← Back to Labs
Intermediate01:30:00

Creating NAT Gateways in AWS

Task 1Task 2Task 3Task 4Task 5Task 6Task 7Task 8Task 9Task 10Task 11Task 12
Task 1

Task 1: Sign in to AWS Management Console

↑ Top
  1. Click on the Open Console button, and you will get redirected to AWS Console in a new browser tab.
  2. On the AWS sign-in page,
  3. Leave the Account ID as default. Never edit/remove the 12 digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab.
  4. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in AWS Console and click on the Sign in button.
  5. Once Signed In to the AWS Management Console, Make the default AWS Region as US East (N. Virginia) us-east-1.
  6. Note : If you face any issues, please go through FAQs and Troubleshooting for Labs.
Task 2

Task 2 : Create a VPC

↑ Top
  1. In this task, we are going to create a Virtual Private Cloud (VPC), which provides a logically isolated section of the AWS cloud where users can launch resources such as instances, subnets, and gateways.
  2. Make sure you are in the US East (N. Virginia) us-east-1 region.
  3. Navigate to VPC under the services menu. Click on Your VPCs.
  4. Click on Create VPC button.
  5. Resources to create : Select VPC Only
  6. Name Tag : Enter MyVPC
  7. IPv4 CIDR block : Enter 10.0.0.0/16 (You can also put any other CIDR range)
  8. IPv6 CIDR block : Select No IPv6 CIDR Block
  9. Tenancy : Default
  10. Click on Create VPC.
  11. The VPC is now created.
Task 3

Task 3 : Create Public and Private Subnets

↑ Top
  1. In this task, we are going to create both public and private subnets within the VPC. Public subnets have internet connectivity, while private subnets do not have direct internet access.
  2. Navigate to Subnets in the left panel of the VPC page.
  3. Let's create a Public subnet. Click on Create Subnet button.
  4. VPC ID : select MyVPC
  5. Subnet Name : Enter MyPublicSubnet
  6. Availability Zone : No Preference
  7. IPv4 CIDR block : Enter 10.0.0.0/24
  8. Click on Create subnet button.
  9. Let's enable Auto Assign public IP to Instances created within this subnet,
  10. Select MyPublicSubnet , Click on Actions.
  11. Click on Edit subnet settings.
  12. Enable auto-assign public IPv4 address : Check
  13. Click on Save.
  14. Now, the Instances launched inside the MyPublicSubnet will have Public IPs assigned to them by default.
  15. Let’s create a private subnet. Click on Create subnet.
  16. VPC ID : select MyVPC
  17. Subnet Name : Enter MyPrivateSubnet
  18. Availability Zone : No Preference
  19. IPv4 CIDR block : Enter 10.0.1.0/24
  20. Click on Create subnet button.
  21. Now, two subnets are created.
Task 4

Task 4 : Create Internet Gateway

↑ Top
  1. In this task, we are going to create an Internet Gateway, which acts as a bridge between the VPC and the internet, allowing instances in the VPC to communicate with the internet.
  2. Navigate Internet Gateways in the left panel of the VPC page.
  3. Click on Create Internet gateway button.
  4. Name tag : Enter MyIGW
  5. Click on Create internet gateway button.
  6. An Internet Gateway is now created.
  7. To attach an Internet Gateway to a VPC,
  8. Click on Actions, Select Attach to VPC.
  9. VPC : Select MyVPC
  10. Click on Attach internet gateway.
  11. Now MyIGW is attached to MyVPC.
Task 5

Task 5 : Create Public Route Table and Configure

↑ Top
  1. In this task, we are going to create a public route table and configure it to associate with the public subnet. The public route table defines how traffic is routed between the VPC and the internet.
  2. Navigate to Route Table in the left panel of the VPC page.
  3. Click on Create route table button
  4. Name tag : Enter PublicRouteTable
  5. VPC : Select MyVPC
  6. Click on Create route table button.
  7. A route table by name PublicRouteTable will be created.
  8. To attach an Internet Gateway, select PublicRouteTable.
  9. In the Routes tab below:
  10. Click on Edit routes.
  11. On the next page, click on Add route
  12. Destination : Enter 0.0.0.0/0
  13. Target : Select Internet Gateway, and once the internet gateways have been created, select MyIGW
  14. Click on Save changes.
  15. To associate the Public Subnet to the route table, Select PublicRouteTable.
  16. Click on the Subnet Associations tab.
  17. Click on Edit subnet associations.
  18. On the next page, select MyPublicSubnet from the list displayed.
  19. Click on Save associations.
  20. Once all the configurations are completed, it should look like below:
  21. Now the Instances launched within MyPublicSubnet will have access to the Internet.
  22. As you can see, there is another existing route table already available for MyVPC. It is a main route table created at the time the VPC was created. We will use it while creating the NAT Gateway.
Task 6

