Create Custom NAT Instance in AWS VPC
Purpose
Build a NAT using a Linux CentOS instance to provide internet access for the private subnet in an AWS VPC.
This NAT instance is used by instances in the private subnet to make connections to services outside the subnet or to the public Internet.
Examples include downloading a software package, sending backup data to an external location, or applying system updates to servers in the private subnet.
Preparation
Make sure we understand the difference between public and private subnets in an AWS VPC.
We already have a new instance in the public subnet which will be set up as the NAT server. Let's call it nat-server; it runs Linux CentOS 7.
We already have an instance in the private subnet for testing. Let's call it test-server. It can run Linux or Windows; it is only used to verify that it gets internet access.
In this tutorial we assume that we already have a VPC with a public and a private subnet, and we will set its routes as shown in the picture below.
Disable Source/Dest. Check for the NAT Server
In AWS EC2 Dashboard → Select the Instance → Action → Networking → Change Source/Dest. Check → Yes, Disable.
Configure System
First, update the system :
[root@nat-server ~]# yum update
In /etc/sysctl.conf enable ip forwarding :
[root@nat-server ~]# vi /etc/sysctl.conf
Add this :
# For NAT Server
net.ipv4.ip_forward = 1
Reboot now for good measure :
[root@nat-server ~]# reboot
Test our config :
[centos@nat-server ~]$ cat /proc/sys/net/ipv4/ip_forward
1
Set Iptables for Masquerade
Issue the iptables command below, using the subnet of the private subnet in our VPC as the source :
[root@nat-server ~]# iptables -t nat -A POSTROUTING -o eth0 -s 172.31.2.0/24 -j MASQUERADE
Edit the /etc/rc.local file so that the masquerade rule is enabled automatically at boot time :
[root@nat-server ~]# vi /etc/rc.local
And add this iptables command at the end of the file, before the final exit 0 :
iptables -t nat -A POSTROUTING -o eth0 -s 172.31.2.0/24 -j MASQUERADE
exit 0
Ensure the script will be executed during boot :
[root@nat-server ~]# chmod +x /etc/rc.d/rc.local
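The steps above (enable forwarding, persist it, add the MASQUERADE rule, hook it into boot) as one script. This is an added example, not code from the original tutorial: it assumes the outbound interface eth0 and the private subnet 172.31.2.0/24 from the tutorial (override with OUT_IF / PRIVATE_SUBNET), it persists forwarding in an assumed drop-in /etc/sysctl.d/99-nat.conf rather than editing /etc/sysctl.conf, and the NAT_SETUP_RUN switch is my own convention. It differs from the rc.local line in two ways a practitioner usually wants: the subnet is validated before it is handed to -s, so only the intended private range is masqueraded, and the rule is added only when iptables -C reports it absent, so re-running the script (or rc.local) does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): idempotent NAT setup and
# verification for nat-server. Assumed values: OUT_IF=eth0 and
# PRIVATE_SUBNET=172.31.2.0/24 (from the tutorial), drop-in path
# /etc/sysctl.d/99-nat.conf, and the NAT_SETUP_RUN switch.

PRIVATE_SUBNET="${PRIVATE_SUBNET:-172.31.2.0/24}"
OUT_IF="${OUT_IF:-eth0}"

# Return 0 when $1 is a well-formed IPv4 CIDR (a.b.c.d/n, n in 0..32).
# Guards the -s argument so a typo cannot masquerade an unintended range.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  _ip=${1%/*}
  _pfx=${1#*/}
  case "$_pfx" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$_pfx" -le 32 ] || return 1
  case "$_ip" in
    .*|*.|*..*) return 1 ;;
  esac
  _count=0
  _old_ifs=$IFS
  IFS=.
  for _octet in $_ip; do
    case "$_octet" in
      ''|*[!0-9]*) IFS=$_old_ifs; return 1 ;;
    esac
    [ "$_octet" -le 255 ] || { IFS=$_old_ifs; return 1; }
    _count=$((_count + 1))
  done
  IFS=$_old_ifs
  [ "$_count" -eq 4 ]
}

# Return 0 when forwarding is enabled; $1 overrides the procfs path (for tests).
ip_forward_enabled() {
  _f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$_f" ] && [ "$(cat "$_f")" = "1" ]
}

# Persist net.ipv4.ip_forward=1 as a sysctl.d drop-in (assumed file name);
# $1 overrides the directory (for tests).
persist_ip_forward() {
  _dir=${1:-/etc/sysctl.d}
  printf 'net.ipv4.ip_forward = 1\n' > "$_dir/99-nat.conf"
}

# Add the MASQUERADE rule only if iptables -C says it is not already present.
ensure_masquerade() {
  _subnet=$1
  _ifc=$2
  valid_cidr "$_subnet" || { echo "refusing bad subnet: $_subnet" >&2; return 2; }
  if iptables -t nat -C POSTROUTING -o "$_ifc" -s "$_subnet" -j MASQUERADE 2>/dev/null; then
    echo "masquerade rule for $_subnet via $_ifc already present"
  else
    iptables -t nat -A POSTROUTING -o "$_ifc" -s "$_subnet" -j MASQUERADE
  fi
}

# Full setup; needs root. Invoke as: NAT_SETUP_RUN=1 sh nat-setup.sh
nat_setup() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  persist_ip_forward
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  ip_forward_enabled || { echo "ip_forward still disabled" >&2; return 1; }
  ensure_masquerade "$PRIVATE_SUBNET" "$OUT_IF"
  # Show the resulting nat POSTROUTING rules for a final visual check.
  iptables -t nat -S POSTROUTING
}

if [ "${NAT_SETUP_RUN:-0}" = "1" ]; then
  nat_setup
fi
```

Calling `NAT_SETUP_RUN=1 sh /usr/local/sbin/nat-setup.sh` from rc.local replaces the bare iptables line and is safe to run repeatedly. The functions only define themselves when the file is sourced without the switch, which is what the checks below rely on.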
Modify the NAT Instance Security Group
We can adjust the security group of our NAT server instance to our needs; it is up to you, as long as it allows the inbound traffic from the private subnet that the NAT is supposed to forward.
Create Custom Route to Associate the Private Subnet
In AWS VPC Dashboard → Route Tables → Create Route Table
Name tag : [name the route table]
VPC : [choose the VPC]
In the Route Table created earlier → Routes → Edit Route → Add Route → Save Routes
Destination : 0.0.0.0/0
Target : Instance [choose the nat server instance]
Still in Route Table → Subnet Association → Edit Subnet Association → Select the Private Subnet → Save
Test from Instance Inside Private Subnet
Just create test-server in the private subnet without attaching a public IP. Then test by pinging Google or any other server located on the internet.