  • I have a public subnet (S1) with a route pointing to the internet gateway in its route table.
  • I launched an EC2 instance (I1) inside S1 but did not allocate a public IP to it, so the instance only has a private IP address and cannot be reached from the internet.
  • I have set up path-based routing from my gateway to the instance (I1), which works just fine, meaning requests to the gateway are being served without hindrance.
  • The problem is I need to access some resource on the internet from my instance I1, but the instance should not be reachable from outside.

Am I wrong in thinking that the instance could communicate with the internet via the gateway (just like a mobile with a private IP inside a Wi-Fi network talks to the internet via the access point's public IP)?!

I just wanted to know if this can be achieved without assigning a public IP/Elastic IP to my instance, because you need internet access for installing any software too. How do people implement this requirement?!

NOTE: For private subnets a NAT gateway works just fine, but this is a public subnet; if you point it to a NAT gateway, you need to remove the route pointing to the internet gateway, meaning my gateway will not be able to communicate with my instance (because the ALB/gateway only communicates with instances in a public subnet in AWS?!).

P.S.: Beginner in AWS, please don't abuse me for any knowledge gaps. Thanks in advance.

--Yash

Yasasvee
  • Public instances are meant to have a public IP with security groups that control access. If all you have is a private IP then you have to have a NAT gateway. That is true, universally, for all hosts on the internet. There are several things you can do to work around routing issues. But, you have fundamentally designed your framework wrong. If the instance needs to be private, behind a NAT gateway, then move it to a private subnet with a NAT gateway. That is the solution. – Appleoddity Feb 06 '18 at 04:15
  • I get your point, but my gateway needs to communicate with my instance; that is why I cannot move it into a private subnet and point it to a NAT gateway. But what is the usual scenario?! Will people not have a requirement to install/update any software on machines with private IPs at all, in which case they need to communicate with the internet?! – Yasasvee Feb 06 '18 at 04:43
  • *"Because ALB/Gateway only communicates to instances in a public subnet in AWS?!"* is incorrect. Place the ALB itself in the public subnets, leaving the instances in the private subnets. – Michael - sqlbot Feb 06 '18 at 19:18

1 Answer


You are misunderstanding / misusing Public and Private subnets.

A public subnet has an Internet gateway (IGW). Instances in the public subnet need public IP addresses to access the Internet.

A private subnet has a NAT Gateway or NAT Instance. Instances in a private subnet do not have public IP addresses.

In summary: if a subnet has an IGW it is a public subnet. If a subnet has a NAT it is a private subnet.

Solution for your issue:

  1. Create a new subnet.
  2. Create a NAT Gateway. Assign the NAT Gateway to the subnet.
  3. Create an AMI for each of your instances that you need to move to the private subnet and then shut those instances down. Later you can terminate them but wait until you know that the following steps completed correctly.
  4. Launch new EC2 instances from each of the AMIs that you created in step #3.
  5. Verify everything is working. Then terminate the old instances. Your AMIs also serve as backups for those instances.

What helps with your requirement is:

"You can use public IP addresses on your instance and then lock them down with security groups. The risk depends on what type of access is allowed and from where."

John Hanley
  • Or is it okay if I allocate public IPs to my machine and restrict traffic using security groups? What would be the possible risks, if I may ask?! Thanks for the help! – Yasasvee Feb 06 '18 at 13:02
  • You can use public IP addresses on your instance and then lock them down with security groups. The risk depends on what type of access is allowed and from where. – John Hanley Feb 06 '18 at 19:35
  • "If a subnet has a NAT it is a private subnet." The NAT gateway is actually on the public subnet. The route table of the private subnet will direct 0.0.0.0/0 traffic to that NAT gateway. – andresp Jan 21 '19 at 11:24
  • About the last sentence in the answer: according to AWS support, I had problems with the following scenario: (1) I have public instances with an SG; (2) the instances have an ELB each; (3) the ELBs couldn't get access to those public instances even though I added their SG to the ELB SG. Do you know what I can do? – user2503775 Jan 21 '19 at 12:38
  • AWS team member said the ELB cannot recognize the IP behind the SG because it's a public IP – user2503775 Jan 21 '19 at 12:40
  • @user2503775 - please provide more details. Your comment as-is does not make sense. If you have a problem, create a new question with the full details from AWS to provide context. – John Hanley Jan 21 '19 at 20:18
  • 1) Internet gateways (IGW) are attached to a VPC, not to a particular subnet! 2) NATs are created in the public subnet! – human Jun 08 '20 at 10:09
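The following Python audit script is an added example and is not part of the question, the answer or any of the comments. It applies the routing rules discussed above to data shaped like the output of `aws ec2 describe-route-tables`, `describe-subnets` and `describe-instances`: a subnet is public when its effective route table sends 0.0.0.0/0 to an `igw-` target and private when it sends it to a NAT gateway; an IGW only translates a public/Elastic IP, so an instance with a bare private IP in a public subnet has no path out (the asker's situation), while the same host relaunched in a private subnet behind a NAT gateway (the answer's fix) gets egress without inbound exposure; and an internet-facing ALB in the public subnet can still target that host, because targets are reached over private IPs inside the VPC. All records are constructed and every ID and address is invented; the script checks routing only and ignores security groups, NACLs, IPv6 and egress-only gateways.

```python
"""Audit EC2 instances for internet egress and inbound exposure from VPC routing.

Added example: reads data shaped like `aws ec2 describe-route-tables`,
`describe-subnets` and `describe-instances` output. All records below are
constructed and every ID/address is invented. Routing only: SGs, NACLs,
IPv6 and egress-only gateways are ignored.
"""
from __future__ import annotations

VPC = "vpc-0example"
# S1 = public subnet (default route -> IGW), S2 = private subnet (default route ->
# NAT gateway, which itself lives in S1), S3 = no explicit association (main table).
SUBNETS = [
    {"SubnetId": "subnet-s1", "VpcId": VPC},
    {"SubnetId": "subnet-s2", "VpcId": VPC},
    {"SubnetId": "subnet-s3", "VpcId": VPC},
]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-s1"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-s2"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0example", "State": "active"}]},
]
INSTANCES = [
    # I1 as described in the question: public subnet, private IP only.
    {"InstanceId": "i-question", "SubnetId": "subnet-s1", "PrivateIpAddress": "10.0.1.10"},
    # I1 after the answer's fix: relaunched in the private subnet behind the NAT gateway.
    {"InstanceId": "i-fixed", "SubnetId": "subnet-s2", "PrivateIpAddress": "10.0.2.10"},
    # The alternative from the comments: public IP, locked down with a security group.
    {"InstanceId": "i-public", "SubnetId": "subnet-s1", "PrivateIpAddress": "10.0.1.20",
     "PublicIpAddress": "203.0.113.5"},
    # No default route at all: can only talk inside the VPC (or to VPC endpoints).
    {"InstanceId": "i-isolated", "SubnetId": "subnet-s3", "PrivateIpAddress": "10.0.3.10"},
]

def route_table_for(subnet_id: str, tables: list[dict] = ROUTE_TABLES) -> dict:
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise LookupError(f"no route table covers {subnet_id}")
    return main

def default_route_target(rt: dict) -> str | None:
    """Target of the active 0.0.0.0/0 route, or None (a blackholed route counts as none)."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId"):
                if key in r:
                    return r[key]
    return None

def classify_subnet(subnet_id: str) -> str:
    """public = default route to an IGW; private = default route to a NAT gateway,
    NAT instance or ENI; isolated = no default route."""
    target = default_route_target(route_table_for(subnet_id))
    if target is None:
        return "isolated"
    return "public" if target.startswith("igw-") else "private"

def check_instance(inst: dict) -> dict:
    """Routing-level verdict: can the host reach the internet, can the internet reach it?"""
    kind = classify_subnet(inst["SubnetId"])
    has_public_ip = "PublicIpAddress" in inst
    if kind == "public":
        # The IGW only does 1:1 translation for a public/Elastic IP; it does not NAT
        # a bare private address, so without a public IP there is no path either way.
        egress = inbound = has_public_ip
        reason = ("IGW + public IP: egress and inbound both possible, restrict with SGs"
                  if has_public_ip else "IGW but private IP only: no egress, no inbound")
    elif kind == "private":
        egress, inbound = True, False
        reason = "NAT route: outbound via NAT, no unsolicited inbound"
    else:
        egress, inbound = False, False
        reason = "no default route: isolated"
    return {"instance": inst["InstanceId"], "subnet": kind, "egress": egress,
            "inbound_from_internet": inbound, "reason": reason}

def alb_can_target(alb_subnet_ids: list[str], inst: dict, subnets: list[dict] = SUBNETS) -> bool:
    """An internet-facing ALB must sit in public subnets, but it forwards to targets over
    their private IPs via the VPC's local route, so the target may live in a private subnet."""
    vpc_of = {s["SubnetId"]: s["VpcId"] for s in subnets}
    alb_public = all(classify_subnet(sid) == "public" for sid in alb_subnet_ids)
    return alb_public and vpc_of[inst["SubnetId"]] == vpc_of[alb_subnet_ids[0]]

if __name__ == "__main__":
    for inst in INSTANCES:
        v = check_instance(inst)
        print(f"{v['instance']:<11} {v['subnet']:<9} egress={v['egress']!s:<5} "
              f"inbound={v['inbound_from_internet']!s:<5} "
              f"alb_target_ok={alb_can_target(['subnet-s1'], inst)!s:<5} {v['reason']}")
```

To run it against a real account, replace the constructed lists with the parsed JSON from the three `describe-*` calls; the functions only rely on the `Associations`, `Routes`, `SubnetId`, `VpcId` and `PublicIpAddress` fields. The `i-public` row is the trade-off John Hanley mentions: routing lets traffic in both directions, and what the internet can actually reach then depends entirely on the security group rules, which this script deliberately does not evaluate.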