Task 6 : Launch an EC2 Instance in Public Subnet

↑ Top
  1. In this task, we are going to launch an EC2 instance in the public subnet. This allows users to have a publicly accessible instance that can directly communicate with the internet.
  2. Make sure you are in the N.Virginia region.
  3. Navigate to the Services menu in the top, click on EC2 in the Compute section.
  4. Navigate to Instances on the left panel and click on Launch instances button
  5. Name : Enter MyPublicServer
  6. For Amazon Machine Image (AMI): Search for Amazon Linux 2023 AMI in the search box and click on the select button.
  7. For Instance Type: select t2.micro
  8. For Key pair: Select Create a new key pair Button
  9. Key pair name: MyKey
  10. Key pair type: RSA
  11. Private key file format: .pem
  12. Select Create key pair Button.
  13. In Network Settings Click on Edit:
  14. VPC : Select MyVPC
  15. Subnet : Select MyPublicSubnet
  16. Auto-assign public IP: Enable
  17. Select Create new Security group
  18. Security group name : Enter MyEC2Server_SG
  19. Description : Enter Security Group to allow traffic to EC2
  20. To add SSH
  21. Choose Type:
  22. Select SSH
  23. Source: Select Anywhere
  24. Keep Rest thing Default and Click on Launch Instance Button.
  25. Select View all Instances to View Instance you Created
  26. Launch Status: Your instance is now launching, Select the instance and wait for it to change status to Running.
Task 7

Task 7 : Launch an EC2 Instance in Private Subnet

↑ Top
  1. In this task, we are going to launch an EC2 instance in the private subnet. This demonstrates the concept of a private subnet, which does not have direct internet access.
  2. Click on Launch instances.
  3. Name : Enter MyPrivateServer
  4. For Amazon Machine Image (AMI): Search for Amazon Linux 2023 AMI in the search box and click on the select button.
  5. For Instance Type: select t2.micro
  6. For Key pair: Select the key pair you created before
  7. In Network Settings Click on Edit:
  8. VPC : Select MyVPC
  9. Subnet : Select MyPrivateSubnet
  10. Auto-assign public IP: Disable
  11. Select Select existing security group
  12. Select MyEC2Server_SG
  13. Keep Rest thing Default and Click on Launch Instance Button.
  14. Select View all Instances to View Instance you Created
  15. Launch Status: Your instance is now launching, Select the instance and wait for it to change status to Running.
  16. Note the Private IP Address of MyPrivateServer : Example 10.0.1.45
Task 8

Task 8 : SSH into Public and Private EC2 Instance and Test Internet Connectivity

↑ Top
  1. In this task, we are going to establish SSH connections to both the public and private EC2 instances. By testing internet connectivity from both instances, users can verify if the public instance has internet access and the private instance does not.
  2. SSH into MyPublicServer Instance. Follow the below steps
  3. Once the instance is created. Select the instance MyPublicServer.Click on connect button
  4. Now select the EC2 instance connect option. You can see there are four options for connecting to EC2. You can use any of the given options to get in the console but for our lab, we are using EC2 instance connect.
  5. A new tab would be opened in your browser where we can see the console.
  6. Switch to root user:
  7. sudo su
  8. Run the updates using the following command:
  9. yum -y update
  10. Since the Internet Gateway MyIGW is connected to MyPublicSubnet, updates will be completed successfully.
  11. Let’s SSH into MyPrivateEC2Server from MyPublicEC2Server.
  12. In order to SSH into MyPrivateEC2Server, first, we need to create the PEM file in the public EC2 ie, MyPublicEC2Server, and copy the data from our MyKey.pem in the local machine.
  13. We need MyKey.pem in order to SSH. We shall copy key details from the MyKey.pem from your local machine (which was downloaded earlier while launching EC2 instances).
  14. To copy the contents of the MyKey.pem, open the file in a text editor and copy the whole content.
  15. To create the MyKey.pem in MyPublicEC2Server, run
  16. vi MyKey.pem
  17. Now press the following for inserting the data(You can see insert popped at the last then you can paste the key).
  18. Click i
  19. Note: In the editor, copy and paste the key that looks similar to the example below:
  20. Save the File
  21. click esc
  22. :wq
  23. Check that the file was created correctly.
  24. ls
  25. Update Permissions for the MyKey.pem
  26. chmod 400 MyKey.pem
  27. Use the Private IP address of MyPrivateEC2Server to SSH.
  28. ssh ec2-user@<Private IP of MyPrivateEC2Server> -i MyKey.pem
  29. Note: Incase if this message shows Are you sure you want to continue connecting (yes/no)? : Enter yes
  30. Switch to root user
  31. sudo su
  32. Run the updates using the following command:
  33. yum -y update
  34. Since no internet access is provided for EC2 instances in a private subnet, you will not be able to get updates.
Task 9

