Amazon AWS SysOps – Networking – VPC part 3
- NAT Instances
We have our instances in our public subnet that have Internet connectivity thanks to the Internet gateway. But our instances in our private subnet cannot access the Internet. If they were to access it through the Internet gateway, they would also be directly accessible from the Internet. So for this, we need a better solution. And that solution is a NAT. NAT stands for Network Address Translation. Now, NAT comes in two flavors. There are NAT instances, which are really outdated and not recommended, but can still appear at the exam. And there are also NAT gateways, which we'll see in the next lecture. So this lecture is all about NAT instances. These NAT instances will allow our other instances in the private subnet to connect to the Internet.
Our NAT instance must be launched in a public subnet so that it has Internet connectivity. And you must disable an EC2 flag called Source/Destination Check. We'll see this in the hands-on. You also must attach an Elastic IP to it, because our route table will point directly to a fixed IP. And the route table must be configured to route traffic from the private subnets to the NAT instance. That's it for the theory. Let's look at it in a diagram. So this is what we have so far. Our public EC2 instance can connect, thanks to the route table, to the Internet gateway and then to the Internet. Now, if we have an instance in a private subnet, right now it cannot connect to anything. And so for this, we have to create a NAT instance in our public subnet.
It will have an Elastic IP attached to it. That's what the little arrow means. And it has its own security group. And then this NAT instance, thanks to the route that already exists in the route table, will be able to talk to the Internet gateway and access the Internet. Now we need to basically build a bridge between our private EC2 instance and our NAT instance. And for this we're going to change the route table in our private subnet. Basically, this route table is going to point to the NAT instance directly. And this will allow traffic from our private EC2 instance to be directed to the NAT instance, which will be directed all the way to the Internet. So that's it for the theory. Let's go with the hands-on now. So let's go ahead and create our NAT instance.
For this we'll go to the EC2 management console. We're going to launch an instance, and in the search bar I'm going to type "NAT" and press Enter. We directly get recommendations: 22 in the Marketplace and 326 in the Community AMIs. We're going to use the Community AMIs. And the first one is provided by Amazon, which is a VPC NAT on HVM. This is a recent enough date, so we'll just use this one. We'll click on Select, we'll run it on a t2.micro, and then click on Configure Instance Details. We'll launch one instance. Network-wise we'll launch it in our demo VPC, and subnet-wise, just for fun, we'll launch it in our public subnet B. Okay, we'll use the subnet setting to auto-assign a public IP.
This is great. Then I will scroll down. We don't change anything right here, everything looks good, and click on Next. Okay, at Storage the storage looks good as well. At Tags, I'll just name this one "NAT Instance" just so we can recognize it in our UI. Click on Configure Security Group, and here we have to create a new security group. I'll call it NAT SG (NAT Security Group), and we have to allow a few rules. So let's get started. The first rule is SSH, and you can restrict it to your IP if you wanted to. Then I'm going to add HTTP, and this rule basically should allow port 80, but not coming from everywhere: it should just be coming from our VPC. So our VPC is defined as 10.0.0.0/16, if you remember.
So I'll just allow HTTP from the VPC, and I'll describe it as "HTTP from VPC" just so we remember. And here again we're going to add one last rule for HTTPS from the VPC as well. So I'll just copy this entire CIDR and we'll allow HTTPS from the VPC. And these are the necessary security group rules when you define a NAT instance. Click on Review and Launch. And this is great. We'll just go with the recommended settings and click on Next and then click on Launch. And then I'll acknowledge. Okay, so now our instance is launching. And while this happens, I'm going to launch one last instance. I'm going to launch a private instance. So for this I'm going to go to the Amazon Linux AMI and click on Select.
I'll select a t2.micro, okay, click on Configure Instance Details, and then I will select the network to be the demo VPC. The subnet this time I'm going to make private subnet A, and I will not have a public IP address. A public IP is disabled by default because it's not a public instance anyway. Okay, this looks good. Now I'll click on Add Storage, then Add Tags. I'll just name this instance "Private Instance" and click on Next: Configure Security Group. Here we can configure a security group, and we can just have port 22 coming from everywhere. Or we can say only port 22 coming from our VPC directly. So SSH only from within the VPC, because this is a private instance, so it does not expect an SSH connection from anywhere else.
And click on Review and Launch. I will launch it as well, I acknowledge, and instead of using the same key pair I'll create a new key pair. For the key pair name I'll call it "Private Instance Key Pair", because this is something that's going to be specific to my private instance, and I'm going to show you why in a second. So I want to be able to create a new key pair. So here is my private instance key pair that has been downloaded. I'll click on Launch Instances, and here we go. Now we click on View Instances and let's have a look at what happens. So we have a NAT instance in us-east-1b and we have our private instance in us-east-1a. These two are in public subnets.
This one is in a private subnet. And this one, remember, because it is a NAT instance, we have to make sure that Source/Destination Check is disabled. So for this I can right-click on it, click on Networking and click on Change Source/Dest. Check. This is something you should keep enabled for every instance except NAT instances, because they're very special. So I say "Yes, Disable", and this is what the documentation recommends. If you type "source destination check NAT instance" in the documentation, it says: however, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance. So we've done that.
Now let's go ahead and first SSH into our private instance. For this I'm going to SSH into my public instance, and from my public instance I will be able to SSH into my private instance. So let's do this. Right now I'm in my public instance right here, and the first thing I have to do is to basically recreate the key pair I've just downloaded onto this EC2 instance. So I'm going to open a new tab and I'm going to cat the content of my downloaded key pair. So I'm going to copy this. Now remember, this is not something you want to do in production. We have better ways of doing these kinds of things, but right now I'm just doing it manually.
So I'll copy this RSA private key and I will basically put it onto my EC2 instance. We could use scp if you wanted to, if you know what scp is, but right now we'll just do things manually. So I'll just do nano and then the name of that key pair file, PrivateInstance... what's the name of that file again? The .pem file. And I'll just paste the content, Ctrl+X, Yes, Enter. And now I'm going to do a chmod just to be able to set the right permissions on this file. So here we go. And now, using this, I should be able to SSH from my public to my private instance. So I'll do ssh ec2-user@, and now I need the private IP of my private instance. So my private instance is right here, and it has a private IP. So I'll copy this, paste it, then -i, and I'll just specify my instance key and click on yes.
And here we go. I am in my instance: ls. So I'm on my private instance right now, IP 10.0.21.95, and if we try to, for example, ping google.com, it doesn't work. It does not have Internet yet, which is what we expect. But we have created a NAT instance, so we should be able to provide that instance with Internet. So how do we do this? This doesn't work. So how do we do this? Well, we go into our route table, and for the private route table we're going to create a new route. So I go to Routes and then I'll click Add route, and any connection outgoing to the Internet this time is not going to the Internet gateway, because that would make my instances public.
Instead it's going to an Instance, and this is a NAT instance, and I'll just click here and say NAT Instance. So now we're saying: for all my instances in my private subnet, any time you hit an IP that's not local, then talk to this NAT instance. Save the route. The route has been saved successfully. And so now in our private route table it turns out that the destination for public traffic should go to this ENI, and if we click on this ENI we obviously get redirected directly to our NAT. So now I can go into my instance and I can do curl google.com, and this just gives me a URL: it says it has moved, so I can curl www.google.com, but basically my private instance does get access to the Internet, which is amazing.
But if you try to ping google.com, we see it's not working. So we know we have Internet connectivity. But the trick is that in your NAT instance's security group you can also add the protocol which allows you to use ping. You add a rule, and this is going to be All ICMP for IPv4, and we'll allow this coming from our VPC. So I'll just say "allow ping from VPC", save the security group rules, and now if we do a ping on google.com we do get an answer back and we see it's working. So this was a long lecture, I know, but we've set up basically a NAT instance which allowed our private instance to talk to it and to get Internet access.
Now I have to say all of this is very hard to manage, and as you can see there are a lot of moving parts. So let's see what that means for the exam. A comment on this setup: we've been using an Amazon Linux AMI that comes preconfigured with NAT capabilities, and this is nice, but what we did was not highly available. It's not really resilient. If we lose our NAT, we lose our Internet connectivity. So we would need to set up maybe a multi-AZ ASG with a resilient user data script, maybe use an Elastic IP to guarantee some stable IP addressing. I mean, it could be horrible.
And then the Internet traffic will depend on our EC2 instance performance. So right now we have a t2.micro, so we don't expect to have very high network throughput. But if we have a larger instance, we're going to pay more and get better networking. But overall, it's so tricky. And then we must manage security groups and rules. So you see, I couldn't ping Google right away. I had to add the rules. So we need to set the inbound rules and some outbound rules, et cetera, et cetera. I mean, it's tricky. It's really, really tricky. So overall, NAT instances are old. They're the old way of doing things. And in the next lecture, we'll see NAT gateways to see how we can do things in a much better way. So let's get started.
- NAT Gateways
A better alternative to NAT instances is a NAT gateway. Why? Because AWS will manage this NAT for us: we'll get higher bandwidth, we'll get better availability, and overall no administration is required. We're going to pay by the hour for the usage and the bandwidth. And the NAT gateway will be created in a specific AZ. It will use an EIP, but we don't have to worry about any of that. It cannot be used by an instance from the same subnet where we created it, only from the other subnets, which is fine, and it will require an Internet gateway to be set up. But we already have one. So the trick is that the private subnet will talk to the NAT gateway, which will talk to the Internet gateway. And this way we'll get Internet connectivity.
For our private subnet instances we get 5 Gbps of bandwidth, scaling automatically up to 45 Gbps, so it can scale to tremendous bandwidth. And overall we don't have any security group to manage, and none is required. So overall it seems like it's a no-brainer compared to the pain that it was to set up a NAT instance in the previous lecture. So let's have a look at the diagram. It is exactly the same thing. But the difference is that now we'll have a NAT gateway in our public subnet that is automatically connected to the Internet, thanks to the route table. And then our route table for the private subnet will have a direct route to our VPC NAT gateway. The NAT gateway is resilient, but only resilient within a single AZ.
And if you want high availability, then you're going to need a NAT gateway in multiple AZs, and that will give you fault tolerance. So let's have a look at our diagram. We have two AZs. Each AZ will have a public and a private subnet. And we want to make sure we have one NAT gateway in each AZ so that we have high availability. So in this case, we're going to set up a NAT gateway in the public subnet of AZ A, and we'll set up the corresponding route tables to make sure the traffic is routed properly to the Internet. And we'll do the exact same thing in AZ B. So it's a very symmetrical setup. But the idea here is that because we now have two NAT gateways in two different AZs, there is no cross-AZ failover needed, because if an AZ goes down, it doesn't need a NAT at all.
Right? So let's have a look. We just zap this entire AZ. It's completely lost. So imagine it's gone, and we still have access to the Internet from AZ B. But if we didn't have a NAT gateway here, and if the traffic from AZ B was going through the NAT gateway in AZ A and AZ A was going away, then AZ B would lose access to the Internet. Bottom line, I'm saying something very simple in a complicated way, but the bottom line is: if you want high availability for your NAT gateway, you need to make sure you set up one NAT gateway in each AZ. So let's have a look at how we can set this up right now. Okay, so let's get back to our VPC now. So we go back to the VPC console here, and the first thing we're going to do is completely delete this NAT instance.
So we don't want this NAT instance anymore, so we're going to terminate it. Here we go. Go away. Now it's being terminated. And so what we should see is that when the NAT instance is down, I should lose Internet connectivity. So here I am on my instance in my private subnet. And if I ping google.com right now, it's not working. If I curl google.com, it should not be working either. So it has completely lost Internet connectivity. Now if we go to our VPC and we go to our route tables, and we take the private route table here, right now this target is active to the ENI. But I'm just going to wait a little bit to show you what happens once the instance is terminated.
So my instance is now terminated, and we can see from the route table that this destination is now a blackhole. So basically, any time a route does not lead anywhere, any time the target is down or whatever, we're in a blackhole state. And this is bad. That means that our instance did indeed lose Internet connectivity, because this destination does not lead anywhere. It leads into a blackhole. But we're going to fix this right now. So what we're going to do is create our NAT gateway. So we click on NAT Gateways, Create NAT Gateway, and we select a subnet in which we want to create our NAT gateway.
So we have to remember the subnet list, which is always tricky, as sometimes the subnet names are not shown. So let's go back to our subnets and we'll select our demo VPC. We'll take our public subnet A, which is this subnet. I'm going to copy the subnet ID and paste it here just so I can find it. Here we go. I found my subnet. And then we can either enter an allocation ID if you already have an Elastic IP, or we just say "Create New EIP", and automatically a new Elastic IP was assigned to this NAT gateway. Okay, Create NAT Gateway. The NAT gateway has been created, and now we can edit our route tables to include a route to the following NAT gateway. So we'll close this. We'll do the routing on our own.
So we'll go back to our route tables and the private route table. And this is where the blackhole was. We're going to edit this one. So instead of pointing to our instance, which does not exist anymore, we're going to remove this entirely. And now we're going to say, okay, this route should point to a NAT gateway, and this NAT gateway right here. Save it. And now the route has been successfully edited and this route is active. Now we have to wait for this NAT gateway to get ready and to be up and running. So we may have to wait maybe 15 minutes. So I'll just pause the video until then. Okay, so our NAT gateway has been created, and so if I go back to my EC2 instance and curl google.com, yes, I get back access to the Internet. And can I ping google.com? Let's try this out.
Yes, I can also ping google.com and it's working, so perfect. So this NAT gateway basically gives us access to the Internet in our private subnet, but without the whole problem of managing a separate EC2 instance for this. So I think that these lectures are enough to understand the differences between a NAT instance and a NAT gateway. But there is still a very interesting table in the AWS documentation with a comparison. So let's have a quick look at it. So this table compares a NAT gateway to a NAT instance. Let's have a look at a few very important points. The first one is high availability: the NAT gateway is highly available, you can have one in each AZ, and they're implemented with redundancy.
And so this is how you basically make sure that your setup is resilient to failure, whereas for a NAT instance, well, you need to have a script to manage failover between instances. In terms of bandwidth, the NAT gateway can scale up to 45 Gbps, which is huge, whereas the NAT instance depends on the bandwidth of the instance type. So if you have a t2.micro, then we have very low bandwidth. For maintenance, the NAT gateway is managed by AWS, so no need to do anything, but the NAT instance is managed by you, so it's up to you to patch the OS, et cetera, et cetera. For performance, the NAT gateway software is optimized for handling NAT traffic, whereas the NAT instance is just a generic Amazon Linux AMI, so there is maybe some overhead on it, and then you can look at all those kinds of things here.
But this is really interesting to see. And for security groups, for example, you cannot associate a security group with a NAT gateway, whereas with a NAT instance you have to associate one and manage that security group on its own. So I think it's super interesting to look at this table in your own time. So have a look. But overall I think it is clear that a NAT gateway is the clear choice. And sometimes the exam will ask you a question about NAT instances, usually around disabling the source/destination check on the NAT instance, but that's about it. Overall, these two things allow your instances in private subnets to get access to the Internet by offering a route to it. Okay, so that's it, I will see you in the next lecture.
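The checks both lectures walk through by hand (the source/destination check on a NAT instance, a blackhole route left behind by a terminated target, a NAT gateway sitting in a public subnet, and one NAT gateway per AZ for high availability) can be audited from the JSON the describe-* calls return. The script below is an added example, not part of the course material; its input is constructed to mirror the demo VPC, and IDs such as igw-demo, nat-a and i-nat are placeholders.

```python
# Added example, not from the lecture: audit a VPC's NAT setup from the JSON returned by
# `aws ec2 describe-route-tables/-nat-gateways/-subnets/-instances` (sample data constructed).

def default_route(rt):
    """Return (target_kind, target_id, state) for the 0.0.0.0/0 route, or None."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            for key, kind in (("GatewayId", "igw"), ("NatGatewayId", "natgw"),
                              ("InstanceId", "instance"), ("NetworkInterfaceId", "eni")):
                if r.get(key):
                    return kind, r[key], r.get("State", "active")
    return None

def audit_nat(route_tables, nat_gateways, subnets, instances):
    """Return a list of findings; an empty list means the NAT setup looks healthy."""
    findings = []
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    natgw_az = {g["NatGatewayId"]: az_of.get(g["SubnetId"]) for g in nat_gateways}
    src_dst_check = {i["InstanceId"]: i.get("SourceDestCheck", True) for i in instances}
    subnet_rt = {}
    for rt in route_tables:
        for r in rt["Routes"]:  # a target that no longer exists leaves the route in "blackhole"
            if r.get("State") == "blackhole":
                findings.append(f"{rt['RouteTableId']}: route to {r.get('DestinationCidrBlock')} is a blackhole")
        for a in rt.get("Associations", []):
            if a.get("SubnetId"):
                subnet_rt[a["SubnetId"]] = rt
    # a subnet is public when its default route goes straight to the Internet gateway
    public = {s for s, rt in subnet_rt.items() if (default_route(rt) or ("none",))[0] == "igw"}
    for g in nat_gateways:  # a NAT gateway only reaches the Internet from a public subnet
        if g["SubnetId"] not in public:
            findings.append(f"{g['NatGatewayId']}: subnet {g['SubnetId']} has no IGW default route")
    for sn, rt in subnet_rt.items():
        dr = default_route(rt)
        if sn in public or dr is None:  # isolated private subnets have no NAT to check
            continue
        kind, target, _ = dr
        if kind == "instance" and src_dst_check.get(target, True):
            findings.append(f"{sn}: NAT instance {target} still has SourceDestCheck enabled")
        if kind == "natgw" and natgw_az.get(target) != az_of.get(sn):  # cross-AZ dependency
            findings.append(f"{sn} ({az_of.get(sn)}): depends on {target} in {natgw_az.get(target)}")
    return findings

def sample():
    """Constructed input: two AZs, one NAT gateway, one NAT instance, one stale route."""
    subnets = [{"SubnetId": s, "AvailabilityZone": az} for s, az in
               (("subnet-pubA", "us-east-1a"), ("subnet-privA", "us-east-1a"),
                ("subnet-pubB", "us-east-1b"), ("subnet-privB", "us-east-1b"))]
    local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
    route_tables = [
        {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pubA"}, {"SubnetId": "subnet-pubB"}],
         "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo", "State": "active"}]},
        {"RouteTableId": "rtb-privA", "Associations": [{"SubnetId": "subnet-privA"}],
         "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat",
                            "NetworkInterfaceId": "eni-nat", "State": "active"}]},
        {"RouteTableId": "rtb-privB", "Associations": [{"SubnetId": "subnet-privB"}],
         "Routes": [local, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a", "State": "active"},
                    {"DestinationCidrBlock": "192.168.0.0/16", "InstanceId": "i-old", "State": "blackhole"}]}]
    nat_gateways = [{"NatGatewayId": "nat-a", "SubnetId": "subnet-pubA", "State": "available"}]
    instances = [{"InstanceId": "i-nat", "SourceDestCheck": True}]  # check was never disabled
    return route_tables, nat_gateways, subnets, instances
```

On the constructed input, `audit_nat(*sample())` reports the stale blackhole route in rtb-privB, the NAT instance with its source/destination check still enabled, and private subnet B depending on a NAT gateway in the other AZ.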