Network Address Translation (NAT) Instances, NAT Gateways, Egress-only Internet Gateways and Bastion Hosts
How to let EC2 instances in a private subnet reach the internet for downloading software and patches
Launch a NAT instance from a NAT AMI in a public subnet
You need to disable the source/destination check on the NAT instance
Add a new route in the private subnet's route table to send all traffic with destination 0.0.0.0/0 to the NAT instance (target)
Unlike an internet gateway, a NAT instance provides only one-way access (request and response) to the internet, meaning nobody can initiate a connection from the internet into the private subnet
NAT Gateway (IPv4)
IPv4 only; highly available and redundant (unlike a NAT instance)
NO need to disable the source/destination check
Needs an Elastic IP
Add a new route in the private subnet’s route table to send all traffic with destination 0.0.0.0/0 to the NAT gateway (target)
Egress-only internet gateway (IPv6)
An egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead.
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
How to access your EC2 instances residing in a private subnet
Over the internet using SSH/RDP through a bastion host
Bastion hosts allow you to reach EC2 instances in a private subnet via SSH/RDP
Bastion hosts live in public subnets
ALLOW SSH/RDP from the bastion host by adding an inbound rule, with the bastion host's security group as the source, to the security group of the instances in the private subnet
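An added offline check (example code, not part of these notes) for the two configuration points above: the private route table's default routes and the bastion-only SSH/RDP rule. It takes dicts shaped like the EC2 DescribeRouteTables and DescribeSecurityGroups responses; every ID in it is a constructed placeholder.

```python
# Offline sanity checks for the private-subnet patterns in these notes, run against dicts shaped
# like EC2 DescribeRouteTables / DescribeSecurityGroups output. All IDs are constructed placeholders.
NAT_TARGETS = ("nat-", "i-", "eni-")  # NAT gateway, or a NAT instance by instance/ENI id

def route_target(route):
    # EC2 stores the target under a key that depends on its type; return whichever is present.
    for key in ("NatGatewayId", "InstanceId", "NetworkInterfaceId",
                "EgressOnlyInternetGatewayId", "GatewayId"):
        if key in route:
            return route[key]
    return ""

def check_private_route_table(table):
    """Default routes must go to NAT (IPv4) or an egress-only IGW (IPv6), never to an igw-."""
    findings, rtb = [], table["RouteTableId"]
    for r in table["Routes"]:
        target = route_target(r)
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and not target.startswith(NAT_TARGETS):
            findings.append(f"{rtb}: 0.0.0.0/0 -> {target} (expected NAT instance or NAT gateway)")
        if r.get("DestinationIpv6CidrBlock") == "::/0" and not target.startswith("eigw-"):
            findings.append(f"{rtb}: ::/0 -> {target} (expected egress-only internet gateway)")
    return findings

def check_private_sg(sg, bastion_sg_id, admin_ports=(22, 3389)):
    """SSH/RDP inbound must name the bastion's security group as source, not a CIDR."""
    findings, gid = [], sg["GroupId"]
    for perm in sg["IpPermissions"]:
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # absent = all ports
        if not any(lo <= p <= hi for p in admin_ports):
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{gid}: ports {lo}-{hi} open to {cidr} (use {bastion_sg_id} as source)")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != bastion_sg_id:
                findings.append(f"{gid}: ports {lo}-{hi} open to {pair['GroupId']} (expected {bastion_sg_id})")
    return findings

# Constructed samples: a compliant route table, one that leaks via an internet gateway, and an SG open to all.
GOOD_RTB = {"RouteTableId": "rtb-PLACEHOLDER1", "Routes": [
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"},
    {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-PLACEHOLDER"}]}
BAD_RTB = {"RouteTableId": "rtb-PLACEHOLDER2", "Routes": [
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]}
BAD_SG = {"GroupId": "sg-PLACEHOLDER-private", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
if __name__ == "__main__":
    for f in check_private_route_table(BAD_RTB) + check_private_sg(BAD_SG, "sg-PLACEHOLDER-bastion"):
        print("FINDING:", f)
```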
Using AWS Systems Manager: Systems Manager is a management tool that enables you to gain operational insight into, and take action on, AWS resources safely and at scale. Using Run Command, one of the automation features of Systems Manager, you can simplify management tasks by eliminating the need for bastion hosts, SSH, or remote PowerShell.
If you have a running EC2 instance, find the IAM role it uses and attach the AWS managed policy "AmazonEC2RoleforSSM" to that role. Remember that you can attach multiple policies to a single role.
If you are launching a new EC2 instance, create a new role, attach the "AmazonEC2RoleforSSM" policy to it, and assign that role to the instance.