Create Custom NAT Instance in AWS VPC

From Gejoreuy
Jump to navigation Jump to search


Build a NAT using a Linux CentOS instance to propose internet access for private subnet in AWS VPC.
This NAT instance will be run and needed by instances in private subnet to make connections to services outside of the subnet or to the public Internet.
An example may include downloading a software package, sending backup data to an external location, or applying system updates to servers on the private subnet.


Make sure we understand for public and private subnet in AWS VPC.
We already have a new instance in public subnet which will be set as NAT server. Let's call it nat-server which built by Linux CentOS 7.
We already have an instance in private subnet for a test. Let's call it test-server. We can build it by Linux or Windows. Whatever, just for a test to make sure it get internet access..

In this tutorial, we assume that we already have a VPC with public and private subnet. And then will set its route like below picture.

20191114 custom nat aws.jpg

Disable Source/Dest. Check for the NAT Server

In AWS EC2 DashboardSelect the InstanceActionNetworkingChange Source/Dest. Check :

Yes. Disable.

Configure System

First, update the system :

[root@nat-server ~]# yum update

In /etc/sysctl.conf enable ip forwarding :

[root@nat-server ~]# vi /etc/sysctl.conf

Add this :

# For NAT Server
net.ipv4.ip_forward = 1

Reboot now for good measure :

[root@nat-server ~]# reboot

Test our config :

[centos@nat-server ~]$ cat /proc/sys/net/ipv4/ip_forward

Set Iptables for Masquerade

Issue iptables command below :

[root@nat-server ~]$ iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

Edit the /etc/rc.local file to make masquerade will automatically enable at boot time :

[root@nat-server ~]$ vi /etc/rc.local

And add this iptables command at the end of the file :

iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE
exit 0

Ensure the script will be executed during boot :

[root@nat-server ~]$ chmod +x /etc/rc.d/rc.local

Modify the NAT Instance Security Group

We can modify the security for our NAT server instance as our needs. It's up to you.

Create Custom Route to Associate the Private Subnet

In AWS VPC DashboardRoute TablesCreate Route Table

Name tag : [name the route table]
VPC : [choose the VPC]

In Route Table which early created → RoutesEdit RouteAdd RouteSave Routes

Destination :
Target : Instance [choose the nat server instance]

Still in Route TableSubnet AssociationEdit Subnet AssociationSelect the Private SubnetSave

Test from Instance Inside Private Subnet

Just create test-server in private subnet. Don't attach public ip there. And then test to ping Google or any server which located in internet.