AWS: Putting together ELB, NAT Gateway and Public Subnet - Not working
We are working with an existing setup that consists of a public subnet of EC instances; they are accessible under the ELB and works fine. However, for outside clients to use the API's on these instances, I thought that a NAT Gateway is needed (IP's are not inside the network, akin to serverless).
We have tried, failed and tried again. Questions like this, almost helped, but I still don't understand the cause of the issue. We can't access the sites when the NAT GW is enabled.
There's already a functioning ELB. If we were to implement a NAT GW, how does an ELB and NAT GW tie together? To service this public subnet of EC2 instances under it? When we add the NAT GW, the responses become 403's.
Depending on how you want to expose your VPC, you can decide on one of the below path. Questions to ask is:
- Does your instances (web servers) need internet access?
- Do you want to access your instances from the internet? [i.e Remote access]
Best practice is to avoid exposing the instances to public internet. You can keep them in private subnets behind the ELB as in the picture here.
Setup 1:
Do note that the ALB and NAT Gateway (1 or 2 for redundancy) should be created in a Public Subnet for the above setup.
Setup 2:
In this deployment, NAT Gateway is avoided and instances are exposed to internet in both direction. In this scenario, instances will need Publip IP or Elastic IP to reach out directly.
In both scenario's access through the Application Load Balancer [ALB] should work fine. Take a note on the Route Table
- AWS Lambda No module named 'regex._regex'
- Unable to resolve " not a valid key=value pair (missing equal-sign) in Authorization header" when POSTing to api gateway
- How to reset EC2 ubuntu instance?
- How to zip files properly on mac for unzipping via python from s3?
- Issues generating CloudFront signed URLs; always Access Denied
- AWS EventBridge Pipeline - Self Managed Kafka filter not working
- aws lambda function triggering multiple times for a single event
- Trying to create AWS spot datafeed, getting error: InaccessibleStorageLocation
- Can't see my EC2 instances on the management console?
- React web app Auth UserPool not configured
- How to retrieve usage on Amazon S3 based on tag?
- AWS Amplify: How to delete the environment, when resources are already partially deleted?
- Interactive shell in Docker image with Amazon ECS with `aws ecs run-task` followed by `aws ecs execute-command`
- Terraform v0.11.1 : Error downloading modules: Error loading modules: open .terraform/modules/3f10921295c292995128e9e36eb: no such file or directory
- Ansible - include vars file from remote host
- How to change AWS Lamp apache root directory?
- AWS Codeartifact and Poetry auth problems with private packages
- S3 Intelligent - Tiering with snowflake managed iceberg tables
- InvalidClientTokenId error aws when trying to get caller identity
- AWS Route 53: cost of having a subdomain on another DNS provider than AWS
- Unable to connect from MySQL Workbench to AWS RDS instance
- Querying timestamp data in Athena when the timestamp format in the underlying JSON files has changed
- Difference between AWS::IAM::Policy and AWS::IAM::ManagedPolicy
- During an aborted deployment, some instances may have deployed the new application version
- API Gateway V2 private integration to application load balancer always returns 503
- AWS ELB -> Backend Server over HTTPS with Self-Signed Certificate
- ELB to backend server using HTTPS with self-signed certificate
- How to pass different principals when deploying a bucket policy using terraform
- Clarification for AWS auto-scaling of instances
- Instances scaling (by ASG) but no new tasks being created