NAT Instances and NAT Gateways

  Amazon Web Services (AWS), VPC

https://www.udemy.com/aws-certified-solutions-architect-associate/learn/v4/t/lecture/2801640?start=0

NAT Instances

  1. An EC2 instance that acts as a gateway.
  2. An instance used to give EC2 instances in private subnets (not reachable from the Internet) outbound access to the Internet, e.g. for patching, while the Internet still cannot initiate connections to them.
  • Create an EC2 instance from the Community AMIs after searching for ‘NAT’
    • Pick the most recent one.
      • The OS install is slightly smaller than what you would get using a standard AWS AMI, and it comes with IP forwarding and the iptables masquerade rule already configured; that is what makes it a NAT.
    • Make sure you give it a ‘Name’ Tag.  This will help identify it when you edit your Main Route Table
  • Provision into your Public accessible Subnet
  • Use your Public facing Security Group
    • Make sure it allows inbound HTTP and HTTPS (80/443) from the private subnet's CIDR (not from 0.0.0.0/0) and outbound HTTP/HTTPS to 0.0.0.0/0. SSH in should be limited to your own admin IP.
  • Once provisioned:
    • Actions > Networking > Change Source/Dest. Check > Disable
    • EC2 normally drops packets whose source or destination is not the instance itself. A NAT forwards other instances' packets, so the check must be off or the forwarded traffic never leaves.
  • Edit the route table used by the Private subnet (the Main Route Table, if the private subnet has no explicit association) to send traffic with no more specific route to the NAT Instance
    • Destination: 0.0.0.0/0
    • Target: NAT Instance (its instance ID; the Name tag helps you pick the right one)
    • Leave the Public subnet's route table pointing 0.0.0.0/0 at the Internet Gateway, otherwise the NAT itself has no way out.

NAT Gateways

  • VPC > NAT Gateways > Create NAT Gateway
    • Deploy into the Public accessible Subnet
    • Create New EIP (Elastic IP): the gateway needs a static public IPv4 address to translate the private addresses to.
    • [Create a NAT Gateway]
      • Make note of your NAT Gateway ID if you have more than 1! The gateway takes a few minutes to become available; routes to it do not work until then.
  • Edit the Private subnet's Route Table to use the NAT Gateway
    • Destination: 0.0.0.0/0
    • Target: NAT Gateway ID (nat-...)
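Added example (not from the course or these notes): an offline audit that checks the NAT Instance and NAT Gateway routing rules from the two procedures above, i.e. every private subnet's 0.0.0.0/0 route must go to a NAT Gateway in its own AZ or to a NAT Instance that sits in a public subnet with its Source/Dest. check disabled. It runs over dicts shaped like boto3's ec2.describe_subnets() / describe_route_tables() / describe_instances() / describe_nat_gateways() responses; everything below is constructed sample data with invented IDs, so it runs without an AWS account. Feed it the real responses to audit a live VPC.

```python
# Constructed sample: subnets and their AZs (describe_subnets shape, trimmed).
SUBNETS = {
    "subnet-pub-a":  {"AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/24"},
    "subnet-priv-a": {"AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24"},
    "subnet-priv-b": {"AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.2.0/24"},
    "subnet-priv-c": {"AvailabilityZone": "us-east-1c", "CidrBlock": "10.0.3.0/24"},
}

# Constructed sample: NAT instances (describe_instances shape, trimmed).
INSTANCES = {
    "i-nat-a":   {"SubnetId": "subnet-pub-a",  "SourceDestCheck": False},
    "i-nat-bad": {"SubnetId": "subnet-priv-c", "SourceDestCheck": True},
}

# Constructed sample: NAT gateways (describe_nat_gateways shape, trimmed).
NAT_GATEWAYS = {
    "nat-a": {"SubnetId": "subnet-pub-a", "State": "available"},
}

# Constructed sample: route tables (describe_route_tables shape, trimmed).
# subnet-priv-c has no explicit association, so it falls back to the Main table.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub",
     "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-priv-a",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-a"}]},
    {"RouteTableId": "rtb-priv-b",   # NAT gateway lives in a different AZ
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-main",     # Main table points at a misconfigured NAT
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-bad"}]},
]

# An instance route also carries NetworkInterfaceId, so InstanceId is checked first.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId")


def default_route(route_table):
    """Return (target_key, target_id) of the 0.0.0.0/0 route, or (None, None)."""
    for route in (route_table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            for key in TARGET_KEYS:
                if key in route:
                    return key, route[key]
    return None, None


def route_table_for(subnets, route_tables):
    """Map every subnet to its route table: the explicitly associated one,
    or the VPC's Main table when there is no explicit association."""
    main = next((rt for rt in route_tables
                 if any(a.get("Main") for a in rt.get("Associations", []))), None)
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt.get("Associations", []) if "SubnetId" in a}
    return {s: explicit.get(s, main) for s in subnets}


def is_public(subnet_id, rt_by_subnet):
    """A subnet is public when its default route goes to an Internet Gateway."""
    key, target = default_route(rt_by_subnet.get(subnet_id))
    return key == "GatewayId" and target.startswith("igw-")


def audit_nat_routing(subnets, route_tables, instances, nat_gateways):
    """Return a list of findings; an empty list means every private subnet
    routes out through a correctly placed NAT instance or NAT gateway."""
    findings = []
    rt_by_subnet = route_table_for(subnets, route_tables)
    for subnet_id, rt in rt_by_subnet.items():
        if is_public(subnet_id, rt_by_subnet):
            continue                      # public subnet: straight to the IGW
        az = subnets[subnet_id]["AvailabilityZone"]
        key, target = default_route(rt)
        if key == "InstanceId":
            inst = instances.get(target)
            if inst is None:
                findings.append(f"{subnet_id}: default route to unknown instance {target}")
            elif inst["SourceDestCheck"]:
                findings.append(f"{subnet_id}: NAT instance {target} still has Source/Dest. check enabled")
            elif not is_public(inst["SubnetId"], rt_by_subnet):
                findings.append(f"{subnet_id}: NAT instance {target} is not in a public subnet")
        elif key == "NatGatewayId":
            ngw = nat_gateways.get(target)
            if ngw is None or ngw["State"] != "available":
                findings.append(f"{subnet_id}: NAT gateway {target} missing or not available")
            elif subnets[ngw["SubnetId"]]["AvailabilityZone"] != az:
                findings.append(f"{subnet_id}: NAT gateway {target} is in another AZ "
                                f"({subnets[ngw['SubnetId']]['AvailabilityZone']}), a cross-AZ dependency")
        else:
            findings.append(f"{subnet_id}: no route out through a NAT (default route: {key}={target})")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_routing(SUBNETS, ROUTE_TABLES, INSTANCES, NAT_GATEWAYS):
        print(finding)
```

The sample deliberately contains both classic mistakes: a private subnet in us-east-1b routed to a NAT Gateway in us-east-1a, and a Main-table route to a NAT instance that still has its Source/Dest. check on. Private subnets with no default route at all are also reported, since an isolated subnet is usually an accident after a route table edit.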

NAT Gateway Advantages

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html

  • No need to disable the Source/Dest. check
  • No Security Group to manage (a NAT Gateway cannot have one); filter at the subnet level with a Network ACL if you must
  • A single NAT Instance is a Single Point of Failure; a NAT Gateway is redundant within its AZ (Auto H/A). For AZ-independent H/A, create one NAT Gateway per AZ and route each private subnet to the gateway in its own AZ.
  • Scales automatically, up to 10Gbps (the figure in the linked comparison at the time of these notes; AWS has raised the limit since)

Bastion Hosts (Jump Boxes)

  • Instances that have been hardened and provisioned for the purpose of administering non-public facing instances (SSH/RDP into the Bastion, then hop to the private instances) are known as Bastions. They live in the Public subnet with the admin ports open only to known source IPs. The roles are complementary: a NAT carries outbound traffic from private instances, a Bastion carries inbound admin traffic to them.

Exam Tips

  • NAT Instances
    • Must disable the Source/Dest. check
    • Must be deployed in the Public subnet
    • Must be a route out of the Private subnet to the NAT Instance
    • Traffic supported depends on the instance size.  If bottlenecking, increase the Instance size.
    • Can create HA using:
      • AutoScaling groups
      • Multiple Public subnets in different AZs
      • A script to automate failover (health-check each NAT and repoint the private route table at the surviving instance)
    • Are always behind a Security Group
  • NAT Gateways
    • Preferred by Enterprise
    • Scale automatically (up to 10Gbps at the time of these notes; AWS has raised the limit since)
    • No need to patch
    • No associated Security Groups (use a Network ACL on the subnet if you must filter)
    • Require an Elastic IP
    • No Source/Dest. check to disable
    • Must be a route out of the Private subnet to the NAT Gateway
    • Deploy one per AZ and route each private subnet to the gateway in its own AZ, otherwise an AZ outage takes the other subnets' Internet access with it
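Added example (not from the course or these notes): the decision logic of the "script to automate failover" from the NAT Instance tips, for the layout with one NAT instance per AZ and one private route table per AZ. Given which NAT instances pass a health check, it works out which private route tables must be repointed, preferring a healthy NAT in the table's own AZ and moving a table back once its own NAT recovers. All data is constructed with invented IDs; the TCP probe and the assumption that port 22 on the NAT answers are mine, and the real replace-route calls (boto3 ec2.replace_route or the aws CLI line it prints) are left to the caller.

```python
import socket

# Constructed sample: one NAT instance per AZ (describe_instances shape, trimmed).
NAT_INSTANCES = {
    "i-nat-a": {"AvailabilityZone": "us-east-1a", "PrivateIpAddress": "10.0.0.10"},
    "i-nat-b": {"AvailabilityZone": "us-east-1b", "PrivateIpAddress": "10.0.10.10"},
}

# Constructed sample: private route tables, tagged with the AZ of the subnet
# they serve (assumption: one private route table per AZ).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-priv-a", "AvailabilityZone": "us-east-1a",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-a"}]},
    {"RouteTableId": "rtb-priv-b", "AvailabilityZone": "us-east-1b",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-b"}]},
]


def probe(ip, port=22, timeout=2.0):
    """Assumed health check: can we open a TCP connection to the NAT's private
    IP? The NAT's security group must allow this from wherever the probe runs."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def current_nat(route_table):
    """Instance ID the table's 0.0.0.0/0 route currently points at."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("InstanceId")
    return None


def plan_failover(route_tables, nat_instances, healthy):
    """Return [(route_table_id, old_nat, new_nat)] for every table that needs
    repointing: tables on a dead NAT move to a healthy one (same AZ preferred),
    and tables failed over earlier move back to their own AZ's NAT once it is
    healthy again. Refuses to act when no NAT is healthy at all."""
    healthy = set(healthy)
    if not healthy:
        raise RuntimeError("no healthy NAT instance; refusing to reroute anything")
    changes = []
    for rt in route_tables:
        old = current_nat(rt)
        same_az = sorted(i for i in healthy
                         if nat_instances[i]["AvailabilityZone"] == rt["AvailabilityZone"])
        if old in healthy and (old in same_az or not same_az):
            continue                      # already on the best available NAT
        new = (same_az or sorted(healthy))[0]
        changes.append((rt["RouteTableId"], old, new))
    return changes


def apply_changes(route_tables, changes):
    """Simulate replace-route: return copies of the tables with the new targets."""
    new_target = {rtb: new for rtb, _, new in changes}
    result = []
    for rt in route_tables:
        rtb = rt["RouteTableId"]
        routes = [dict(r, InstanceId=new_target[rtb])
                  if rtb in new_target and r.get("DestinationCidrBlock") == "0.0.0.0/0"
                  else r
                  for r in rt["Routes"]]
        result.append(dict(rt, Routes=routes))
    return result


if __name__ == "__main__":
    healthy = [i for i, inst in NAT_INSTANCES.items() if probe(inst["PrivateIpAddress"])]
    try:
        for rtb, old, new in plan_failover(ROUTE_TABLES, NAT_INSTANCES, healthy):
            print(f"aws ec2 replace-route --route-table-id {rtb} "
                  f"--destination-cidr-block 0.0.0.0/0 --instance-id {new}  # was {old}")
    except RuntimeError as err:
        print(f"alert: {err}")
```

Run this on a schedule from an instance that can reach both NATs (or from each NAT, probing its peer). The "refuse when nothing is healthy" branch matters: if the probe host itself has lost connectivity, blindly rerouting would only add a bogus route change to the outage.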
