Prashant Lakhera

AWS Under the Hood - Day 4

Why can't a user from the internet directly connect to an instance that is behind an AWS NAT Gateway?

When you're dealing with an instance in an Amazon Web Services (AWS) environment that is connected via a NAT (Network Address Translation) Gateway, it's important to understand the specific roles and configurations involved, which affect how network traffic is managed. A NAT Gateway in AWS primarily allows instances within a private subnet to connect to the Internet or other AWS services while preventing the Internet from initiating a connection with those instances. Here’s how it works:

Understanding AWS NAT Gateway
Purpose and Functionality: A NAT Gateway enables instances in a private subnet to send outbound traffic to the internet, allowing for updates, downloads, and other internet-dependent activities. It also allows the instances to receive the responses from this outbound traffic. However, the NAT Gateway does not enable inbound connections from the internet to the instances behind it. This is a security feature designed to protect instances in private subnets from unwanted external access.
Network Isolation: Instances in the private subnet do not have public IP addresses. Instead, they are assigned private IP addresses that are not routable on the internet. When an instance in a private subnet communicates with the internet, the NAT Gateway translates the private IP address of the instance to the public IP address of the NAT Gateway. This translation is part of why the process is called Network Address Translation.
One-way Initiation: The translation setup of the NAT Gateway only maintains the state of active connections initiated from the private subnet. Since the NAT Gateway maps multiple private IPs to a single public IP, it uses a combination of the port number and the source IP to distinguish between different connections. When a connection is initiated from outside (the internet) without a prior corresponding internal request, the NAT Gateway has no rules or states to match this incoming connection to an internal private IP; thus, it blocks/drops such requests.

Under the Hood: How NAT Gateway Works
IP Masquerading: When an outbound request is made from an instance in the private subnet, the NAT Gateway modifies the packet headers: it replaces the source private IP address and port of the originating instance with its own public IP address and a different port number. This masquerading ensures that all responses to the outbound requests are directed back to the NAT Gateway.
Connection Tracking: The NAT Gateway maintains a translation table that keeps track of each outbound connection's original source IP and port, along with the translated public IP and port. This table is used to route the responses from the internet back to the correct originating instance inside the private subnet.
Security Implications: Since the NAT Gateway does not allow inbound connections unless they are responses to requests initiated from within the private subnet, it acts as a layer of security, blocking unsolicited inbound traffic. This configuration minimizes the attack surface of instances within the private subnet by making them unreachable directly from the internet.
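
The masquerading and connection-tracking steps above can be modelled as a small translation table. This is an added example, not code from the original post and not AWS's implementation; the NatGateway class, the first_port value, the choice to key inbound state on the remote endpoint, and all addresses (documentation ranges) are constructed assumptions.

```python
from itertools import count


class NatGateway:
    """Toy model of source NAT with connection tracking (not AWS's code)."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = count(first_port)  # next free translated source port
        self._out = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self._in = {}   # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port, dst_ip, dst_port):
        """Translate a packet leaving the private subnet; create state if new."""
        flow = (priv_ip, priv_port, dst_ip, dst_port)
        if flow not in self._out:
            port = next(self._ports)
            self._out[flow] = port
            self._in[(port, dst_ip, dst_port)] = (priv_ip, priv_port)
        # The internet only ever sees the gateway's address and port.
        return (self.public_ip, self._out[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the private (ip, port) to forward to, or None to drop."""
        return self._in.get((dst_port, src_ip, src_port))


def demo():
    nat = NatGateway("203.0.113.10")  # constructed public IP
    # Two instances use the same source port toward the same server.
    a = nat.outbound("10.0.1.5", 40000, "198.51.100.7", 443)
    b = nat.outbound("10.0.1.6", 40000, "198.51.100.7", 443)
    return {
        "a": a,
        "b": b,
        # Replies to each translated port reach the right instance.
        "reply_a": nat.inbound("198.51.100.7", 443, a[1]),
        "reply_b": nat.inbound("198.51.100.7", 443, b[1]),
        # Unsolicited connection to a port with no state: dropped.
        "unsolicited": nat.inbound("192.0.2.99", 51000, 22),
        # Different remote host aiming at an in-use port: no matching state.
        "wrong_peer": nat.inbound("192.0.2.99", 443, a[1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both instances leave with the same public IP but different translated ports, and an inbound packet is forwarded only when it matches an entry that an earlier outbound packet created.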

If a user from the internet attempts to directly connect to an instance behind a NAT Gateway, they will not be able to establish a connection. This is because the NAT Gateway does not translate inbound initiations into the private network unless they correspond to outgoing requests. This operational limitation ensures that the instances behind the NAT Gateway are shielded from direct exposure to the internet. To enable internet users to connect to services hosted on private instances, a typical approach involves using a Public IP or an Elastic Load Balancer (ELB) along with appropriate security group settings that allow inbound traffic as required.

📚 If you're interested in a more in-depth explanation of these topics, please check out my new book “Cracking the DevOps Interview”
📚 To learn more about AWS, check out my book “AWS for System Administrators”
