NAT stands for Network Address Translation.
We launch many instances in private subnet in the VPC for security reasons. These instances cannot communicate with the internet. But there are many scenarios when these instances need to connect to internet like for patch updates, software installation, connection to Git repository etc. In these scenarios we need to make these instances communicate with the internet.
NAT Instances and NAT Gateways come handy in these cases. These allow only outbound traffic to internet and restrict inbound traffic from internet. It means our instances in the private subnet can make connection to internet but nobody from the internet can access our instances in private subnet.
Below are some basic points and differences between NAT Instances and NAT Gateways:
NAT Instances
1. NAT instance is like an EC2 instance and is also launched like an EC2 instance from AWS console.
2. It should always be launched in the public subnet.
3. Once launched, you need to manually disable source/destination check (this option is available under Actions >> Networking). This is because, it will be sending and receiving traffic on behalf of other instances, so the source and/or destination might not be itself.
4. You need to manage this instance yourself like you manage your EC2 instances.
5. NAT instance should be assigned an Elastic IP (but you can also use public IP).
NAT Gateway
1. Managed by AWS (you need to manage NAT instances yourself).
2. Always deploy your NAT Gateway in public subnet.
3. You must allocate Elastic IP to your NAT Gateway (you can allocate public IP to NAT instances).
4. In the main Route Table of your VPC (or the Route Table connected to private subnet), add a route out to this NAT Gateway. Set Destination as 0.0.0.0/0 and set target as NAT Gateway.
5. You cannot assign security groups to NAT Gateway (you can assign security groups to NAT instances).
6. You need one in each AZ since they only operate in a single AZ.
Note: Both NAT Instances and NAT Gateway only support IPv4 traffic (not IPv6).
Documentation: NAT Instances, NAT Gateway, Difference between NAT Instance and NAT Gateway
We launch many instances in private subnet in the VPC for security reasons. These instances cannot communicate with the internet. But there are many scenarios when these instances need to connect to internet like for patch updates, software installation, connection to Git repository etc. In these scenarios we need to make these instances communicate with the internet.
NAT Instances and NAT Gateways come handy in these cases. These allow only outbound traffic to internet and restrict inbound traffic from internet. It means our instances in the private subnet can make connection to internet but nobody from the internet can access our instances in private subnet.
Below are some basic points and differences between NAT Instances and NAT Gateways:
NAT Instances
1. NAT instance is like an EC2 instance and is also launched like an EC2 instance from AWS console.
2. It should always be launched in the public subnet.
3. Once launched, you need to manually disable source/destination check (this option is available under Actions >> Networking). This is because, it will be sending and receiving traffic on behalf of other instances, so the source and/or destination might not be itself.
4. You need to manage this instance yourself like you manage your EC2 instances.
5. NAT instance should be assigned an Elastic IP (but you can also use public IP).
NAT Gateway
1. Managed by AWS (you need to manage NAT instances yourself).
2. Always deploy your NAT Gateway in public subnet.
3. You must allocate Elastic IP to your NAT Gateway (you can allocate public IP to NAT instances).
4. In the main Route Table of your VPC (or the Route Table connected to private subnet), add a route out to this NAT Gateway. Set Destination as 0.0.0.0/0 and set target as NAT Gateway.
5. You cannot assign security groups to NAT Gateway (you can assign security groups to NAT instances).
6. You need one in each AZ since they only operate in a single AZ.
Note: Both NAT Instances and NAT Gateway only support IPv4 traffic (not IPv6).
Documentation: NAT Instances, NAT Gateway, Difference between NAT Instance and NAT Gateway
No comments:
Post a Comment