AWS Create Private Subnets and NAT Gateway


From the case correspondence, I understand that you wish to deploy some services in a private subnet and some in a public one, and since you have already deployed some resources in the default public subnet, you wish to make that subnet private without reinstalling any of those services. Please correct me if my understanding is incorrect.

With regard to your requirement, let me first confirm the definition of a public and a private subnet. A subnet is considered a public subnet if, and only if, its route table has a default route (0.0.0.0/0) to the Internet Gateway (IGW). If the default route points anywhere else, or there is no default route, the subnet is considered private. The reasoning behind this definition is that the public IPs of the instances, even when using Elastic IPs (EIPs), reside on the IGW, where the inbound NAT translation between public and private IP happens. Without a return route to the IGW, internet-initiated traffic cannot return to the original sender with the relevant identifiable IP/port information, so connectivity using the instances' public IP is no longer possible.

It is important to note, however, that packets sent to the public IP of an instance in a private subnet will still reach the instance; but because the return traffic will not go to the IGW, the connection attempt will always time out from the perspective of the initiator. More on this below under step 2c. Hence you have two options to achieve this task.

1. Deploy new subnets in the same VPC, make them private, and then deploy the new services there. This is straightforward, and its steps overlap with those of the second option.

2. Convert the existing public subnet to a private subnet:

a) Create a NAT gateway. A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, while external services cannot initiate a connection with those instances. Please refer to link [1] for more details.

b) Create a route table and associate it with the subnet that you wish to make private. This step converts your subnet into a private subnet and breaks any connectivity via the public IPs associated with your instances. In the mentioned VPC vpc-0bc8c3de7dcc6dd0a I notice 3 default subnets, "subnet-02880e97b5e9d3d1d", "subnet-061ce1660303b85a0" and "subnet-0b4ab2a3be789957d". All of these subnets are associated with the main route table "rtb-081b52ca7bb3675a8". The main route table contains a default route to the internet gateway, which should not be present for a private subnet. Hence we would have to replace the main route table association for the private subnets with a custom route table. Navigate to the Route tables section under VPC and create a new route table. If you need the resources in your private subnet to have access to the Internet, add a default route (0.0.0.0/0) pointing to the NAT gateway. Then navigate to the Subnets section, select the subnet, click Actions, select "Edit route table association" and associate the custom route table. Please refer to link [2] for the detailed process.

c) Disable the auto-assign public IP setting for the private subnets. This is strongly recommended for subnets that you wish to make private. The result is that no packet from the internet will arrive at your server, such as SYN packets for TCP-based connection attempts, because there is no associated public IP NAT mapping. DDoS attacks such as SYN floods remain possible unless this step is taken, so it is a good idea to proceed with it wherever public IPs are not required. You can find the process to complete this task at link [3].
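The public/private rule stated above (default route to an IGW, with unassociated subnets falling back to the VPC's main route table) and the three-step conversion (custom route table with a default route to the NAT gateway, then auto-assign public IP switched off) can be turned into a small audit that tells you where each subnet stands. The following is an added example written for this page, not code from the support reply or from AWS. The input dictionaries are constructed to mimic the shape of `describe-route-tables` and `describe-subnets` output; the subnet and main route table IDs are the ones quoted in the reply, while `rtb-custom-placeholder`, `nat-placeholder` and `igw-placeholder` are hypothetical IDs standing in for the custom route table, NAT gateway and internet gateway.

```python
"""Classify VPC subnets as public/private and flag half-finished conversions.

Rule from the reply: a subnet is public iff the route table it uses has an
active 0.0.0.0/0 route whose target is an internet gateway (igw-*). A subnet
without an explicit association uses the VPC's main route table.
"""
from typing import Optional

DEFAULT_ROUTE = "0.0.0.0/0"


def subnet_route_table(subnet_id: str, route_tables: list) -> Optional[dict]:
    """Route table that applies to a subnet: explicit association wins,
    otherwise the main route table (the AWS fallback)."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route_target(rtb: dict) -> Optional[str]:
    """Target ID of the active 0.0.0.0/0 route (igw-*, nat-*, ...) or None."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":
            continue  # blackhole routes do not provide a path anywhere
        return (route.get("GatewayId") or route.get("NatGatewayId")
                or route.get("NetworkInterfaceId") or route.get("InstanceId"))
    return None


def is_public(subnet_id: str, route_tables: list) -> bool:
    """Public iff the effective default route points at an internet gateway."""
    rtb = subnet_route_table(subnet_id, route_tables)
    if rtb is None:
        return False
    target = default_route_target(rtb)
    return target is not None and target.startswith("igw-")


def audit(subnets: list, route_tables: list) -> dict:
    """Per subnet: public/private, effective route table, default-route target,
    whether it has any internet egress (IGW or NAT), and whether step 2c
    (disable auto-assign public IP) is still outstanding on a private subnet."""
    report = {}
    for s in subnets:
        sid = s["SubnetId"]
        rtb = subnet_route_table(sid, route_tables)
        target = default_route_target(rtb) if rtb else None
        public = target is not None and target.startswith("igw-")
        egress = target is not None and target[:4] in ("igw-", "nat-")
        auto_ip = bool(s.get("MapPublicIpOnLaunch", False))
        report[sid] = {
            "public": public,
            "route_table": rtb["RouteTableId"] if rtb else None,
            "default_route_target": target,
            "internet_egress": egress,
            "auto_assign_public_ip": auto_ip,
            # private subnet still handing out public IPs: step 2c not done
            "finding": "disable MapPublicIpOnLaunch" if (not public and auto_ip) else None,
        }
    return report


# Constructed sample data (shape of describe-route-tables / describe-subnets).
ROUTE_TABLES = [
    {   # main route table quoted in the reply: default route to the IGW
        "RouteTableId": "rtb-081b52ca7bb3675a8",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-placeholder", "State": "active"},
        ],
    },
    {   # hypothetical custom table from step 2b: default route to the NAT gateway
        "RouteTableId": "rtb-custom-placeholder",
        "Associations": [{"SubnetId": "subnet-02880e97b5e9d3d1d"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-placeholder", "State": "active"},
        ],
    },
]
SUBNETS = [
    {"SubnetId": "subnet-02880e97b5e9d3d1d", "MapPublicIpOnLaunch": True},   # 2b done, 2c not
    {"SubnetId": "subnet-061ce1660303b85a0", "MapPublicIpOnLaunch": True},   # still public
    {"SubnetId": "subnet-0b4ab2a3be789957d", "MapPublicIpOnLaunch": False},  # still public
]

if __name__ == "__main__":
    for sid, row in audit(SUBNETS, ROUTE_TABLES).items():
        print(sid, row)
```

Run against real data by feeding the `RouteTables` and `Subnets` lists from the two describe calls into `audit()`; a subnet reported as private with `internet_egress` false has neither an IGW nor a NAT default route, which is what you will see if step 2b was done without adding the NAT route.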
I would also advise you to lock down the Security Groups and NACLs to only allow access from the local VPC. I hope this information has been helpful; please don't hesitate to reach out to me if you have any follow-up questions.

[1] Create a NAT gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
[2] Access the internet from a private subnet: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html#public-nat-internet-access
[3] Modify the public IPv4 addressing attribute for your subnet: https://docs.aws.amazon.com/vpc/latest/userguide/working-with-subnets.html