Task 9 : Create a NAT Gateway

↑ Top
  1. In this task, we are going to create a NAT Gateway, which provides internet access to instances in the private subnet. The NAT Gateway acts as a middleman to forward traffic between the private subnet and the internet.
  2. Navigate to the VPC Page.
  3. Make sure you are still in the N.Virginia Region.
  4. In the Left Panel, click on NAT Gateways.
  5. Click on Create NAT gateway button.
  6. Name : Enter MyNATGateway
  7. VPC: Choose MyVPC
  8. Connectivity type: Public and Method of Elastic IP: Automatic.
  9. Once the new Elastic IP is allocated, click on Create NAT gateway.
  10. Note that NAT Gateway is always created in a public subnet.
  11. NAT Gateway will be created in a few minutes. Once created, the status will change to available.
Task 10

Task 10 : Update Route table and configure NAT Gateway

↑ Top
  1. In this task, we are going to update the route table associated with the private subnet to include the NAT Gateway as the target for internet-bound traffic. This ensures that traffic from the private subnet is directed through the NAT Gateway for internet access.
  2. Navigate to Route Tables in the left panel.
  3. You can see two Route Tables available for MyVPC
  4. To attach Nat Gateway, select the Main Route Table (which is different from the one created by you).
  5. In the Routes tab below,
  6. Click on Edit routes.
  7. In the next page, Click on Add route
  8. Destination: Enter 0.0.0.0/0
  9. Target: Select NAT Gateway, and once the internet gateways have loaded, select the NAT Gateway you created.
  10. Click on Save changes.
  11. Once all the configurations are completed, it should look like below.
  12. Now the Instances launched within MyPrivateSubnet can access the Internet through the NAT Gateway.
Task 11

Task 11 : Test Internet connection from Instance inside Private Subnet

↑ Top
  1. In this task, we are going to validate that the instance in the private subnet can successfully establish an internet connection by accessing the internet through the NAT Gateway.
  2. SSH back into MyPublicEC2Server .
  3. Switch to root user
  4. sudo su
  5. SSH into MyPrivateEC2Server
  6. ssh ec2-user@<Private IP of MyPrivateEC2Server> -i MyKey.pem
  7. Switch to root user
  8. sudo su
  9. Run the updates using the following command:
  10. yum -y update
  11. You can see that the updates have been completed successfully in the terminal.
  12. This shows that MyPrivateEC2Server has internet access.
  13. Use exit command to close the private server connection.
  14. Do You Know?
  15. NAT Gateway allows for high scalability and can handle thousands to tens of thousands of concurrent connections per second. It is designed to handle significant traffic loads and provides automatic scaling based on the demand. This means that as your network traffic increases, AWS automatically scales up the NAT Gateway capacity to accommodate the higher workload. This scalability feature ensures that your instances in the private subnet can maintain reliable and efficient internet connectivity, even during periods of high demand or traffic spikes.
Task 12

Task 12 : Validation Test

↑ Top
  1. Once the lab steps are completed, please click on the Validation button on the left side panel.
  2. This will validate the resources in the AWS account and shows you whether you have completed this lab successfully or not.
  3. Sample output :
  4. Completion and Conclusion
  5. You have successfully created a new VPC from scratch and created both public and private subnets.
  6. You have created an Internet Gateway and configured a new route table.
  7. You have launched 1 EC2 instance each of the Public and Private subnets and tested Internet access from them.
  8. To provide Internet access to the EC2 instance in the Private subnet, you created a NAT Gateway and configured a Route table.
  9. You confirmed that the instance in the private subnet is able to connect to the internet.
  10. End Lab
  11. Sign out of AWS Account.
  12. You have successfully completed the lab.
  13. Once you have completed the steps, click on End Lab from the lab console.
← Back to Labs