In this case, you have a few specific requirements: to allow instances in a private subnet to initiate outbound IPv4 traffic to the Internet, and to use the same NAT device as a bastion server. In this article, we will focus on these particular requirements.
You can use a NAT device to allow instances in private subnets to connect to the internet, while those instances still cannot receive unsolicited inbound connection requests.
There are two options here: NAT gateway or NAT instance.
A NAT gateway is managed by AWS. A NAT instance is your own NAT device running on an EC2 instance.
You cannot use a NAT gateway as a bastion server, but you can use a NAT instance as one. So, for our current use case, we will choose a NAT instance.
Internet traffic from the instances in the private subnet is routed to the NAT instance, which then communicates with the internet on their behalf. Therefore, the NAT instance itself must have internet access: it must be in a public subnet and it must have a public IP address or an Elastic IP address.
To set up the NAT instance, follow the AWS guide: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
NAT instance as Bastion Server
To use the NAT instance as a bastion server, update the NATSG security group rules to allow inbound and outbound ICMP traffic and outbound SSH traffic, launch an instance into your private subnet, configure SSH agent forwarding to access instances in your private subnet, connect to your instance, and then test the internet connectivity. The guide linked above gives the details of each step.
Updating the main route table
The private subnet in your VPC is not associated with a custom route table, so it uses the main route table. By default, the main route table only enables the instances in your VPC to communicate with each other. You must add a route that sends all other traffic from the subnet to the NAT instance. The guide linked above gives the details.
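The two steps above (the NATSG rule changes for the bastion role, and the main route table update) written out as AWS CLI commands. This is an added example, not part of the article or of the AWS guide it links. Every ID, CIDR and IP in it is a constructed placeholder: the security group sg-0123456789abcdef0, the NAT instance i-0123456789abcdef0, the main route table rtb-0123456789abcdef0, 10.0.1.0/24 for the private subnet, 203.0.113.0/24 for your admin network and 198.51.100.10 for the NAT instance's Elastic IP; `ec2-user` assumes an Amazon Linux AMI. The rules are scoped to the admin network and the private subnet rather than 0.0.0.0/0, so the bastion can only ping and SSH where it actually needs to. Setting AWS=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the article's or AWS's own code): AWS CLI calls that turn
# the NAT instance into a bastion and point the main route table at it.
# All IDs, CIDRs and addresses are constructed placeholders; replace them.
# AWS=echo makes every function print its command instead of executing it.
AWS="${AWS:-aws ec2}"          # expanded unquoted on purpose: "aws ec2 <subcommand>"
SSH="${SSH:-ssh}"

NAT_SG="${NAT_SG:-sg-0123456789abcdef0}"              # the NATSG security group (placeholder)
NAT_INSTANCE="${NAT_INSTANCE:-i-0123456789abcdef0}"   # the NAT instance (placeholder)
MAIN_RTB="${MAIN_RTB:-rtb-0123456789abcdef0}"         # the VPC's main route table (placeholder)
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.1.0/24}"           # private subnet (placeholder)
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"            # your admin network (placeholder, TEST-NET-3)
NAT_PUBLIC_IP="${NAT_PUBLIC_IP:-198.51.100.10}"       # NAT instance Elastic IP (placeholder, TEST-NET-2)

# Step 1: NATSG rules for the bastion role, scoped as narrowly as the use case allows.
bastion_sg_rules() {
  # inbound ICMP from the admin network only, so you can ping the NAT instance
  $AWS authorize-security-group-ingress --group-id "$NAT_SG" \
      --protocol icmp --port -1 --cidr "$ADMIN_CIDR"
  # outbound ICMP to the private subnet, to test reachability of private instances
  $AWS authorize-security-group-egress --group-id "$NAT_SG" \
      --protocol icmp --port -1 --cidr "$PRIVATE_CIDR"
  # outbound SSH only to the private subnet: the bastion must not SSH anywhere else
  $AWS authorize-security-group-egress --group-id "$NAT_SG" \
      --protocol tcp --port 22 --cidr "$PRIVATE_CIDR"
}

# Step 2: the main route table sends all non-local traffic (0.0.0.0/0) to the NAT instance.
# A NAT instance forwards packets not addressed to itself, so EC2's source/destination
# check must be disabled on it (a requirement from the linked AWS NAT instance guide).
main_route_via_nat() {
  $AWS modify-instance-attribute --instance-id "$NAT_INSTANCE" --no-source-dest-check
  $AWS create-route --route-table-id "$MAIN_RTB" \
      --destination-cidr-block 0.0.0.0/0 --instance-id "$NAT_INSTANCE"
}

# Step 3: reach a private instance through the bastion with SSH agent forwarding (-A),
# after `ssh-add my-key.pem` has loaded the key into the local agent.
# Usage: ssh_via_bastion 10.0.1.5
ssh_via_bastion() {
  $SSH -A "ec2-user@$NAT_PUBLIC_IP" ssh "ec2-user@$1"
}

# Apply only when explicitly asked, so sourcing the file changes nothing.
if [ "${1:-}" = "apply" ]; then
  bastion_sg_rules
  main_route_via_nat
fi
```

Run `AWS=echo sh nat-bastion.sh apply` first to review the exact calls, then again without the override. Two caveats for the bastion role: the NATSG changes widen what the NAT instance is allowed to do, so keep the inbound SSH and ICMP rules pinned to your admin network's CIDR rather than opening them to the world, and remember that SSH agent forwarding gives the bastion use of your local agent socket while the session is open. OpenSSH's ProxyJump option (`ssh -J`) reaches the private instance through the bastion without that exposure, if your client supports it.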
That’s all! Hope you enjoyed this article!
References
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
If you find any significant errors or want to give me some feedback, feel free to contact me at maliksanjoykumar[@]gmail.com.
Sanjoy Kumar Malik is an experienced software architect and technologist. He is passionate about Cloud Computing, Software Architecture, and System Design. Apart from technology and software, he is an avid LinkedIn networker. You can join his 5.5+ lacs supporters on LinkedIn.