Reputation: 187
Reach Nat instance from NLB
I have the config below on AWS:
- NLB with TCP 443 listner on it
- NAT instance in Target Group under NLB in public subnet with preconfigured iptables on it, the health check is passed
- EC2 instance in private subnet
- Routing table for private subnet uses NLB eni for 0.0.0.0 destination
- Default Security Group accepts all incoming traffic from VPC and it's attached to EC2 and NAT instance
The problem is that I can't reach any external resource from the EC2, the example is below:
telnet 1.1.1.1 443
Trying 1.1.1.1...
telnet: connect to address 1.1.1.1: Connection timed out
I turned Flow Logs on NLB and NAT enis and I see, that request from EC2 is accepted by NLB's eni, but there is no request on NAT's eni. When I change my Routing table to use eni from NAT instance, not NLB, I can reach anything I want. How can I make reach the Internet from EC2 in private subnet using NLB's eni with NAT instance under it?
Upvotes: 2
Views: 1007
Answers (1)
Reputation: 35258
You cannot use an NLB for routing you're limited to NAT Gateway or NAT instance from this perspective.
If you are trying to add resilience or gain performance over multiple nodes you should instead make use of the NAT Gateway.
One of the reasons NAT Gateways exist is they provided a scalable solution, prior to this you were limited to a single NAT instance per route table and the only way to adjust performance was to change instance type.
Upvotes: 1
Related Questions
- Internal NLB won't route to instance X when curl to the NLB DNS from same instance X
- AWS NLB redirect
- Providing internet access to private Ec2 instance using NAT instance
- Connecting AWS NAT GW to the web
- ssh to private ec2 instance behind internet-facing NLB
- Cannot connect to internet-facing NLB forwarding traffic to a private instance
- AWS VPN NAT'ing
- Using a NAT for Public Facing AWS Web Server
- Access Internal AWS Web Server from internet via NAT
- AWS to local network integration