Skip to main content

Appendix. NAT instance

When instances within a private subnet require internet access, a NAT instance serves as a gateway for Network Address Translation (NAT) communications.
the private subnet associated with the route table transmits traffic to the public subnet's NAT instance according to the route policy. NAT instance then forwards the traffic to the internet gateway. The IP address used for communication with the internet gateway is the public IP address of the NAT instance. Therefore, the NAT instance must be created in a public subnet, have a public IP address associated with it, and be able to communicate with the Internet.
Below outlines how a private subnet utilizes a NAT instance for internet access via NAT.

NAT instance Routing NAT instance routing

Step 1. Create subnet and configure route tables

After creating private and public subnets, configure the route tables.

  1. Create private and public subnets. For details, refer to Create and manage subnet.

  2. Configure route tables for the private and public subnets. For details, refer to Create and manage route table.

    [Public subnet] Route Table
    DestinationTarget typeTarget name
    VPC CIDR IPLocalLocal
    0.0.0.0/0Internet gatewayinternet gateway ID
    [Private subnet] Route Table
    DestinationTarget typeTarget name
    VPC CIDR IPLocal     Local

Step 2. Configure NAT instance

Create a NAT instance in the public subnet and associate a public IP.

  1. Create an instance to use as a NAT instance in the public subnet.

  2. Associate a public IP with the NAT instance. For details, refer to Create and manage public IP.

  3. Access the NAT instance and configure as follows: Depending on the operating system of your instance, use the commands below. Make sure to customize the commands according to your environment. The example commands won't persist after a reboot, additional configuration is needed for them to persist after reboot.

    For Ubuntu 20.04, use the following commands:

    BASH
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo /sbin/iptables -t nat -A POSTROUTING -o {interface} -j MASQUERADE
    ParameterDescription
    {interface}Replace with the name of the Network Interface for NAT communication.
    - Example: eth0, enp3s0, etc.

Step 3. Change source/destination check

By default, instances check the source/destination of packets and only receive traffic destined for them. However, a NAT instance needs to send and receive traffic even if it's not the source or destination.
To use an instance for NAT purposes, modify its source/destination checks setting.

  1. From the KakaoCloud Console, select the Virtual Machine.

  2. In the Instance menu, click the [More] icon for the instance to be used as a NAT instance, then select Change source/destination checks.

  3. In the pop-up window, select Disabled and click [Close].

    info

    The default setting for Source/destination check is Enabled, and this setting allows only the network traffic from the instance's IP/MAC address, ensuring secure network traffic protection. When changed to Disabled, traffic from all IP/MAC addresses is allowed, and packets are forwarded according to the security group policy.

Step 4. Set up security group for NAT instance

When using an instance with source/destination checks disabled, it can communicate according to the following security group policies.
Configure both inbound and outbound rules in the security group.

info

If you want to communicate from the private subnet using ports other than HTTP and HTTPS, you need to add all necessary ports to the inbound and outbound rules of the NAT instance's security group.

Inbound rule

Configure the security group to allow traffic for NAT instance from private subnet instances and for SSH access from the administrator network.

ProtocolPacket sourcePort numberDescription
TCPprivate subnet CIDR80Allow Inbound traffic for HTTP from private subnet instances.
TCPprivate subnet CIDR443     Allow Inbound traffic for HTTPS from private subnet instances.
TCPAdministrator network's Public IP address range22Allow inbound SSH access to the NAT instance from the administrator network.

Outbound rule

Configure the security group to allow Outbound traffic for the NAT instance to access the internet.

ProtocolPacket DestinationPort numberDescription
TCP0.0.0.0/080Allow outbound HTTP traffic.
TCP0.0.0.0/0      443     Allow outbound HTTPS traffic.

Step 5. Update route table

Update the route table for the private subnet to route traffic through the NAT instance. To update the route table, add an instance route to the route table associated with the private subnet. Refer to Add new route for details.

DestinationTarget typeTarget name
VPC CIDR IPLocalLocal
0.0.0.0/0Instance     Instance IP(Instance ID)