How to access the internet from an EC2 instance in a private subnet?
Sep 23, 2022
So you've launched an EC2 instance in a private subnet to block public access for security reasons. However, you later realized that you actually need internet access on that instance to install packages and run software updates. If you have run into this problem, you're in the right place.
Allowing internet access to instances in a private subnet is done via Network Address Translation (NAT), a technique that lets instances without a public IP send outbound traffic to the internet (and receive the replies) without accepting unsolicited inbound connections. Therefore, you need to create a NAT gateway in the public subnet, since only resources in a public subnet can reach the internet directly.
The following steps allow internet access for EC2 instances in a private subnet:
- Create NAT gateway in public subnet and associate an elastic IP
- Add routing via NAT gateway on private subnet routing table
- Configure security group for instance on private subnet (optional)
This article assumes that you've created a VPC with a public and a private subnet, and that one EC2 instance has been launched in each of them.
Create NAT gateway in public subnet and associate an elastic IP
The first step is to create the NAT gateway in the public subnet.
1. Search for "VPC" in the search bar of the AWS console, and click on the VPC link.
2. On the left sidebar, click on NAT gateways within the Virtual private cloud section.
3. Click on the Create NAT gateway button in the top right corner.
4. Assign an appropriate name, select your public subnet, select the public availability type and click on the Allocate Elastic IP link.
5. Finally, click on the Create NAT gateway button.
If you get the error "The maximum number of addresses has been reached", you have hit the Elastic IP limit for the account and need to release an unused Elastic IP address first.
Add routing via NAT gateway on private subnet routing table
The next step is to add a route to the NAT gateway in the private subnet's route table.
1. Go to the VPC dashboard in the AWS console and click on Subnets.
2. Find your private subnet and click on its route table (the entry in the Route table column).
3. Under the Routes tab, click on the Edit routes button.
4. Click on the Add route button, enter 0.0.0.0/0 as the Destination and select the newly created NAT gateway as the Target.
5. Save the changes.
Configure security groups and network ACLs (optional)
Most of the time, the security groups on the EC2 instances and the network access control lists on the subnets won't get in the way unless they're strictly configured, so this step is optional.
If you have configured strict security groups and network ACL policies, you need to allow the following inbound and outbound rules.
Security groups on the EC2 instance in the private subnet
Inbound rules
| Type | Protocol | Port | Source |
| --- | --- | --- | --- |
| SSH | TCP | 22 | 0.0.0.0/0 |
Outbound rules
| Type | Protocol | Port | Destination |
| --- | --- | --- | --- |
| HTTP | TCP | 80 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |
Security groups on the EC2 instance in the public subnet
Inbound rules
| Type | Protocol | Port | Source |
| --- | --- | --- | --- |
| SSH | TCP | 22 | 0.0.0.0/0 |
Outbound rules
| Type | Protocol | Port | Destination |
| --- | --- | --- | --- |
| SSH | TCP | 22 | 0.0.0.0/0 |
Network ACLs on the private subnet and the public subnet
Inbound rules
| Rule # | Type | Protocol | Port range | Source | Allow/Deny |
| --- | --- | --- | --- | --- | --- |
| * | All traffic | All | All | 0.0.0.0/0 | Allow |
| * | All traffic | All | All | 0.0.0.0/0 | Deny |
Outbound rules
| Rule # | Type | Protocol | Port range | Destination | Allow/Deny |
| --- | --- | --- | --- | --- | --- |
| * | All traffic | All | All | 0.0.0.0/0 | Allow |
| * | All traffic | All | All | 0.0.0.0/0 | Deny |
Disclaimer: The network ACLs above are permissive. If you want more restrictive ACLs tailored to your needs, refer to the AWS documentation on network ACLs.
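As an added example (not code from the original article), the following offline check verifies the routing steps above and flags the inbound SSH rule from the private-subnet security group table when it admits 0.0.0.0/0. It runs against constructed data shaped like the responses of the EC2 API's describe_route_tables, describe_nat_gateways and describe_security_groups calls; every resource ID is a placeholder.

```python
# Constructed sample shaped like boto3's describe_route_tables / describe_nat_gateways /
# describe_security_groups output; every ID below is a placeholder, not a real resource.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-public",
                 "State": "available", "ConnectivityType": "public"}]
PRIVATE_SG = {"GroupId": "sg-private", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}


def default_route(subnet_id, route_tables):
    """The 0.0.0.0/0 route of the table explicitly associated with subnet_id, or {} if none."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            return next((r for r in rtb["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), {})
    return {}  # no explicit association: the VPC main table applies, which is not modelled here


def check_nat_egress(private_subnet, route_tables, nat_gateways):
    """Return findings; an empty list means the subnet is wired the way the article describes."""
    route = default_route(private_subnet, route_tables)
    if "NatGatewayId" not in route:
        return ["private subnet route table has no 0.0.0.0/0 route to a NAT gateway"]
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == route["NatGatewayId"]), None)
    if nat is None or nat["State"] != "available":
        return [f"NAT gateway {route['NatGatewayId']} is missing or not available"]
    findings = []
    if nat.get("ConnectivityType") != "public":
        findings.append("NAT gateway connectivity type is not public")
    # A NAT gateway only reaches the internet if its own subnet routes 0.0.0.0/0 to an IGW.
    nat_route = default_route(nat["SubnetId"], route_tables)
    if not nat_route.get("GatewayId", "").startswith("igw-"):
        findings.append(f"NAT gateway subnet {nat['SubnetId']} has no internet gateway route")
    return findings


def ssh_open_to_world(sg):
    """True if inbound TCP/22 is allowed from 0.0.0.0/0 (as in the article's table); scoping the
    source to the bastion's security group keeps SSH-via-bastion working with less exposure."""
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] in ("tcp", "-1") and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                return True
    return False
```

Feeding it the real API responses instead of the constructed sample turns it into a quick post-change audit of the private subnet.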
Testing internet access
1. SSH into your private instance via the bastion host (the instance in the public subnet).
2. Run curl google.com
You should see the following output on the console:
Wrapping up
Allowing outbound internet access for EC2 instances in private subnets is easily done via a NAT gateway, which must be created in the public subnet. In addition, you need to add a route via the NAT gateway to the private subnet's route table. Lastly, you may need to update security groups and network ACLs depending on your network configuration.
References
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html