synkyo

Reputation: 440

Unable to get AWS NAT gateway working for API with IP whitelist

Our aim is to get our Elastic Beanstalk setups to route traffic through a NAT gateway, as we require this for certain traffic connecting to APIs that require IP whitelisting. Rather than make modifications to the current setup, I have created a separate/isolated VPC & EC2 instance to familiarise myself with and test the setup. However, I am yet to get the setup working as desired.

Here is the setup

Route Table Setup

10.0.0.0/16     local
0.0.0.0/0       igw-4d4b212a

With the above setup, I am able to log into the server and make a curl request to get the server's public IP address (curl icanhazip.com). As soon as I add a rule to the route table for the URL's resolved IPs to route through the NAT gateway, though, I am unable to ping or make the curl request, as it times out.

Rules added to route table which do not work

45.63.64.111/32     nat-00bb49204627de7e6
144.202.71.30/32    nat-00bb49204627de7e6

Not sure if I've overlooked something here or maybe I have misunderstood the concept and use cases for the NAT gateway?

Upvotes: 1

Views: 3893

Answers (2)

chris

Reputation: 37480

It seems like you have misunderstood the purpose of a NAT.

Its purpose is to provide outbound internet access to instances in a private subnet without allowing any inbound connectivity - i.e. a subnet where the routing table does NOT have an entry for:

0.0.0.0/0       igw-4d4b212a

If you want to restrict access from your EC2 instance to specific IP addresses, put your NAT in the public subnet, create a private subnet, and put your instance in the private subnet. Then add the two routes to the route table associated with the private subnet:

45.63.64.111/32     nat-00bb49204627de7e6
144.202.71.30/32    nat-00bb49204627de7e6

If you simply want to restrict access of your EC2 instance to a couple of IP addresses, you can create routes for only those addresses:

45.63.64.111/32     igw-4d4b212a
144.202.71.30/32    igw-4d4b212a

Be aware that with this last option, your instance can be reached from the internet if you have rules open in your security groups.

Upvotes: 2

Aniket Chopade

Reputation: 841

45.63.64.111 is a public IP. You need an IGW to reach this traffic.

  1. You either do that by directly redirecting your traffic to IGW OR
  2. You do that by directing to NAT then further directing that traffic to IGW

The directing-to-IGW part is missing.

A NAT gateway is used for EC2 instances in private subnets (which do not have an IGW attached). In the scenario above, the EC2 instance is in a public subnet, so ideally it does not need NAT.

Here is what I would do to use NAT:

  1. Place the EC2 instance in a private subnet, and have a route table that sends all outgoing traffic to the NAT gateway.
  2. The NAT gateway, which is in the public subnet, will forward your traffic to the IGW.

Upvotes: 2
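As an added illustration of both answers (example code, not from either answerer or from AWS): a small Python model of VPC route-table lookup, tracing a packet from the instance's subnet through the NAT gateway's subnet. The route tables are constructed for this example and reuse the target ids quoted in the thread; the questioner's single public-subnet table sits beside the two-subnet layout chris and Aniket describe.

```python
import ipaddress

# Constructed route tables; the igw-/nat- ids are the ones quoted in the thread.
ASKER_RT = [                      # the questioner's single public-subnet table
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-4d4b212a"),
    ("45.63.64.111/32", "nat-00bb49204627de7e6"),
    ("144.202.71.30/32", "nat-00bb49204627de7e6"),
]
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-4d4b212a")]  # subnet holding the NAT gateway
PRIVATE_RT = [                    # subnet holding the instance, as chris describes it
    ("10.0.0.0/16", "local"),
    ("45.63.64.111/32", "nat-00bb49204627de7e6"),
    ("144.202.71.30/32", "nat-00bb49204627de7e6"),
]


def lookup(route_table, dst):
    """Longest-prefix match as a VPC route table applies it: a /32 beats 0.0.0.0/0."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def check_nat_egress(instance_rt, nat_subnet_rt, dst):
    """Return (ok, detail) for traffic from the instance to dst that should leave via the NAT."""
    # chris: a NAT serves a private subnet, i.e. one with no igw route at all.
    if any(t.startswith("igw-") for _, t in instance_rt):
        return False, "instance subnet is public (has an igw route); NAT is for private subnets"
    first_hop = lookup(instance_rt, dst)
    if first_hop is None:
        return False, f"no route to {dst}: the private subnet reaches only the whitelisted IPs"
    if first_hop == "local":
        return True, f"{dst} is inside the VPC"
    if not first_hop.startswith("nat-"):
        return False, f"{dst} is not routed via the NAT gateway ({first_hop})"
    # Aniket: the NAT gateway's own subnet must still route the destination to the IGW.
    second_hop = lookup(nat_subnet_rt, dst)
    if second_hop is None or not second_hop.startswith("igw-"):
        return False, "NAT gateway subnet has no igw route, so the NAT cannot reach the internet"
    return True, f"{first_hop} -> {second_hop}"


if __name__ == "__main__":
    for name, rt in (("asker", ASKER_RT), ("private", PRIVATE_RT)):
        print(name, check_nat_egress(rt, PUBLIC_RT, "45.63.64.111"))
```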
