How to connect to outside world from amazon vpc?
Solution 1
It appears that the only way to get outside from instances that don't have Elastic IP is:
- add a NAT (Launch an extra m1.small instance from ami-vpc-nat-beta) and assign EIP to it
- Create an extra subnet which will be "private"
- Move non-EIP-instances to that private subnet
- Modify route tables: 0.0.0.0/0 from the private subnet should go to NAT
So, just adding NAT is not enough. Instances should be stopped and moved to another IP from another subnet.
Solution 2
The docs tell you should add a NAT Instance
Solution 3
Q. How do instances without EIPs access the Internet?
Instances without EIPs can access the Internet in one of two ways Instances without EIPs can route their traffic through a NAT instance to access the Internet. These instances use the EIP of the NAT instance to traverse the Internet. The NAT instance allows outbound communication but doesn’t enable machines on the Internet to initiate a connection to the privately addressed machines using NAT, and
http://aws.amazon.com/vpc/faqs/
You can find detailed instructions on how to setup a nat instance here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Solution 4
Or create a NAT Instance within the public VPC and add a static route to that NAT instance
route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.0.0.5 eth0
where 10.0.0.5 is your nat instance, just make sure your the security group which contains the NAT instance can accept internal traffic from the boxes you require internet access
Solution 5
You can do it on any instance in your VPC, that has EIP. There few instructions that i described here should help you. BTW: don't forget disable source/dest. check
Andrey Regentov
Updated on July 09, 2022Comments
-
Andrey Regentov almost 2 years
I have amazon VPC set through wizard as "public only network", so all my instances are in public subnet.
Instances within VPC that have Elastic IP assigned connect to internet without any troubles.
But instances without elastic IP can't connect anywhere.
Internet gateway is present. Route table in aws console looks like
Destination Target 10.0.0.0/16 local 0.0.0.0/0 igw-nnnnn
and route from inside instance shows
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.0.0.0 * 255.255.255.0 U 0 0 0 eth0 default 10.0.0.1 0.0.0.0 UG 100 0 0 eth0
I tried to open ALL inbound and outbound traffic to 0.0.0.0/0 in security group that an instance belongs to. Still no success.
~$ ping google.com PING google.com (74.125.224.36) 56(84) bytes of data. ^C --- google.com ping statistics --- 6 packets transmitted, 0 received, 100% packet loss, time 5017ms
What else can I do?
-
Andrey Regentov over 11 yearsnote that the questions is answered 5 months ago. Note that "I tried to open ALL inbound and outbound traffic to 0.0.0.0/0 in security group that an instance belongs to. Still no success." means that it's not connected with security groups.
-
dparkar over 11 yearsThe docs say that you must also assign an EIP to the NAT instance.
-
dparkar over 11 yearsInfact, without assigning EIP to the NAT instance, it WILL NOT WORK. Just tested.
-
Andrey Regentov over 11 yearsOf course your NAT should have EIP. Implied that. Edited the answer
-
Pablo SL over 9 yearsDon't forget to disable in the NAT instance source/destination check.
-
phocks over 8 yearsThey must have only recently put in the "NAT instance source/destination check" because I never used to have to disable that before connecting. Pretty silly default setting to not allow outside connections when that's pretty much what most people would be using it for I imagine.
-
Adam Link over 6 yearsSince this is the accepted answer, check your network ACLs too (VPC -> Security -> Network ACLs). Make sure you are not blocking inbound or outbound traffic. In my case, it was failing due to my network ACL not allowing inbound traffic.