appendix. using nat instances

When instances in a private subnet need to communicate with the internet, you can use a NAT instance for NAT communication.
The private subnet, connected to the routing table, sends traffic to the NAT instance in the public subnet based on the routing policy. The NAT instance then forwards the traffic to the internet gateway. The IP used for communication with the internet gateway is the NAT instance's public IP. Therefore, the NAT instance must be created in a public subnet, with a public IP attached and internet access enabled.
The method for using a NAT instance to communicate with the internet from a private subnet is as follows.

Image. NAT instance routing path NAT instance routing path

Step 1. create subnet and configure route tables

Create private and public subnets, and configure the routing tables.

Create private and public subnets. For detailed instructions, refer to Create and manage subnets.
Configure the routing tables for the private and public subnets. Ensure that the subnets are correctly connected to the routing tables based on their use. For detailed instructions, refer to Create and manage route tables.

[Public Subnet] Route Table

Destination Target Type Target Name
VPC CIDR IP Local Local
0.0.0.0/0 Internet Gateway Internet Gateway ID

[Private Subnet] Route Table

Destination Target Type Target Name
VPC CIDR IP Local Local

Step 2. configure nat instance

Create a NAT instance in the public subnet and attach the public IP.

Create an instance in the public subnet that will be used as the NAT instance.
Attach a public IP to the NAT instance. For detailed instructions, refer to Create and manage public IPs.
Connect to the NAT instance and configure it as follows. The commands differ based on the operating system of the instance. Check the tabs below and follow the appropriate commands for your environment. The example commands will not persist after a reboot. If you want these settings to remain after rebooting, additional configurations are required.
- Ubuntu
- CentOS
For Ubuntu 20.04, use the following commands:
BASH
sudo sysctl -w net.ipv4.ip_forward=1 sudo /sbin/iptables -t nat -A POSTROUTING -o {interface} -j MASQUERADE
For CentOS8, use the following commands:
BASH
sudo sysctl -w net.ipv4.ip_forward=1 sudo yum install -y iptables sudo iptables -t nat -A POSTROUTING -o {interface} -j MASQUERADE
Parameter Description
{interface} Replace with the network interface name used for NAT communication
- Example: eth0, enp3s0, etc.

Parameter	Description
`{interface}`	Replace with the network interface name used for NAT communication - Example: `eth0`, `enp3s0`, etc.

Step 3. Modify allowed IPs for packet forwarding

By default, an instance checks the source and destination of the traffic and only receives traffic that has itself as the destination. However, a NAT instance should be able to send and receive traffic even if the source and destination are not itself.
You can configure the instance as a NAT instance using the Modify Allowed IPs for Packet Forwarding feature.

Go to the Virtual Machine menu in the KakaoCloud Console.
In the Instances tab, select the [More Options] icon for the instance to be used as the NAT instance and choose Modify Allowed IPs for Packet Forwarding.
In the Modify Allowed IPs for Packet Forwarding popup, select the network interface, and enter and add 0.0.0.0/0 in the input box, then click [Apply].

info

By default, network interfaces only allow traffic to and from their own IP/MAC address for security reasons. By adding IP addresses or CIDR blocks through the Modify Allowed IPs for Packet Forwarding feature, traffic from those IP addresses will be allowed, and packets will be forwarded according to security group policies.

Step 4. Set up security group for NAT instance

When using an instance with the Modify Allowed IPs for Packet Forwarding setting, you can communicate based on the following security group policies.
Configure the inbound and outbound rules for the security group as follows.

info

If you want to communicate using ports other than HTTP and HTTPS in the private subnet, you need to add the ports to the inbound and outbound rules in the NAT instance's security group.

Inbound rules

The NAT instance should receive packets from instances in the private subnet and forward them to the internet, while also allowing system administrators to access it via SSH. The inbound security group rules are configured as follows:

Protocol	Source IP Range	Port Number	Description
TCP	Private subnet CIDR	80	Allow inbound HTTP traffic from private subnet instances
TCP	Private subnet CIDR	443	Allow inbound HTTPS traffic from private subnet instances
TCP	Public IP range of the administrator's network	22	Allow inbound SSH access to the NAT instance from the administrator's network

Outbound rules

To allow traffic from the NAT instance to the internet, configure the outbound security group rules as follows:

Protocol	Destination IP Range	Port Number	Description
TCP	0.0.0.0/0	80	Allow outbound HTTP traffic
TCP	0.0.0.0/0	443	Allow outbound HTTPS traffic

Step 5. Update route table

Update the route table for the private subnet to send traffic to the NAT instance. To update the route table, you need to add an instance route to the route table connected to the private subnet. For more details, refer to Add Route.

Destination	Target Type	Target Name
VPC CIDR IP	Local	Local
0.0.0.0/0	Instance	Instance IP (Instance ID)

Step 1. create subnet and configure route tables​

[Public Subnet] Route Table​

[Private Subnet] Route Table​

Step 2. configure nat instance​

Step 3. Modify allowed IPs for packet forwarding​

Step 4. Set up security group for NAT instance​

Inbound rules​

Outbound rules​

Step 5. Update route table​