
I have a public subnet in AWS and I have 3 instances in it ...

  1. WebApp01 (Elastic IP - 54.23.61.239 for example)
  2. WebApp02 (Private IP - 192.168.0.24)
  3. WebApp03 (Private IP - 192.168.0.25)

And my route table is set up as:

    192.168.0.0/16 -> local
    0.0.0.0/0      -> Internet Gateway

I can see that the instance that has the public IP has internet access but the instances that don't have public IP are not able to access the internet.

How can I give internet access to the other instances inside the Public Subnet?

I'm a newbie in networking and any help will be appreciated.

Just FYI: I know that creating a NAT, and then creating a separate route table with 0.0.0.0/0 -> NAT and associating that route table with the Private Subnet, gives internet access to the instances in the private subnet, but I can't figure out how to give internet access to the non-public-IP instances in the public subnet. Please help!

Tarunpreet Ubhi

1 Answer


You will need to assign public IP addresses to your instances that do not have one or add an EIP in order for them to access the Internet.

An AWS Internet Gateway is a special type of NAT Gateway (1 - 1 address mapping). Without a public IP address there is nothing for the Internet Gateway to map to the EC2 instance - one public IP maps to one private IP inside the Internet Gateway.

Although you add a NAT Gateway to a public subnet with an Internet Gateway, the NAT Gateway does not provide address translation (NAT) to instances in the public subnet - only to instances in the private subnets. The default route in each private subnet points to the NAT Gateway.

If you want these instances to be protected by only having private IP addresses then you will need to move the instances to a private subnet (one with a NAT Gateway).

An instance in a public subnet without a public IP address is orphaned from the Internet. The instance can talk to other instances in the VPC (the Intranet) but cannot talk to the Internet.

There is a lot of confusion about what AWS VPC subnets are. There are three types:

  1. Public subnet (one whose default route points to an IGW).
  2. Private subnet (one whose default route points to a NAT Gateway or NAT instance, or that has no default route at all).
  3. Hybrid (one whose default route points to a VGW routing to a data center or similar).

John Hanley
  • So according to your explanation, for a public subnet, I need to have public or elastic IP addresses for all the instances in that subnet for which I want internet access on. Else I need to move them to another subnet and then use the NAT. But there is no way that I can have the private instances in the subnet (non public or elastic IP addresses) access the internet because the AWS IGW is a special gateway with a 1:1 mapping for the public to private IP ... I think I understand now. Thanks :) – Tarunpreet Ubhi Jul 21 '18 at 07:35
  • Can you elaborate a little bit on "You cannot add a NAT Gateway to a subnet with an Internet Gateway (you cannot have two default routes)." ? By my knowledge, you always add your NAT gateway to the Public Subnet and then route your private subnets through this NAT, isn't that the case ? – Tarunpreet Ubhi Jul 21 '18 at 07:44
  • @TarunpreetUbhi yes: although the definition is not completely precise, we can define a "public subnet" as a subnet where instances are expected to have public IP addresses and a "private subnet" as a subnet where they are not. Deviating from this strategy is ill-advised and does not work because your observation about the Internet Gateway's 1:1 mapping is correct. NAT Gateways are always "located on" public subnets (so they themselves can access the internet; they always have EIPs), but they "provide services to" private subnets via route table entries that point to them. – Michael - sqlbot Jul 21 '18 at 14:12
  • @Michael-sqlbot - I was trying too hard to simplify my explanation. I should have said that you cannot add a NAT Gateway in a public subnet providing address translation for instances in the public subnet, only to instances in private subnets. I will modify my answer to be clear in this respect. – John Hanley Jul 21 '18 at 15:11
  • Thanks for your answer @JohnHanley. Is there any specific reason behind keeping IGW as 1:1 mapping rather than having a full NAT gateway? Why have two components instead of only one? Apologies, if this is a very basic question, I'm not a networking expert but want to understand a bit more on "why". – Ganesh Satpute Aug 05 '20 at 13:47
  • Networking is virtualized in the cloud. A one-to-one NAT is different than a traditional NAT gateway. The second adds port translation (mapping) in addition to address mapping. A NAT gateway typically requires more "CPU" power than a one-to-one NAT. – John Hanley Aug 05 '20 at 17:43
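The answer's rule (an IGW needs a public IP to map 1:1; a NAT Gateway only serves subnets whose default route points at it) can be turned into an audit that flags the exact misconfiguration in the question: instances sitting in a public subnet with no public IP. The script below is an added example, not code from the original thread or from AWS. The two dictionaries are constructed sample data shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-instances`; subnet, gateway and instance IDs are invented placeholders. In a real account you would replace them with the responses from boto3's `describe_route_tables()` and `describe_instances()`.

```python
"""Classify VPC subnets by their default route and flag instances that cannot
reach the Internet. Added example with constructed data, not AWS or the Q&A's code."""

# Constructed sample: three route tables, shaped like describe-route-tables output.
ROUTE_TABLES = {
    "RouteTables": [
        {   # explicitly associated with the public subnet: default route -> IGW
            "RouteTableId": "rtb-public-example",
            "Associations": [{"SubnetId": "subnet-public-example", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
            ],
        },
        {   # explicitly associated with the private subnet: default route -> NAT GW
            "RouteTableId": "rtb-private-example",
            "Associations": [{"SubnetId": "subnet-private-example", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
            ],
        },
        {   # VPC main table (used by any subnet without its own association): no default route
            "RouteTableId": "rtb-main-example",
            "Associations": [{"Main": True}],
            "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"}],
        },
    ]
}

# Constructed sample mirroring the question: WebApp01 has a public IP, 02 and 03 do not.
INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-webapp01", "SubnetId": "subnet-public-example",
         "PrivateIpAddress": "192.168.0.23", "PublicIpAddress": "54.23.61.239"},
        {"InstanceId": "i-webapp02", "SubnetId": "subnet-public-example",
         "PrivateIpAddress": "192.168.0.24"},
        {"InstanceId": "i-webapp03", "SubnetId": "subnet-public-example",
         "PrivateIpAddress": "192.168.0.25"},
        {"InstanceId": "i-backend01", "SubnetId": "subnet-private-example",
         "PrivateIpAddress": "192.168.1.10"},
        {"InstanceId": "i-isolated01", "SubnetId": "subnet-isolated-example",
         "PrivateIpAddress": "192.168.2.10"},
    ]}]
}


def route_table_for(subnet_id, route_tables):
    """Return the route table explicitly associated with subnet_id, else the VPC main table."""
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def subnet_kind(subnet_id, route_tables):
    """'public' (default route -> igw), 'private' (-> NAT gateway or NAT instance),
    'hybrid' (-> vgw) or 'isolated' (no default route), per the answer's taxonomy."""
    table = route_table_for(subnet_id, route_tables)
    if table is None:
        return "isolated"
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            return "public"
        if gateway.startswith("vgw-"):
            return "hybrid"
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "private"
    return "isolated"


def audit(instances, route_tables):
    """Per-instance verdict on Internet reachability, with the reason from the answer."""
    findings = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            kind = subnet_kind(inst["SubnetId"], route_tables)
            has_public_ip = "PublicIpAddress" in inst
            if kind == "public" and has_public_ip:
                reachable, note = True, "IGW maps the public IP 1:1 to the private IP"
            elif kind == "public":
                reachable, note = False, "orphaned: public subnet but no public IP for the IGW to map"
            elif kind == "private":
                reachable, note = True, "outbound via NAT Gateway (many private IPs behind one EIP)"
            elif kind == "hybrid":
                reachable, note = None, "default route leaves via VGW; depends on data-center egress"
            else:
                reachable, note = False, "no default route at all"
            findings.append({"InstanceId": inst["InstanceId"], "subnet": kind,
                             "public_ip": has_public_ip, "internet": reachable, "note": note})
    return findings


def orphaned_instances(findings):
    """IDs of instances that sit in a public subnet without a public IP (the question's case)."""
    return [f["InstanceId"] for f in findings if f["subnet"] == "public" and not f["public_ip"]]


if __name__ == "__main__":
    for f in audit(INSTANCES, ROUTE_TABLES):
        print(f"{f['InstanceId']:<14} {f['subnet']:<9} public_ip={f['public_ip']!s:<5} "
              f"internet={f['internet']!s:<5} {f['note']}")
    print("orphaned:", orphaned_instances(audit(INSTANCES, ROUTE_TABLES)))
```

Run as-is, the report marks WebApp02 and WebApp03 as orphaned, exactly the symptom in the question, while the NAT-backed private-subnet instance is reachable without any public IP. The two remediations in the answer map directly onto the two fields the audit keys on: either give the instance a public IP/EIP (`PublicIpAddress` appears) or move it to a subnet whose default route is a NAT Gateway (`subnet_kind` becomes `private`).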