Parth Patel

NAT Instance Tutorial

What is a NAT instance?

A NAT instance provides network address translation (NAT). You can use a NAT instance to allow resources in a private subnet to communicate with destinations outside the virtual private cloud (VPC), such as the internet or an on-premises network. The resources in the private subnet can initiate outbound IPv4 traffic to the internet, but they can't receive inbound traffic initiated on the internet.

Basic Understanding

The route table associated with the private subnet sends internet traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance then sends the traffic to the internet gateway. The traffic is attributed to the public IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.


Step 1: Create a VPC for the NAT instance

When creating a VPC, select "Create VPC," choose the appropriate VPC, name it, and click "Create VPC."


Step 2: Create a security group for the NAT instance

Choose Create security group. Enter a name and description for the security group.

To add inbound traffic rules, select HTTP, HTTPS, and SSH for the types, and enter the appropriate IP address ranges for Source.

For outbound traffic rules, select HTTP and HTTPS for the types, and enter for Destination.

Finally, click on "Create security group".

Step 3: Launch an EC2 instance (Amazon Linux 2023)

Connect to your instance and run the following commands:

  1. sudo yum install iptables-services -y
  2. sudo systemctl enable iptables
  3. sudo systemctl start iptables
  4. sudo vim /etc/sysctl.d/custom-ip.conf, add the line net.ipv4.ip_forward=1, then save and quit with :wq
  5. sudo sysctl -p /etc/sysctl.d/custom-ip.conf
  6. netstat -i (on this instance the primary network interface is enX0)
  7. sudo /sbin/iptables -t nat -A POSTROUTING -o enX0 -j MASQUERADE (replace enX0 with the primary network interface name from step 6)
  8. sudo /sbin/iptables -F FORWARD
  9. sudo service iptables save
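Once the nine commands above have run, the check a practitioner will want is whether the saved ruleset is as tight as it should be: the MASQUERADE rule in step 7 matches every source, and step 8 empties the FORWARD chain, so with iptables' default ACCEPT policy the instance forwards whatever reaches it. The following audit script is an added example and not part of the original post or of AWS tooling; it parses an `iptables-save` dump (a constructed sample of what the tutorial's commands leave behind is embedded, or pipe the real dump on stdin) and reports those two gaps. The interface name enX0 comes from the tutorial; the private subnet CIDR 10.0.1.0/24 and the script name nat_audit.py are assumptions.

```python
"""Audit an iptables-save dump from a NAT instance (assumed layout, see lead-in)."""
import sys

# Constructed sample: what the tutorial's commands leave behind on AL2023 (assumed).
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enX0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""

def parse_tables(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *nat
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":") and current:        # chain policy, e.g. :FORWARD ACCEPT
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A") and current:       # appended rule
            tables[current]["rules"].append(line)
    return tables

def audit(dump, iface, private_cidr):
    """Return findings as strings; an empty list means every check passed."""
    tables = parse_tables(dump)
    findings = []
    nat = tables.get("nat", {"policies": {}, "rules": []})
    masq = [r for r in nat["rules"] if f"-o {iface}" in r and "-j MASQUERADE" in r]
    if not masq:
        findings.append(f"no MASQUERADE rule on {iface} in nat/POSTROUTING")
    elif not any(f"-s {private_cidr}" in r for r in masq):
        findings.append(f"MASQUERADE is not limited to {private_cidr} (add -s)")
    flt = tables.get("filter", {"policies": {}, "rules": []})
    forward = [r for r in flt["rules"] if r.startswith("-A FORWARD")]
    if flt["policies"].get("FORWARD") == "ACCEPT" and not forward:
        findings.append("FORWARD policy ACCEPT with no rules: forwards any source")
    return findings

if __name__ == "__main__":
    # On the instance: sudo iptables-save | python3 nat_audit.py ; with no stdin the sample is used
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit(dump, "enX0", "10.0.1.0/24") or ["OK: NAT rules look good"]))
```

A dump passes when MASQUERADE carries `-s <private CIDR>` and FORWARD has a DROP policy with explicit ACCEPT rules for the private subnet and for RELATED,ESTABLISHED return traffic.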


Step 4: Create a Linux AMI from an instance

To create an instance image, go to Instances > Actions > Image and Templates > Create Image > Enter name > Create Image.


Step 5: Launch a NAT instance

To launch a NAT instance, select "Launch instance" from the dashboard. Then, enter a name and choose your NAT AMI. Select an instance type, key pair, and network settings. Finally, launch the instance and wait for it to run. Disable source/destination checks and update the route table to send traffic to the NAT instance.


Step 6: Test your NAT Instance

To allow ping traffic from instances in your private subnet to the NAT instance, add an inbound and outbound ICMP rule. For the NAT instance to act as a bastion server, add an outbound SSH rule to the private subnet.

Step 7: Launch a test instance in the private subnet

Launch an instance into your private subnet. You must allow SSH access from the NAT instance, and you must use the same key pair that you used for the NAT instance.

Step 8: Check the internet connectivity of the EC2 instance in the private subnet

Setting up a NAT instance in AWS lets resources in a private subnet reach the internet or on-premises networks without being directly reachable themselves. With a NAT instance in place, outbound traffic from private subnet instances is routed through the public subnet, while connections initiated from the internet are not passed back in. This step-by-step tutorial covers the process from creating the VPC and security group to launching and testing the instances. With these fundamentals and the practical instructions above, developers can use NAT instances to provide outbound connectivity for private subnets in their AWS environments.
