the egress-only internet gateway.
It is stateful: it forwards traffic from the instances to the internet or other AWS services, and then sends the response back to the instances.
An egress-only internet gateway has the following characteristics:
• You cannot associate a security group with an egress-only internet gateway. You can only use security groups for the instances in the private subnet to control the traffic to and from those instances.
• You can use a network ACL to control the traffic to and from the subnet for which the egress-only internet gateway routes traffic.
In the following diagram, a VPC has an IPv6 CIDR block, and a subnet in the VPC has an IPv6 CIDR block. A custom route table is associated with Subnet 1 and points all internet-bound IPv6 traffic (::/0) to an egress-only internet gateway in the VPC.
> Any instance that is launched into a private subnet in a VPC is not able to communicate directly with the Internet through an Internet gateway.
> The subnet route table includes no routes to an Internet gateway.
> Connections originating from outside the VPC cannot reach instances inside the private subnet.
A NAT gateway is an AWS-managed resource that is designed to operate just like a NAT instance but is simpler to manage and highly available within an Availability Zone.
To allow instances within a private subnet to access Internet resources via a NAT gateway, you must do the following:
■ Create a NAT gateway in a public subnet.
■ Allocate and associate an IPv4 Elastic IP address with a NAT gateway.
■ Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway (for example, nat-1a2b3c4d).
Note: PAT overloads a single IP address by using multiple, different User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) ports. This limits a single NAT gateway to roughly 65,000 simultaneous flows to a single destination IP, port, and protocol tuple.
The following diagram illustrates the architecture of a VPC with a NAT gateway. The main route table sends internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway sends the traffic to the internet gateway using the NAT gateway’s Elastic IP address as the source IP address.
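The public/private distinction defined above, together with the NAT gateway and egress-only internet gateway routes, can be turned into an audit check. This is an added example, not code from the original notes or from AWS: given route-table data in the shape of `aws ec2 describe-route-tables` output, it classifies each subnet by its internet exposure, falling back to the VPC's main route table for subnets without an explicit association. The route tables, subnet ids and gateway ids below are constructed.

```python
# Constructed sample in the shape of `aws ec2 describe-route-tables` output (not from
# a real account): a main table with only the local route, a public table (igw-) and a
# private table with a NAT gateway (IPv4) and an egress-only gateway (IPv6) route.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-nat",
     "Associations": [{"Main": False, "SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1a2b3c4d"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-5678"}]},
]
SUBNETS = ["subnet-a", "subnet-b", "subnet-c"]  # subnet-c has no explicit association


def table_for_subnet(subnet_id, tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify(subnet_id, tables):
    """Return 'public', 'private-nat', 'private-egress-only-ipv6' or 'isolated'."""
    table = table_for_subnet(subnet_id, tables)
    targets = set()
    for route in (table or {}).get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes (target deleted) forward nothing
        if str(route.get("GatewayId", "")).startswith("igw-"):
            targets.add("igw")  # any route to an IGW makes the subnet public
        elif "NatGatewayId" in route:
            targets.add("nat")
        elif "EgressOnlyInternetGatewayId" in route:
            targets.add("eigw")
    for target, label in (("igw", "public"), ("nat", "private-nat"),
                          ("eigw", "private-egress-only-ipv6")):
        if target in targets:
            return label  # IPv4 paths rank before the IPv6-only egress path
    return "isolated"  # no internet path at all


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(f"{subnet}: {classify(subnet, ROUTE_TABLES)}")
```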
NAT gateway rules and limitations
A NAT gateway has the following characteristics and limitations:
• A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. If you require more, you can distribute the workload by splitting your resources into multiple subnets, and creating a NAT gateway in each subnet.
• You can associate exactly one Elastic IP address with a NAT gateway. You cannot disassociate an Elastic IP address from a NAT gateway after it’s created. To use a different Elastic IP address for your NAT gateway, you must create a new NAT gateway with the required address, update your route tables, and then delete the existing NAT gateway if it’s no longer required.
• A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
• You cannot associate a security group with a NAT gateway. You can use security groups for your instances in the private subnets to control the traffic to and from those instances.
• You can use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located. The network ACL applies to the NAT gateway’s traffic. A NAT gateway uses ports 1024–65535.
· When a NAT gateway is created, it receives a network interface that’s automatically assigned a private IP address from the IP address range of your subnet. You can view the NAT gateway’s network interface in the Amazon EC2 console.
· A NAT gateway cannot be accessed by a ClassicLink connection that is associated with your VPC.
· You cannot route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections.
· A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway.
Migrating from a NAT instance
Make sure the NAT gateway is in the same subnet as the NAT instance, and then replace the existing route in the route table that points to the NAT instance with a route that points to the NAT gateway. To use the same Elastic IP address for the NAT gateway that is currently used for the NAT instance, first disassociate the Elastic IP address from the NAT instance and then associate it with the NAT gateway after creating it.
If you change your routing from a NAT instance to a NAT gateway, or if you disassociate the Elastic IP address from your NAT instance, any current connections are dropped and have to be re-established. Ensure that you do not have any critical tasks (or any other tasks that operate through the NAT instance) running.
Best practice when sending traffic to Amazon S3 or DynamoDB in the same region
To avoid data processing charges for NAT gateways when accessing Amazon S3 and DynamoDB in the same Region, set up a gateway endpoint and route the traffic through the gateway endpoint instead of the NAT gateway. There are no charges for using a gateway endpoint.
Controlling the use of NAT gateways
By default, IAM users do not have permission to work with NAT gateways. You can create an IAM user policy that grants users permissions to create, describe, and delete NAT gateways. We currently do not support resource-level permissions for any of the ec2:*NatGateway* API operations.
Tagging a NAT gateway
Tag a NAT gateway to help identify it or categorize it according to your organization’s needs.
Cost allocation tags are supported for NAT gateways. Therefore, you can also use tags to organize your AWS bill and reflect your own cost structure.
Monitoring NAT gateways using Amazon CloudWatch
You can monitor a NAT gateway using CloudWatch, which collects information from the NAT gateway and creates readable, near-real-time metrics.
To filter the metric data, use the following dimension.
Use a network address translation (NAT) instance in a public subnet in the VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, while preventing the instances from receiving inbound traffic initiated by someone on the Internet.
NAT instances are not supported for IPv6 traffic; use an egress-only Internet gateway instead.
It’s better to use a NAT gateway, which is a managed NAT service that provides better availability, higher bandwidth, and requires less administrative effort. For common use cases, it is recommended to use a NAT gateway rather than a NAT instance.
NAT instance basics
The main route table is associated with the private subnet and sends the traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance sends the traffic to the Internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.
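The port-based reply routing described here, and the per-destination flow limit from the PAT note in the NAT gateway section above, can be made concrete with a small model of the translation table. This is an added example, not code from the original notes or from AWS: it allocates a high source port per destination (ip, port, protocol) tuple, maps replies back by port, and raises once the range for one destination is exhausted, which is the condition the ErrorPortAllocation metric counts. All addresses are constructed.

```python
# Added example (not from the original notes): a minimal model of the port address
# translation (PAT) that a NAT instance or NAT gateway performs. Source ports are
# allocated per destination (ip, port, protocol) tuple, which is why the high-port
# range bounds the simultaneous flows to any one destination while a different
# destination port or protocol gets a fresh range. All addresses are constructed.
PORT_RANGE = range(1024, 65536)  # high ports the translator may use as source ports


class PortAllocationError(Exception):
    """No free source port is left for this destination (cf. ErrorPortAllocation)."""


class PatTranslator:
    def __init__(self, public_ip):
        self.public_ip = public_ip   # the NAT's Elastic IP, seen by the internet
        self._free = {}      # dest tuple -> list of still-unused public source ports
        self._outbound = {}  # (private_ip, private_port, dest) -> public port
        self._inbound = {}   # (public_port, dest) -> (private_ip, private_port)

    def translate_out(self, private_ip, private_port, dest):
        """Rewrite an outbound flow's source to (public_ip, high port); reuse if known."""
        key = (private_ip, private_port, dest)
        if key in self._outbound:
            return self.public_ip, self._outbound[key]
        free = self._free.setdefault(dest, list(PORT_RANGE))
        if not free:
            raise PortAllocationError(f"no free source port towards {dest}")
        port = free.pop()
        self._outbound[key] = port
        self._inbound[(port, dest)] = (private_ip, private_port)
        return self.public_ip, port

    def translate_in(self, public_port, dest):
        """Deliver a reply arriving on the public port to the right private instance."""
        return self._inbound.get((public_port, dest))

    def close(self, private_ip, private_port, dest):
        """Release the mapping (and its port) when the flow ends."""
        port = self._outbound.pop((private_ip, private_port, dest), None)
        if port is not None:
            self._inbound.pop((port, dest), None)
            self._free[dest].append(port)

    def active_flows(self, dest):
        """Flows currently translated towards dest; capped by len(PORT_RANGE)."""
        return len(PORT_RANGE) - len(self._free.get(dest, PORT_RANGE))
```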
Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console.
When launching an instance from a NAT AMI, the following configuration occurs on the instance:
• IPv4 forwarding is enabled and ICMP redirects are disabled in /etc/sysctl.d/10-nat-settings.conf
• A script located at /usr/sbin/configure-pat.sh runs at startup and configures iptables IP masquerading.
It is recommended to always use the latest version of the NAT AMI to take advantage of configuration updates. If you add and remove secondary IPv4 CIDR blocks on the VPC, ensure that it uses AMI version amzn-ami-vpc-nat-hvm-2017.03.1.20170623-x86_64-ebs or later.
NAT instance quota depends on the instance quota for the region.
Creating the NATSG security group
Define the NATSG security group as described in the following table to enable the NAT instance to receive Internet-bound traffic from instances in a private subnet, as well as SSH traffic from the network. The NAT instance can also send traffic to the Internet, which enables the instances in the private subnet to get software updates.
Comparison of NAT instances and NAT gateways
The following is a high-level summary of the differences between NAT instances and NAT gateways.
It’s a long journey getting to know the various gateways that AWS has to offer. We have wrapped up gateways & are moving forward with DHCP, DNS & VPC Peering.