Create Custom NAT Instance in AWS VPC
Revision as of 14:03, 14 November 2019
Purpose
Build a NAT using a Linux CentOS instance to provide internet access for a private subnet in an AWS VPC.
This NAT instance will be used by instances in the private subnet to make connections to services outside of the subnet or to the public Internet.
Examples include downloading a software package, sending backup data to an external location, or applying system updates to servers in the private subnet.
Preparation
Make sure we understand public and private subnets in an AWS VPC.
We already have a new instance in the public subnet which will be set up as the NAT server. Let's call it nat-server; it is built on Linux CentOS 7.
We already have an instance in the private subnet for testing. Let's call it test-server. It can be built on Linux or Windows; it is just for a test.
In this tutorial, we assume that we already have a VPC with public and private subnet (and its route) like below picture.
[Figure: 20191114_custom_nat_in_aws.jpg, the VPC with its public and private subnets and their routes]
Disable Source/Dest. Check for the NAT Server
In the AWS EC2 Dashboard → Select the Instance → Actions → Networking → Change Source/Dest. Check :
Yes, Disable.
Configure System
First, update the system :
[root@nat-server ~]# yum update
In /etc/sysctl.conf enable ip forwarding :
[root@nat-server ~]# vi /etc/sysctl.conf
Add this :
# For NAT Server
net.ipv4.ip_forward = 1
Reboot now for good measure :
[root@nat-server ~]# reboot
Test our config :
[centos@nat-server ~]$ cat /proc/sys/net/ipv4/ip_forward
1
Set Iptables for Masquerade
Issue the iptables command below (it must run as root, so use sudo when logged in as the centos user) :
[centos@nat-server ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 172.31.158.0/24 -j MASQUERADE
Edit the /etc/rc.local file so that the masquerade rule is enabled automatically at boot time :
[centos@nat-server ~]$ sudo vi /etc/rc.local
And add this iptables command at the end of the file, before the final exit 0 :
iptables -t nat -A POSTROUTING -o eth0 -s 172.31.158.0/24 -j MASQUERADE
exit 0
Run 'chmod +x /etc/rc.d/rc.local' to ensure the script will be executed during boot (on CentOS 7, rc-local.service only runs the file when it is executable) :
[centos@nat-server ~]$ sudo chmod +x /etc/rc.d/rc.local
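The same nat-server configuration (IP forwarding plus the MASQUERADE rule) as one idempotent script, added here as an example; it is not part of the original page. It defaults to the page's values (private subnet 172.31.158.0/24, outbound interface eth0) but takes others as arguments. Two things it adds beyond the page: each rule is checked with iptables -C before it is appended, so re-running the script (or rc.local) never duplicates rules, and FORWARD-chain rules with a DROP policy restrict forwarding to traffic from the private subnet and the replies to it, so the instance does not relay packets for any other source. Persisting with iptables-save into /etc/sysconfig/iptables assumes the iptables-services package is installed on CentOS 7. Without NAT_APPLY=1 and root, it only prints the rules.

```shell
#!/bin/bash
# Added example (not from the original page): idempotent NAT setup for a CentOS 7
# nat-server. Defaults match the page (172.31.158.0/24 via eth0); pass other values
# as arguments. Run as root with NAT_APPLY=1 to apply; otherwise the rules are printed.
PRIVATE_CIDR="${1:-172.31.158.0/24}"
OUT_IF="${2:-eth0}"

# Return 0 if $1 is a dotted-quad IPv4 CIDR such as 172.31.158.0/24, else 1.
validate_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  local ip="${1%/*}" len="${1#*/}" o
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the iptables commands the NAT server needs. The first is the page's
# MASQUERADE rule; the FORWARD rules are an addition that forward only traffic
# from the private subnet and the replies back to it.
nat_rules() {
  local cidr="$1" oif="$2"
  printf '%s\n' \
    "iptables -t nat -A POSTROUTING -o $oif -s $cidr -j MASQUERADE" \
    "iptables -A FORWARD -s $cidr -o $oif -j ACCEPT" \
    "iptables -A FORWARD -d $cidr -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Append a rule only if it is not already present (iptables -C), so repeated runs
# do not stack duplicate rules.
apply_rule() {
  local add="$1"
  local check="${add/ -A / -C }"
  if $check 2>/dev/null; then
    echo "present: $add"
  else
    $add
  fi
}

apply_nat() {
  local cidr="$1" oif="$2" rule
  validate_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
  # Enable forwarding now and persistently (files in /etc/sysctl.d are read at boot).
  sysctl -w net.ipv4.ip_forward=1
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-nat.conf
  while IFS= read -r rule; do apply_rule "$rule"; done < <(nat_rules "$cidr" "$oif")
  # Drop anything forwarded that the rules above did not accept.
  iptables -P FORWARD DROP
  # Persist the rules; needs the iptables-services package on CentOS 7.
  iptables-save > /etc/sysconfig/iptables
}

if [ "${NAT_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
  apply_nat "$PRIVATE_CIDR" "$OUT_IF"
else
  echo "# dry run: rules for $PRIVATE_CIDR via $OUT_IF (set NAT_APPLY=1 and run as root to apply)"
  nat_rules "$PRIVATE_CIDR" "$OUT_IF"
fi
```

Because the rules are persisted with iptables-save, the rc.local entry from the page is no longer needed; keeping both is harmless only because apply_rule skips rules that already exist.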
Modify the NAT Instance Security Group
Create Custom Route to Associate the Private Subnet
In AWS VPC Dashboard → Route Tables → Create Route Table
Name tag : [name the route table]
VPC : [choose the VPC]
In the route table just created → Routes → Edit Routes → Add Route :
Destination : 0.0.0.0/0
Target : Instance [choose the nat-server instance]
Finally, associate this route table with the private subnet (Subnet Associations → Edit Subnet Associations) so that instances there send their internet-bound traffic through nat-server.
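The AWS-side steps of this tutorial (disabling the source/destination check, creating the route table, adding the 0.0.0.0/0 route to the NAT instance and associating the private subnet) done with the AWS CLI instead of the console, added here as an example; it is not part of the original page. The instance, VPC and subnet IDs are placeholders to be set in the environment, and with DRY_RUN=1 (the default) every aws command is printed rather than executed.

```shell
#!/bin/bash
# Added example (not from the original page): the AWS-side steps of this tutorial
# with the AWS CLI. The three IDs below are placeholders; override them in the
# environment. DRY_RUN=1 (the default) prints each aws command instead of running it.
NAT_INSTANCE_ID="${NAT_INSTANCE_ID:-i-0123456789abcdef0}"          # placeholder
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                          # placeholder
PRIVATE_SUBNET_ID="${PRIVATE_SUBNET_ID:-subnet-0123456789abcdef0}" # placeholder
ROUTE_TABLE_NAME="${ROUTE_TABLE_NAME:-private-via-nat}"
DRY_RUN="${DRY_RUN:-1}"

# Return 0 if $2 looks like an AWS resource ID with prefix $1 (8 or 17 hex digits).
valid_aws_id() {
  printf '%s' "$2" | grep -Eq "^$1-([0-9a-f]{8}|[0-9a-f]{17})$"
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the "Change Source/Dest. Check" action. Without it the instance drops
# forwarded packets whose addresses are not its own.
disable_src_dst_check() {
  valid_aws_id i "$1" || return 1
  run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Step 2: create the route table in the VPC and print its ID
# (a placeholder ID in dry-run mode).
create_route_table() {
  valid_aws_id vpc "$1" || return 1
  if [ "$DRY_RUN" = 1 ]; then
    run aws ec2 create-route-table --vpc-id "$1" >&2
    echo "rtb-PLACEHOLDER"
  else
    aws ec2 create-route-table --vpc-id "$1" \
      --query 'RouteTable.RouteTableId' --output text
  fi
}

# Step 3: name the table, add the default route to the NAT instance, and
# associate the table with the private subnet.
route_private_subnet_via_nat() {
  local rtb="$1" nat="$2" subnet="$3"
  run aws ec2 create-tags --resources "$rtb" --tags "Key=Name,Value=$ROUTE_TABLE_NAME"
  run aws ec2 create-route --route-table-id "$rtb" \
      --destination-cidr-block 0.0.0.0/0 --instance-id "$nat"
  run aws ec2 associate-route-table --route-table-id "$rtb" --subnet-id "$subnet"
}

disable_src_dst_check "$NAT_INSTANCE_ID"
RTB_ID="$(create_route_table "$VPC_ID")"
route_private_subnet_via_nat "$RTB_ID" "$NAT_INSTANCE_ID" "$PRIVATE_SUBNET_ID"
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 and real IDs to apply them; the ID check at the start of each step rejects a value of the wrong resource type before any call is made.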