AWS: NAT Gateway in public subnet. Why?


A NAT Gateway (as well as a NAT Instance, for what it's worth) must be in a public subnet because only devices on public subnets can actually use a public IP address.

That's what makes a public subnet a public subnet.

The pedantic definition of a public subnet is a subnet whose associated VPC route table has at least one route pointing to the Internet Gateway... but in practice, it's usually a subnet with its default route (in the VPC route table) pointing to the Internet Gateway.

By contrast, a private subnet is a subnet without such a route. Usually, the default route for a private subnet points to a NAT device, though it could point to a hardware VPN or Direct Connect connection.

If a NAT device isn't on a public subnet, it (by definition) has no routes by which the traffic it has translated can reach the Internet, because its outgoing traffic follows the route table for the subnet on which it is located... so the subnet the NAT Gateway is placed on -- again, by definition -- must be a public subnet.

There is no security implication of placing a NAT Gateway on a public subnet, since incoming connection attempts are never accepted under any circumstances. This is something you can't misconfigure.

If you're thinking in LAN terms, the natural assumption is that a NAT device needs to be "on" at least 2 subnets, the external (public addresses) subnet and the internal (private addresses) subnet -- but the VPC network is not the LAN it appears to be. It's a software-defined layer 3 network that emulates Ethernet very cleanly, but it isn't Ethernet.

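The answer's definitions (a subnet is public when its effective route table has a route to an Internet Gateway; a NAT device only works if the subnet it sits in is public) can be turned into an offline check. The following Python is an added example, not part of the original answer; it reads dictionaries shaped like boto3's `describe_route_tables` and `describe_nat_gateways` responses, and the VPC, subnet and gateway IDs in the sample data are constructed values, not real resources. It also resolves the VPC main route table for subnets with no explicit association, which is the case asked about in the comments below.

```python
"""Classify VPC subnets as public/private and verify NAT Gateway placement.

Added example (not from the original post). Input dictionaries mimic the
shape of boto3's describe_route_tables / describe_nat_gateways responses;
all IDs below are made-up sample values so the check runs offline.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample: a public subnet, a private subnet that falls back to
# the main route table, one correctly placed NAT Gateway and one misplaced
# in the private subnet (routing from it would go nowhere).
SAMPLE_ROUTE_TABLES = [
    {   # main table: implicit association for subnets without their own
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0aaa", "State": "active"},
        ],
    },
    {   # public table: default route to the Internet Gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0bbb", "State": "active"},
        ],
    },
]
SAMPLE_SUBNETS = ["subnet-pub", "subnet-priv"]
SAMPLE_NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa", "SubnetId": "subnet-pub"},
    {"NatGatewayId": "nat-0ccc", "SubnetId": "subnet-priv"},  # misplaced
]


def effective_route_table(subnet_id, route_tables):
    """Explicitly associated table if any, otherwise the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_route(rt, default_only=False):
    """True if the table has an active route to an Internet Gateway (igw-*).

    default_only=True applies the answer's 'practical' definition: only a
    0.0.0.0/0 route to the IGW counts.
    """
    for route in rt.get("Routes", []):
        if route.get("State", "active") != "active":
            continue
        if not str(route.get("GatewayId", "")).startswith("igw-"):
            continue
        if default_only and route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        return True
    return False


def classify_subnet(subnet_id, route_tables):
    """'public' if the effective route table reaches an IGW, else 'private'."""
    rt = effective_route_table(subnet_id, route_tables)
    return "public" if rt is not None and has_igw_route(rt) else "private"


def check_nat_gateway_placement(nat_gateways, route_tables):
    """Findings for NAT Gateways whose own subnet is not public."""
    findings = []
    for ngw in nat_gateways:
        if classify_subnet(ngw["SubnetId"], route_tables) != "public":
            findings.append(f"{ngw['NatGatewayId']} is in {ngw['SubnetId']}, "
                            "which has no route to an Internet Gateway")
    return findings


def check_private_egress(subnets, nat_gateways, route_tables):
    """Findings for private subnets whose default route is a NAT Gateway that
    itself is not in a public subnet (the full chain must end at an IGW)."""
    ngw_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    findings = []
    for s in subnets:
        if classify_subnet(s, route_tables) != "private":
            continue
        for route in (effective_route_table(s, route_tables) or {}).get("Routes", []):
            ngw = route.get("NatGatewayId")
            if route.get("DestinationCidrBlock") == DEFAULT_ROUTE and ngw:
                if classify_subnet(ngw_subnet.get(ngw, ""), route_tables) != "public":
                    findings.append(f"{s} routes 0.0.0.0/0 to {ngw}, which is not in a public subnet")
    return findings


if __name__ == "__main__":
    for s in SAMPLE_SUBNETS:
        print(s, classify_subnet(s, SAMPLE_ROUTE_TABLES))
    for f in check_nat_gateway_placement(SAMPLE_NAT_GATEWAYS, SAMPLE_ROUTE_TABLES):
        print("FINDING:", f)
```

On the sample data, `subnet-pub` classifies as public, `subnet-priv` (main table, default route to `nat-0aaa`) as private with valid egress, and `nat-0ccc` is reported as misplaced. Against a real account, replace the sample lists with the `RouteTables` and `NatGateways` arrays from the corresponding boto3 calls.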

Author: Julian

Updated on September 18, 2022

Comments

  • Julian
    Julian over 1 year

    As I understand it, a public subnet is one that can route traffic to the internet via an Internet Gateway, and a private subnet is one that cannot (it can't reach the internet, nor can it be reached from it). In order to reach the internet, a private subnet needs to route traffic through a NAT Gateway.

    I can confirm this because I am actually using this setup successfully.

    But... the Amazon docs say otherwise (bold emphasis is mine): VPC with Public and Private Subnets (NAT)

    The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can't. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can't. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) instance that you launch into the public subnet.

    Does it matter where the NAT gateway resides? If it does, what are the use cases of putting it in a private/public subnet?

    • ceejayoz
      ceejayoz almost 7 years
      NAT instance != NAT gateway. The gateway is a managed solution, but it's entirely possible to launch your own unmanaged NAT instances, which need to go in the public subnet to have access to the public internet.
    • Julian
      Julian almost 7 years
      @ceejayoz You are right, ooops! I updated the title to make my question more precise.
    • Tim
      Tim almost 7 years
      I have changed "gateway" to "instance" for you in your question.
    • Julian
      Julian almost 7 years
      @Tim that would be incorrect. I will roll back the change. I specifically mean gateway as in the particular service provided by Amazon called NAT Gateway. I'm not interested in generic networking answers but specifically an AWS specific answer (hence the tags).
    • Tim
      Tim almost 7 years
      Ok, sorry about that. The comments above made it look like you were referring to a NAT instance. Note that a NAT Gateway is a managed product from AWS, a NAT instance is an EC2 instance you create that does NAT for your VPC.
  • Suhas Chikkanna
    Suhas Chikkanna over 4 years
    @Michael - sqlbot What happens if I send an HTTP request via this NAT gateway? Will the response be dropped at the NAT gateway? Since you said "incoming connection attempts are never accepted under any circumstances". AFAIK, it does accept, but only in case the connection was initiated from the private IPs. Could you please comment and correct me if I am wrong? Thank you.
  • Michael - sqlbot
    Michael - sqlbot over 4 years
    @SuhasChikkanna if the connection is initiated from a private IP behind the NAT Gateway then by definition it is not an incoming connection attempt -- that's an outgoing connection.
  • Suhas Chikkanna
    Suhas Chikkanna over 4 years
    Yes, you are right. So that would mean an outgoing connection attempt from an application on a private machine can receive the response and access the internet successfully?
  • Michael - sqlbot
    Michael - sqlbot over 4 years
    @SuhasChikkanna that is correct.
  • user345602
    user345602 about 3 years
    I'm wondering why in this example they put the NAT Gateway in the "Main route table" which is associated with the private subnet: docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
  • Hieu Le
    Hieu Le over 2 years
    @user345602 To make a NAT gateway work, we need to set two subnets for it. One is our private subnet, the other is a public subnet. That's why, when we create a NAT gateway, AWS first asks us to choose the first one (the public subnet), where the NAT gateway is placed. This is the part of "launch into the public subnet".