Understanding NAT Gateways – AWS Training

Understanding NAT Gateways - AWS Training

hello before we start I would like to introduce myself my name is Stuart Scott I'm one of their trainers here at cloud Academy specializing in AWS I know let's talk to you about an that gateway to help explain what this does let me just draw out our VP see quickly so we have a very simple V PC and we'll have two subnets in this V PC we'll have our public subnet and also we'll have a private subnet as well and it's the private subject that we're going to be focusing on so this will be our public and the green one will be our private subnet now obviously we'll have an Internet gateway attached to our V PC which will then connect out to the Internet okay so we have a public subnet and a private subnet now in our private subnet we'll have a number of ec2 instances running our applications and in our public subnet we'll likely to have a number of web servers as well as we know each of these subnets also have a root table attached public root table will have access to the Internet gateway and also to the other private subnet now I need to start thinking about security again now looking at our ec2 instances in the private subnet we are responsible as a part of the AWS shared responsibilities model to update and patch the operating systems running on each of our ec2 instances now if you're not familiar with the AWS shared responsibilities model I suggest you take a look at it it's critical to all of your AWS deployments and it essentially defines the boundaries of security as to what your walls and responsibilities are of implementing security within the cloud and what AWS is responsibility is of maintaining security of the cloud okay so with that in mind if we have the responsibility of maintaining the operating systems of our ec2 instances then we need to be able to download updates as and when we need to however this subnet is private meaning it has no access to the Internet gateway and therefore the internet so how can we download those updates well what we can do we can add a NAT gateway now on that Gateway to sit within the public subnet because it sits within the public subnet it has to have a public IP address in the form of an AIP which is an elastic IP address and this is assigned to the instance itself now because it sits within the public subnet it has a route out to the Internet gateway and to the Internet now once we have our nat gateway setup and configured we need to update the route table of our private subnet now by default our route table in our private something it will just have the local route that all route tables have but if we update that to provide a route to the net gateway we can see that I've added this additional route in here now this looks very familiar to the route we add to the public subnet to get access to the Internet via the Internet gateway and it is essentially the same so we'll add the 0 dot 0 dot 0 the 0 slash 0 which is essentially a destination to any IP address unknown in the route table already then send it to the target of the NAT gateway and they can tell us in that gateway as this first part here is prefixed with net and then this section along here is essentially the ID of the net gateway within your VPC so what this route table is telling us is that if any resource within this subnet needs to gain access to the Internet to perform an update then it can do so via our NAT over here this net gateway will then take the request Doe via the Internet gateway and download the appropriate software that's required and send it back to the ec2 instance requesting it now the important thing within that gateway is that it will not accept any inbound communication initiated from the internet it will only accept outbound communications originating from within your V PC so all denied all inbound traffic that has been initiated from the internet now then that gateway itself is managed by AWS so you don't have to provision the instance itself it's very easy to do you simply create than that gateway specify what subnet it should reside in an association in lastik IP address an AWS form all other configuration because it's managed by default AWS will set up multiple in that gateways for resiliency but you learn to see the one that Gateway within your account with the associated ID now earlier I mentioned about configuring your resources across multi availability zones so if you have multiple public subnets in different availability zones you will need to set up another NAT gateway within that subnet as well AWS will not automatically deploy and that gateway within each of your public subnets so just as a quick summary a net gateway allows instances within a private subnet access to the Internet but the NAP gateway itself will block all incoming initiations from the internet so it protects the private subnet in that way and this allows you to ensure that you maintain security of your ec2 instances ensuring that there RS is kept up to date and any patch management is taken care of as well I hope you enjoyed this video if you want to view the complete course visit cloud Academy com

Leave a Reply

Your email address will not be published. Required fields are marked *