AWS EC2 instance in private subnet unable to connect to internet via NAT gateway
Question
I have two EC2 instances, one on public subnet(10.1.1.0/24) and one on private subnet (10.1.2.0/24) EC2 instance in public subnet works fine with internet connectivity and configured services.
There is a NAT Gateway configured in the public subnet 10.1.1.0/24 with Elastic IP. Default route on private subnet is [0.0.0.0/0 --> NAT Gateway in public subnet]. I have a custom network ACL on private subnet, what I observed is when source and destination for inbound/outbound rules is set to 10.1.1.0/24 (public subnet) external connectivity breaks, but ssh works. Only when source/destination are set to 'any' does internet connectivity restore. I am trying to understand what exact source/destination should be used in network ACLs on private subnet for internet connectivity to work.
1 answers
solution1
0 2020-09-14 04:37:27
To allow instance from private subnet access internet using NAT gateway, your NACLs or SG must allow internet traffic . The NAT does not change the internet traffic into private VPC traffic. So if you remove 0.0.0.0/0 the internet connectivity stops.
This is explained in AWS docs on Instances cannot access the internet :
Ensure that the network ACLs that are associated with the private subnet and public subnets do not have rules that block inbound or outbound internet traffic .
Therefore, you must allow 0.0.0.0/0 (or some IP range if you want only part of internet traffic) in your NACL and SG for the instances in private subnet.
As a side note, generally NACLs are not modified, and default settings are usually used. Instead security groups are the first choice of controlling access to and from the instances.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.