
Appendix. NAT instance

When instances within a private subnet require internet access, a NAT instance serves as a gateway for Network Address Translation (NAT) communications.
The private subnet associated with the route table sends traffic to the NAT instance in the public subnet according to the route policy. The NAT instance then forwards the traffic to the internet gateway. The IP address used for communication with the internet gateway is the public IP address of the NAT instance. Therefore, the NAT instance must be created in a public subnet, have a public IP address associated with it, and be able to communicate with the internet.
The following steps outline how a private subnet uses a NAT instance for internet access via NAT.

[Figure: NAT instance routing]

Step 1. Create subnet and configure route tables

After creating private and public subnets, configure the route tables.

  1. Create private and public subnets. For details, refer to Create and manage subnet.

  2. Configure route tables for the private and public subnets. For details, refer to Create and manage route table.

    [Public subnet] Route Table

    | Destination | Target type | Target name |
    | --- | --- | --- |
    | VPC CIDR IP | Local | Local |
    | 0.0.0.0/0 | Internet gateway | internet gateway ID |

    [Private subnet] Route Table

    | Destination | Target type | Target name |
    | --- | --- | --- |
    | VPC CIDR IP | Local | Local |

Step 2. Configure NAT instance

Create a NAT instance in the public subnet and associate a public IP.

  1. Create an instance to use as a NAT instance in the public subnet.

  2. Associate a public IP with the NAT instance. For details, refer to Create and manage public IP.

  3. Access the NAT instance and configure it as follows. Use the commands below for the operating system of your instance, and customize them for your environment. The example commands do not persist after a reboot; additional configuration is needed for them to persist.

    For Ubuntu 20.04, use the following commands:

    BASH
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo /sbin/iptables -t nat -A POSTROUTING -o {interface} -j MASQUERADE
    | Parameter | Description |
    | --- | --- |
    | {interface} | Replace with the name of the network interface for NAT communication. Example: eth0, enp3s0, etc. |
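
Because the commands above do not persist across a reboot, a check like the following can confirm that IP forwarding and the MASQUERADE rule are still in place on the NAT instance. This is an added example, not part of the original KakaoCloud documentation; the helper name `check_nat_state`, the `--live` argument, the script name, and the sample rules are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample of `iptables -t nat -S POSTROUTING` output (not from a real host).
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# check_nat_state IFACE IP_FORWARD NAT_RULES   (hypothetical helper)
#   IFACE       interface used for {interface} in Step 2
#   IP_FORWARD  value of net.ipv4.ip_forward
#   NAT_RULES   output of `iptables -t nat -S POSTROUTING`
# Prints one finding per line; returns 0 only if both settings are in place.
check_nat_state() {
    local iface="$1" ip_forward="$2" nat_rules="$3" rc=0 dupes

    if [ "$ip_forward" = "1" ]; then
        echo "OK   net.ipv4.ip_forward=1"
    else
        echo "FAIL net.ipv4.ip_forward=${ip_forward:-unset}, packets are not forwarded"
        rc=1
    fi

    # Require an appended rule that masquerades out of exactly this interface.
    if printf '%s\n' "$nat_rules" |
        grep -Eq -- "^-A POSTROUTING( .*)? -o ${iface}( .*)? -j MASQUERADE( |\$)"; then
        echo "OK   MASQUERADE rule present for ${iface}"
    else
        echo "FAIL no MASQUERADE rule for ${iface} in nat/POSTROUTING"
        rc=1
    fi

    # Re-running `iptables -A` (for example from a boot script) appends duplicates.
    dupes=$(printf '%s\n' "$nat_rules" | grep -E -- '-j MASQUERADE' | sort | uniq -d)
    if [ -n "$dupes" ]; then
        echo "WARN duplicate MASQUERADE rules found"
    fi
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    # On the NAT instance, as root: ./check_nat.sh --live eth0
    check_nat_state "${2:?interface name required}" \
        "$(sysctl -n net.ipv4.ip_forward)" "$(iptables -t nat -S POSTROUTING)"
else
    # Offline demonstration against the constructed sample above.
    check_nat_state eth0 1 "$SAMPLE_RULES"
fi
```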

Step 3. Change source/destination check

By default, instances check the source/destination of packets and only receive traffic destined for them. However, a NAT instance needs to send and receive traffic even if it's not the source or destination.
To use an instance for NAT purposes, modify its source/destination checks setting.

  1. From the KakaoCloud Console, select the Virtual Machine.

  2. In the Instance menu, click the [More] icon for the instance to be used as a NAT instance, then select Change source/destination checks.

  3. In the pop-up window, select Disable source/destination checks and click [Done].

    | Setting | Description |
    | --- | --- |
    | Default (Enabled) | Only allows network traffic for the instance's IP/MAC address. Recommended for security. |
    | Disable checks | Allows all traffic for all IP/MAC addresses, forwarding packets according to security group policies. |

Step 4. Set up security group for NAT instance

An instance with source/destination checks disabled can communicate according to the following security group policies.
Configure both inbound and outbound rules in the security group.

Info: If you want to communicate from the private subnet using ports other than HTTP and HTTPS, you need to add all necessary ports to the inbound and outbound rules of the NAT instance's security group.

Inbound rule

Configure the security group to allow traffic to the NAT instance from private subnet instances and SSH access from the administrator network.

| Protocol | Packet source | Port number | Description |
| --- | --- | --- | --- |
| TCP | private subnet CIDR | 80 | Allow inbound HTTP traffic from private subnet instances. |
| TCP | private subnet CIDR | 443 | Allow inbound HTTPS traffic from private subnet instances. |
| TCP | Administrator network's public IP address range | 22 | Allow inbound SSH access to the NAT instance from the administrator network. |

Outbound rule

Configure the security group to allow outbound traffic from the NAT instance to the internet.

| Protocol | Packet destination | Port number | Description |
| --- | --- | --- | --- |
| TCP | 0.0.0.0/0 | 80 | Allow outbound HTTP traffic. |
| TCP | 0.0.0.0/0 | 443 | Allow outbound HTTPS traffic. |

Step 5. Update route table

Update the route table for the private subnet to route traffic through the NAT instance. To update the route table, add an instance route to the route table associated with the private subnet. Refer to Add new route for details.

| Destination | Target type | Target name |
| --- | --- | --- |
| VPC CIDR IP | Local | Local |
| 0.0.0.0/0 | Instance | Instance IP (Instance ID) |