Appendix. NAT instance
When instances within a private subnet require internet access, a NAT instance serves as a gateway for Network Address Translation (NAT) communications.
The private subnet associated with the route table transmits traffic to the public subnet's NAT instance according to the route policy. The NAT instance then forwards the traffic to the internet gateway. The IP address used for communication with the internet gateway is the public IP address of the NAT instance. Therefore, the NAT instance must be created in a public subnet, have a public IP address associated with it, and be able to communicate with the internet.
Below outlines how a private subnet utilizes a NAT instance for internet access via NAT.
NAT instance routing
Step 1. Create subnet and configure route tables
After creating private and public subnets, configure the route tables.
- Create private and public subnets. For details, refer to Create and manage subnet.
- Configure route tables for the private and public subnets. For details, refer to Create and manage route table.

[Public subnet] Route Table

Destination | Target type | Target name |
---|---|---|
VPC CIDR IP | Local | Local |
0.0.0.0/0 | Internet gateway | internet gateway ID |

[Private subnet] Route Table

Destination | Target type | Target name |
---|---|---|
VPC CIDR IP | Local | Local |
Step 2. Configure NAT instance
Create a NAT instance in the public subnet and associate a public IP.
- Create an instance to use as a NAT instance in the public subnet.
- Associate a public IP with the NAT instance. For details, refer to Create and manage public IP.
- Access the NAT instance and configure it as follows. Depending on the operating system of your instance, use the commands below, customized to your environment. The example commands do not persist after a reboot; additional configuration is needed for them to survive a reboot.
For Ubuntu 20.04, use the following commands:

```bash
sudo sysctl -w net.ipv4.ip_forward=1
sudo /sbin/iptables -t nat -A POSTROUTING -o {interface} -j MASQUERADE
```

For CentOS 8, use the following commands:

```bash
sudo sysctl -w net.ipv4.ip_forward=1
sudo yum install -y iptables
sudo iptables -t nat -A POSTROUTING -o {interface} -j MASQUERADE
```

Parameter | Description |
---|---|
{interface} | Replace with the name of the network interface used for NAT communication. Example: `eth0`, `enp3s0`, etc. |
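The commands above masquerade everything leaving the interface and are lost on reboot. The script below is an added example, not KakaoCloud's own configuration: it limits masquerading and forwarding to the private subnet's CIDR (tighter than the page's rule), applies each rule only if it is not already present, and persists both the sysctl setting and the ruleset. PRIVATE_CIDR, NAT_IFACE and the restore-file paths (iptables-persistent on Ubuntu, iptables-services on CentOS) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the KakaoCloud docs): NAT instance rules restricted
# to the private subnet, applied idempotently and persisted across reboots.
# Assumed values: PRIVATE_CIDR (private subnet CIDR) and NAT_IFACE.
set -eu

PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.1.0/24}"   # assumed private subnet CIDR
NAT_IFACE="${NAT_IFACE:-eth0}"                 # interface holding the public IP

# Masquerade only packets that originate in the private subnet, so the
# instance never translates traffic for arbitrary sources.
nat_rule() {
  printf 'POSTROUTING -s %s -o %s -j MASQUERADE' "$1" "$2"
}

# Forwarding: new connections only from the private subnet outward; replies
# back in only when conntrack already knows the flow.
forward_rules() {
  printf 'FORWARD -s %s -o %s -j ACCEPT\n' "$1" "$2"
  printf 'FORWARD -d %s -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$1" "$2"
}

# Append a rule to a table unless iptables -C reports it already exists.
apply_rule() {
  local table="$1"; shift
  # word-splitting of the rule spec is intended here
  iptables -t "$table" -C $@ 2>/dev/null || iptables -t "$table" -A $@
}

# Enable forwarding now and on boot through a sysctl drop-in file.
enable_ip_forward() {
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-nat-instance.conf
  sysctl -q --system
}

# Save the ruleset where the distribution's restore service reads it
# (assumed: /etc/iptables/rules.v4 on Ubuntu, /etc/sysconfig/iptables on CentOS).
persist_rules() {
  if [ -d /etc/iptables ]; then iptables-save > /etc/iptables/rules.v4
  else iptables-save > /etc/sysconfig/iptables; fi
}

apply_all() {
  enable_ip_forward
  apply_rule nat $(nat_rule "$PRIVATE_CIDR" "$NAT_IFACE")
  forward_rules "$PRIVATE_CIDR" "$NAT_IFACE" | while read -r spec; do apply_rule filter $spec; done
  persist_rules
}

# Only modify the system when explicitly requested (run as root): NAT_APPLY=1 ./nat.sh
[ "${NAT_APPLY:-0}" = "1" ] && apply_all || true
```

Run it once with NAT_APPLY=1 as root; re-running it is safe because existing rules are detected with `iptables -C` rather than appended again.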
Step 3. Change source/destination check
By default, instances check the source/destination of packets and only receive traffic destined for them. However, a NAT instance needs to send and receive traffic even if it's not the source or destination.
To use an instance for NAT purposes, modify its source/destination checks setting.
- From the KakaoCloud Console, select the Virtual Machine.
- In the Instance menu, click the [More] icon for the instance to be used as a NAT instance, then select Change source/destination checks.
- In the pop-up window, select Disable source/destination checks and click [Done].

Setting | Description |
---|---|
Default (Enabled) | Only allows network traffic for the instance's IP/MAC address. Recommended for security. |
Disable checks | Allows all traffic for all IP/MAC addresses, forwarding packets according to security group policies. |
Step 4. Set up security group for NAT instance
When using an instance with source/destination checks disabled, it can communicate according to the following security group policies.
Configure both inbound and outbound rules in the security group.
If you want to communicate from the private subnet using ports other than HTTP and HTTPS, you need to add all necessary ports to the inbound and outbound rules of the NAT instance's security group.
Inbound rule
Configure the security group to allow traffic to the NAT instance from private subnet instances and SSH access from the administrator network.
Protocol | Packet source | Port number | Description |
---|---|---|---|
TCP | private subnet CIDR | 80 | Allow Inbound traffic for HTTP from private subnet instances. |
TCP | private subnet CIDR | 443 | Allow Inbound traffic for HTTPS from private subnet instances. |
TCP | Administrator network's Public IP address range | 22 | Allow inbound SSH access to the NAT instance from the administrator network. |
Outbound rule
Configure the security group to allow Outbound traffic for the NAT instance to access the internet.
Protocol | Packet Destination | Port number | Description |
---|---|---|---|
TCP | 0.0.0.0/0 | 80 | Allow outbound HTTP traffic. |
TCP | 0.0.0.0/0 | 443 | Allow outbound HTTPS traffic. |
Step 5. Update route table
Update the route table for the private subnet to route traffic through the NAT instance. To update the route table, add an instance route to the route table associated with the private subnet. Refer to Add new route for details.
Destination | Target type | Target name |
---|---|---|
VPC CIDR IP | Local | Local |
0.0.0.0/0 | Instance | Instance IP (Instance ID) |