soupybionics

Reputation: 4386

Amazon Web Services VPC setup


I am a bit confused about the above setup. As per my understanding, inside the public subnet there are four instances (3 web servers + 1 NAT). How come they all have public (elastic) IP addresses? Why would the web servers have public IP addresses? Shouldn't they be accessible via the NAT instance? I mean everything (inbound or outbound) should go via the NAT instance, right? Does it mean there is a direct path between the web servers and the outside world bypassing the NAT? What am I missing here? Are the "Router" and "Internet Gateway" also EC2 instances?

Upvotes: 1

Views: 830

Answers (3)

mootmoot

Reputation: 13176

It is a murky picture if you are new to AWS. I will add a little more info beside @Matt Houser's answer. The main reason for such a diagram is that there is a limitation inside the VPC that causes this.

You must know this: AWS VPC is NOT your typical brick-and-mortar setup, where you can freely move around and change the IP address, resource addresses, etc.

  • You want to isolate your web server service traffic from the NAT gateway/NAT instance traffic.
  • AWS NAT gateway IS NOT FREE. But it is much easier to set up. It is charged by active connection hours and per GB of traffic. Once configured, you cannot shut them down temporarily to save cost. Once you terminate it, the route table setting is gone; you need to create a script to rebuild it (not very complicated actually).
  • AWS NAT instance IS NOT FREE either. It is an appliance loaded with NAT configuration, running under an EC2 instance (typical EC2 charges). Though you can shut it down and only pay a little EBS cost when you are not using it.
  • Due to the way that a NAT instance is configured (as mentioned above, this is not your typical network), servers sharing the same subnet with the NAT instance CANNOT use it to connect to the internet. Unless 1. you build your own NAT server with another EC2, or 2. you create yet another public subnet, put the NAT instance in there, so both the private and the web public subnet route tables can point to the NAT instance-id.
  • 1 VPC is limited to 5 EIPs (you may request a limit increase); AWS recommends you use NAT for private subnets if the EIPs are exhausted.

A public subnet will have a route table entry pointing to the internet gateway, i.e. 0.0.0.0/0 -> igw-id

A private subnet is one without the above entry.

(UPDATE) @Michael - sqlbot pointed out my mistake: I just mixed up NAT-Gateway with NAT-instance. They are different, but the route table limitation still applies. This is the amended info:

So if you want to connect your private subnet (say subnet X) through AWS NAT, you need to create the NAT-Gateway or NAT-Instance.

In the route table associated with subnet X (route table X), make the default route point like this:
0.0.0.0/0 -> NAT-gateway-ID/NAT-instance-ID

But the NAT-gateway must find a way to connect to the internet, so it must reside in a public subnet (subnet Y) with a route table (route table Y) like this: 0.0.0.0/0 -> NAT-gateway-ID/NAT-instance-ID

As you can see, when an EC2 instance resides in the same subnet as the NAT gateway, it is impossible to change route table Y to make some "creative route". This will NOT work:
0.0.0.0/0 -> Internet-Gateway-ID
0.0.0.0/0 -> NAT-gateway-ID/NAT-instance-ID

And YOU CANNOT DO THIS for route table Y either:
NAT-gateway-ID/NAT-instance-ID -> Internet-Gateway-ID
0.0.0.0 -> NAT-gateway-ID/NAT-instance-ID

Thus, those EC2 instances can only use EIPs (besides the traffic isolation issues).

Here are the references for NAT gateway and NAT instance:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html

Which one to use? It all depends on usage, ease of maintenance and cost. The VPC NAT gateway is much easier to set up, but may not be cost effective for infrequent usage. For the per-GB traffic charges, it is difficult to judge whether you should get a NAT instance, because high traffic means you need a better EC2 instance, and the cost may end up closer to using a NAT gateway.

Upvotes: 1

Matt Houser

Reputation: 36093

Internet Gateway

The Internet Gateway is not an EC2 instance. It is a component that you add to your VPC.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

Its function is to provide access to/from the internet for VPC public subnets.

Router

You won't find an actual component for this. It's simply a fake item used in the diagrams to represent the various route tables that you can create.

Public Subnet

A public subnet is a subnet which has an Internet Gateway directly attached to it. Basically it means that it has a direct connection to the internet.

Any EC2 instance that lives inside a public subnet will be able to:

  1. Make outgoing connections to the internet, and
  2. Receive incoming connections from the internet.

But in order to do either of these, it must have a public IP address. This can be an auto-assigned public IP address or an Elastic IP address.

NAT

This can be a NAT Instance (EC2 instance you run), or a NAT Gateway (component provided by AWS).

NATs are kind of similar to an Internet Gateway, except that they do not provide inbound connections.

The purpose of a NAT is to provide outbound internet access for private subnets. It helps private subnets reach the internet, but the NAT itself must reside in a public subnet (so that it can itself access the internet using the Internet Gateway).

Private Subnet

A private subnet is a VPC subnet which does not have direct access to the internet. It's used to protect components from outsiders. Items that could be put in private subnets include (but are not limited to):

  • databases
  • worker instances
  • web servers that use other components to direct traffic to them (such as an Elastic Load Balancer)
  • other private servers

In your diagram, if the database servers will ever need to make outbound connections to the internet, then those connections are sent through the NAT.

Final Notes

To directly answer your questions:

How come they all have public (elastic) IP addresses?

Because, in this case, they all need direct access to the internet.

Shouldn't they be accessible via the NAT instance?

No. Incoming connections to the web servers will come through the Internet Gateway. The NAT is purely there for the benefit of the private subnets.

I mean everything (inbound or outbound) should go via the NAT instance, right?

No. Only outbound connections from the private subnet will use the NAT. Nothing else.

Does it mean there is a direct path between the webservers and the outside world bypassing the NAT?

Yes.

Are the "Router" and "Internet Gateway" also EC2 instances?

No.

The router represents something that's going on inside AWS using your VPC's route tables. There is no component for this aside from the route tables.

The Internet Gateway is an AWS component that you add to your VPC.

Upvotes: 5
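The route-table rules described in mootmoot's and Matt Houser's answers (one route per destination CIDR, public subnet = default route to an IGW, NAT only forwards outbound and must itself sit in a public subnet, an instance behind an IGW needs its own public IP) can be checked mechanically. The following is an added illustration written for this page, not code from either answer or from AWS; every subnet, route table, IGW and NAT id is a constructed placeholder.

```python
import ipaddress

# Constructed sample VPC (ids are placeholders, not real AWS resources).
ROUTE_TABLES = {
    "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
}
SUBNETS = {"web": "rtb-public", "db": "rtb-private"}   # subnet -> route table
NAT_HOME = {"nat-EXAMPLE": "web"}                        # NAT -> subnet hosting it

def add_route(table, cidr, target):
    """Mirror the VPC rule: a table holds one route per destination CIDR,
    so '0.0.0.0/0 -> igw' and '0.0.0.0/0 -> nat' cannot coexist."""
    if any(c == cidr for c, _ in ROUTE_TABLES[table]):
        raise ValueError(f"{table} already has a route for {cidr}")
    ROUTE_TABLES[table].append((cidr, target))

def lookup(table, dst):
    """Longest-prefix match over a route table; returns the target id or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), t) for c, t in ROUTE_TABLES[table]]
    hits = [(n, t) for n, t in hits if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def is_public(subnet):
    """Public subnet: its route table sends 0.0.0.0/0 to an Internet Gateway."""
    return any(c == "0.0.0.0/0" and t.startswith("igw-")
               for c, t in ROUTE_TABLES[SUBNETS[subnet]])

def egress_path(subnet, has_public_ip, dst="198.51.100.7"):
    """Path an instance in `subnet` takes to reach dst, or None if it cannot."""
    target = lookup(SUBNETS[subnet], dst)
    if target == "local":
        return "local"
    if target and target.startswith("igw-"):
        # The IGW only carries traffic for instances that own a public/Elastic IP.
        return "igw" if has_public_ip else None
    if target and target.startswith("nat-"):
        # The NAT can only forward onward if it lives in a public subnet.
        return "nat->igw" if is_public(NAT_HOME[target]) else None
    return None

def ingress_allowed(subnet, has_public_ip):
    """Inbound from the internet needs IGW + public IP; a NAT never forwards inbound."""
    return is_public(subnet) and has_public_ip
```

Moving the NAT's home subnet to the private subnet (NAT_HOME["nat-EXAMPLE"] = "db") makes egress_path("db", False) return None, which is the misconfiguration Matt Houser's answer warns about.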

Vladimir Mukhin

Reputation: 565

The main idea of a public subnet is that it should be available from the outside world. If you want to have a web server and serve traffic, you should have it in a public subnet and have a white (public) IP attached to it. (In AWS you can also use an elastic load balancer.)

NAT stands for Network Address Translation. It's required if you want your servers to have an internet connection (in order to download software updates, for example) without being exposed to the outside world, i.e. private instances.

All these concepts are described in the "Multitier architecture" approach. Take a look at this article to make things clearer: https://en.wikipedia.org/wiki/Multitier_architecture

Upvotes: 0
