2

I have seen this question: Static IP address for outgoing traffic from AWS autoscaling group, but it doesn't seem to fit exactly what I'm trying to do.

Here's the scenario:

I have an autoscaling group of web servers that receive traffic from an ELB. This is working fine for incoming web traffic.

The issue is that I have a number of outside services that these web servers need to connect to. These services require that I provide the vendor an IP address so they can whitelist my servers making the requests. I am trying to create a NAT instance so outbound requests coming from these web servers will all appear to be coming from one IP (since the scaling group could have any IP that is auto-assigned).

All the scenarios from AWS revolve around giving a private subnet access to the internet through a NAT. In this case, I need to only route requests originating from these boxes through the NAT. Incoming web traffic should still work like normal, with the responses passing directly through the internet gateway.

When I try to set this up, by modifying the main route table to send outbound traffic through the NAT, everything stops working (I assume because there is no rule for routing traffic through the internet gateway, since I just changed it to the NAT).

Hopefully this makes sense. Any suggestions would be greatly appreciated.

gmorse

1 Answer

4

The NAT instance is the correct solution to the situation you are in, but I suspect you have made a common provisioning error: you have your web server instances on the same subnet as your ELB.

It's intuitive to do it that way, but it's not correct, unless your web servers also have their own public IP addresses.

I assume this because otherwise there's no reason for your web servers not to be able to reply to requests when you change their default routes. The web servers don't talk to the browsers; they talk only to the ELB. So what's technically breaking when you change the default route is that the ELBs can no longer route back to the browsers.

The correct configuration is to place the ELB on a public subnet, which uses the Internet Gateway as its default route, and the web servers on a private subnet, which uses a NAT instance as its default route. The NAT instance itself also goes on a public subnet, of course.

See VPC public subnet internet access with ELB hooked up.

While this AWS document is about Elastic Beanstalk, the illustration is still relevant. The ELB is shown in a public subnet, along with a NAT instance, and the web servers are in a private subnet.

See also Why do we need private subnet in VPC?

Michael - sqlbot
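The layout the answer describes (ELB and NAT instance on a public subnet whose default route is the Internet Gateway, web servers on a private subnet whose default route is the NAT instance) can be checked before changing anything. The script below is an added example, not code from the question or the answer: it walks route tables in the shape that `aws ec2 describe-route-tables` returns, resolves which table each subnet actually uses (an explicit association wins, otherwise the main table), and reports the mistakes the thread discusses. The two data sets are constructed; subnet, route-table and instance ids are placeholders.

```python
"""Validate the ELB / NAT-instance subnet layout from the answer.

The route-table dictionaries mimic `aws ec2 describe-route-tables` output but
are constructed for this example; every id below is a placeholder.
"""


def default_route_kind(route_table):
    """Return ("igw", id), ("nat", id) or (None, None) for the 0.0.0.0/0 route."""
    if route_table is None:
        return (None, None)
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        gateway = route.get("GatewayId") or ""
        if gateway.startswith("igw-"):
            return ("igw", gateway)
        # A NAT instance shows up as InstanceId; a managed NAT gateway as NatGatewayId.
        target = route.get("InstanceId") or route.get("NatGatewayId")
        if target:
            return ("nat", target)
    return (None, None)


def subnet_route_table(route_tables, subnet_id):
    """Resolve the effective table: explicit subnet association, else the main table."""
    main_table = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main_table = table
    return main_table


def check_layout(route_tables, elb_subnet, web_subnet, nat_subnet):
    """Return a list of problems; an empty list means the layout matches the answer."""
    problems = []
    if elb_subnet == web_subnet:
        problems.append("ELB and web servers share a subnet, so one default route "
                        "cannot point at both the Internet Gateway and the NAT")
    elb_kind, _ = default_route_kind(subnet_route_table(route_tables, elb_subnet))
    if elb_kind != "igw":
        problems.append(f"ELB subnet {elb_subnet} default route is {elb_kind!r}, expected Internet Gateway")
    web_kind, _ = default_route_kind(subnet_route_table(route_tables, web_subnet))
    if web_kind != "nat":
        problems.append(f"web subnet {web_subnet} default route is {web_kind!r}, expected NAT instance")
    nat_kind, _ = default_route_kind(subnet_route_table(route_tables, nat_subnet))
    if nat_kind != "igw":
        problems.append(f"NAT subnet {nat_subnet} default route is {nat_kind!r}, expected Internet Gateway")
    return problems


# Constructed: the questioner's state, everything on one subnet using the main
# table, whose default route was just switched to the NAT instance.
BROKEN_TABLES = [
    {"RouteTableId": "rtb-main-PLACEHOLDER",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-PLACEHOLDER"}]},
]

# Constructed: the answer's layout. The public subnet has its own table with
# the IGW default route; the private subnet falls through to the main table.
FIXED_TABLES = [
    {"RouteTableId": "rtb-main-PLACEHOLDER",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-PLACEHOLDER"}]},
    {"RouteTableId": "rtb-public-PLACEHOLDER",
     "Associations": [{"SubnetId": "subnet-public-PLACEHOLDER"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
]


def broken_problems():
    return check_layout(BROKEN_TABLES, "subnet-a-PLACEHOLDER",
                        "subnet-a-PLACEHOLDER", "subnet-a-PLACEHOLDER")


def fixed_problems():
    return check_layout(FIXED_TABLES, "subnet-public-PLACEHOLDER",
                        "subnet-private-PLACEHOLDER", "subnet-public-PLACEHOLDER")


if __name__ == "__main__":
    for label, problems in (("broken", broken_problems()), ("fixed", fixed_problems())):
        print(label, "OK" if not problems else "")
        for problem in problems:
            print("  -", problem)
```

The check deliberately resolves the main table as a fallback, because that is where the questioner's change landed: with no per-subnet association, editing the main table rerouted the ELB and the NAT instance as well as the web servers. Remember also that a NAT instance needs source/destination checking disabled, which this script does not inspect.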