Prerequisites¶
- projectX-prod-vpc has been created with subnets configured.
- projectx-prod-jumpbox EC2 instance exists and is accessible.
- My-Desktop-Key-Pair key pair exists.
- AWS CLI configured with appropriate credentials.
Network Topology¶
Overview¶
What is a NAT Gateway?¶
A Network Address Translation (NAT) Gateway is a managed AWS service that lets resources in private subnets reach the internet for outbound connections. It rewrites the source address of their traffic to its own public address, so replies to connections the instances initiate are allowed back in, while unsolicited inbound connections from the internet have no path to the instances.
NAT Gateways are typically used to allow EC2 instances to download software updates and generally permit outbound internet access for resources in private subnets.
This is exactly what we will do.
👉 Important: A NAT Gateway is zonal: it is created in one Availability Zone of one region. Private subnets in other AZs can still route through it, but they then depend on that AZ staying healthy and pay cross-AZ data transfer charges. For high availability, deploy one NAT Gateway per AZ and point each AZ's private route table at its own gateway. For this project a single gateway is enough, because it is temporary.
💲 Also Important: NAT Gateways are not part of the AWS Free Tier. You are billed for every hour the gateway exists plus a per-GB data-processing charge, whether or not any traffic flows. Therefore, we will only keep a NAT Gateway for as long as it takes to configure projectx-prod-websvr, capture updates, and download our web stack.
Note
DELETE YOUR NAT GATEWAY AFTER DOWNLOADING UPDATES & WEB SERVER STACK.
Allocate Elastic IP¶
A NAT Gateway requires an Elastic IP (EIP) address. An Elastic IP is a static, public IPv4 address that you can allocate to your AWS account.
Navigate to VPC ➔ Elastic IPs.
Select "Allocate Elastic IP address".
Configure the Elastic IP:
- Public IPv4 address pool: Amazon's pool of IPv4 addresses
Tags:
- Name: projectx-prod-nat-eip
Select "Allocate".
👉 Note: Make a note of the allocation ID and the address that was allocated. You select the allocation when creating the NAT Gateway (AWS associates it for you), and the address is what every outbound connection from your private subnets will appear to come from, which matters if a remote service allow-lists your source IP.
Create NAT Gateway¶
Navigate to VPC ➔ NAT Gateways.
Select "Create NAT gateway".
Configure the NAT Gateway:
Name:
- Name tag: projectx-prod-nat-GW
Subnet:
- Subnet: Select Public Subnet
👉 The NAT Gateway must be placed in a public subnet that has a route to an Internet Gateway.
Elastic IP allocation:
- Elastic IP allocation ID: Select the Elastic IP you just created (projectx-prod-nat-eip)
Tags:
- Name: projectx-prod-nat-GW
Select "Create NAT gateway".
👉 Note: It may take a few minutes for the NAT Gateway to become available. Wait until the status shows "Available" before proceeding.
Update Private Route Table¶
Now we need to update the private route table to route outbound internet traffic through the NAT Gateway.
Navigate to VPC ➔ Route Tables.
Select the private route table projectX-prod-private-rt.
Select "Edit routes".
Add a route to the NAT Gateway:
Select "Add route".
Configure:
- Destination: 0.0.0.0/0 (all internet traffic)
- Target: Select NAT Gateway → projectx-prod-nat-GW
Select "Save changes".
👉 Your private route table should now have two routes:
1. Local VPC route: 10.0.0.0/16 → local (for communication within the VPC)
2. Internet route: 0.0.0.0/0 → projectx-prod-nat-GW (for outbound internet access)
Verify Configuration¶
Verify your NAT Gateway setup:
- Elastic IP: projectx-prod-nat-eip allocated and associated with the NAT Gateway
- NAT Gateway: projectx-prod-nat-GW in Available status, deployed in ProjectX-Prod-Public-Subnet
- Private Route Table: projectX-prod-private-rt has a route 0.0.0.0/0 → projectx-prod-nat-GW
Test Internet Connectivity¶
To verify that private instances can now access the internet, run the test from an instance in the private subnet (for example projectx-prod-websvr, reached through projectx-prod-jumpbox). The public address that instance appears to have on the internet should be the NAT Gateway's Elastic IP, not any address of its own.
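The following script is an added example for both the Verify Configuration checklist above and this connectivity test; it is not part of the original tutorial. It wraps the three checks a practitioner actually wants as shell functions: the private route table has an active default route to a NAT gateway and no route to an internet gateway, the NAT gateway is available in the public subnet with the expected Elastic IP, and the address seen from the private instance is that Elastic IP. The functions read the tab-separated text output of the AWS CLI commands quoted in the comments; the resource IDs and the address 203.0.113.10 in the demo are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): NAT Gateway sanity checks.
# All IDs and the address 203.0.113.10 below are constructed placeholders.
set -eu

# Lines for private_rt_ok come from (columns: destination, gateway-id,
# nat-gateway-id, state; absent fields print as "None"):
#   aws ec2 describe-route-tables \
#     --filters Name=tag:Name,Values=projectX-prod-private-rt \
#     --query 'RouteTables[0].Routes[].[DestinationCidrBlock,GatewayId,NatGatewayId,State]' \
#     --output text
# Passes only when the default route targets an ACTIVE NAT gateway and no route
# targets an internet gateway: an igw- route would make the subnet public, and
# a "blackhole" state means the NAT gateway was deleted but the route was not.
private_rt_ok() {
  awk -F '\t' '
    $1 == "0.0.0.0/0" && $3 ~ /^nat-/ && $4 == "active" { nat = 1 }
    $2 ~ /^igw-/                                        { igw = 1 }
    END { exit !(nat && !igw) }'
}

# The line for nat_gw_ok comes from (columns: state, subnet-id, public-ip):
#   aws ec2 describe-nat-gateways \
#     --filter Name=tag:Name,Values=projectx-prod-nat-GW \
#     --query 'NatGateways[0].[State,SubnetId,NatGatewayAddresses[0].PublicIp]' \
#     --output text
# $1 = expected Elastic IP, $2 = ID of the public subnet the gateway must be in.
nat_gw_ok() {
  awk -F '\t' -v eip="$1" -v subnet="$2" '
    $1 == "available" && $2 == subnet && $3 == eip { ok = 1 }
    END { exit !ok }'
}

# On the private instance:  curl -s --max-time 10 https://checkip.amazonaws.com
# prints the address the internet sees. Through the NAT gateway that must be the
# Elastic IP; a 10.x address or a timeout means the route is wrong.
# $1 = expected Elastic IP, $2 = captured checkip output (trailing newline ok).
egress_via_eip() {
  [ "$(printf '%s' "$2" | tr -d '[:space:]')" = "$1" ]
}

if [ "${1:-}" = "--live" ]; then
  # Usage where the AWS CLI is configured:  sh nat-check.sh --live <eip> <public-subnet-id>
  EIP="$2"; PUBLIC_SUBNET="$3"
  aws ec2 describe-route-tables --filters Name=tag:Name,Values=projectX-prod-private-rt \
    --query 'RouteTables[0].Routes[].[DestinationCidrBlock,GatewayId,NatGatewayId,State]' \
    --output text | private_rt_ok && echo "private route table: OK" || echo "private route table: FAIL"
  aws ec2 describe-nat-gateways --filter Name=tag:Name,Values=projectx-prod-nat-GW \
    --query 'NatGateways[0].[State,SubnetId,NatGatewayAddresses[0].PublicIp]' \
    --output text | nat_gw_ok "$EIP" "$PUBLIC_SUBNET" && echo "NAT gateway: OK" || echo "NAT gateway: FAIL"
else
  # Offline demo on constructed sample output (not captured from a real account).
  good_rt=$(printf '10.0.0.0/16\tlocal\tNone\tactive\n0.0.0.0/0\tNone\tnat-0123456789abcdef0\tactive\n')
  stale_rt=$(printf '10.0.0.0/16\tlocal\tNone\tactive\n0.0.0.0/0\tNone\tnat-0123456789abcdef0\tblackhole\n')
  printf '%s\n' "$good_rt"  | private_rt_ok && echo "sample route table: OK"
  printf '%s\n' "$stale_rt" | private_rt_ok || echo "sample stale route table: FAIL (NAT gateway gone, route left behind)"
  printf 'available\tsubnet-0aaa\t203.0.113.10\n' | nat_gw_ok 203.0.113.10 subnet-0aaa && echo "sample NAT gateway: OK"
  egress_via_eip 203.0.113.10 "$(printf '203.0.113.10\n')" && echo "sample egress: OK"
fi
```

The blackhole case is the one to remember: after you delete the NAT Gateway at the end of this page, the 0.0.0.0/0 route stays in the table in blackhole state, and this check fails until you remove it. Run the egress check from the private instance itself, since the route-table and gateway checks only prove the configuration, not that packets actually leave through it.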
👉 Security Note: The NAT Gateway only carries connections that originate inside the VPC. Resources in private subnets can initiate connections to the internet and receive the replies, but unsolicited inbound connections from the internet have no route to them, so your private resources stay unreachable. Security groups still apply on top of this: we will adjust the projectx-prod-websvr-SG Security Group to allow SSH (from the jumpbox) and HTTPS traffic so the web server can capture updates.
Your NAT Gateway is now configured and ready to provide internet access to resources in your private subnets!
Success!
Note
DELETE YOUR NAT GATEWAY AFTER DOWNLOADING UPDATES & WEB SERVER STACK. Deleting the gateway disassociates the Elastic IP but does not release it, and an unassociated Elastic IP is still billed, so release projectx-prod-nat-eip as well. The 0.0.0.0/0 route in projectX-prod-private-rt will then show a blackhole status; remove it so the private subnet has no default route at all.