In my last post we have configured a VPC with a single public subnet by using wizard. In this post, we will add a private subnet to our VPC and configure a NAT server manually. After adding our subnet and enable our instances to reach the internet , next step will be adding a hardware vpn. In my last blog I had created a VPC with 22.214.171.124/16 block and a subnet 126.96.36.199/24 (Subnet_for_webservers). Now let’s create our second subnet.
When we click the “Create Subnet” button , as you see, it asks for a name of the subnet, the name of the VPC we will create a subnet in, the availability zone (remember that it is important to choose a different AZ for HA solutions) and the range.
We will use the settings below.
Name tag: Subnet_for_dbservers
CIDR block: 188.8.131.52/24
Now we’ve created our subnet and we have to check the status and the route table . As you see below, it uses our default route table and the route table says that only the instances in that subnet can communicate with each other (There is no route for outbound and inbound).
Remember that if we add a default route to our subnet it will change to a public subnet (the difference between subnet and private is there is a 0.0.0.0/0 route and the target is
igw-89dfcdeb , our internet gateway). You can imagine that if we create a NAT server and create a route for 0.0.0.0/0 and configure our target as NAT server, instances in our private subnet will be able to reach the internet. So our next step is create a NAT server. If you configured your VPC by using wizard, it will automatically create your NAT server. In our case we have to create it manually. On our VPC dashboard, you can launch an instance and use search to find a NAT server. I will use amzn-ami-vpc-nat-pv-2013.09.0.x86_64-ebs – ami-f3e30084 as a NAT server.
When we launch our NAT instance ,there are some steps we have to be careful:
1- We have to choose our correct VPC (in our case it is demo_vpc)
2- Second we have to choose our public subnet(subnet_for_webservers)
3- We have to assign a public ip address. Wizard lets us to choose. Also we can use an EIP later
4- We should disable “source/destination check” on our NAT instance
5- Configure security group for your NAT server (Allow only what you need)
After you launched your instance, you can connect to it and if it is ok, you can add a route for our private subnet (If you have trouble to connect to your NAT instance , you can check your security group). Now we will add a new route table for our subnet and configure it that all internet traffic (0.0.0.0/0) will go to our NAT instance.
As you see it is only routed in locally and the subnet association is empty. We will add a route and associate the table with our db_server subnet.
When we edit the route table our NAT server can be added as a target. And in subnet association, we can choose our db_server subnet.
Last step is to configure a security group for your instance. For example if these instances in our db_server subnet runs mysql you should create seperate security groups for your NAT and db_servers subnet. You can check the necessary configuration in aws example.
If you have any question or comment please feel free to write.