
AWS: Putting together ELB, NAT Gateway and Public Subnet - Not working


We are working with an existing setup that consists of a public subnet of EC2 instances; they are accessible under the ELB and work fine. However, for outside clients to use the APIs on these instances, I thought that a NAT Gateway is needed (IPs are not inside the network, akin to serverless).

We have tried, failed and tried again. Questions like this almost helped, but I still don't understand the cause of the issue. We can't access the sites when the NAT GW is enabled.

There's already a functioning ELB. If we were to implement a NAT GW, how do an ELB and a NAT GW tie together to service this public subnet of EC2 instances under it? When we add the NAT GW, the responses become 403s.


Solution

  • Depending on how you want to expose your VPC, you can decide on one of the paths below. Questions to ask are:

    1. Do your instances (web servers) need internet access?
    2. Do you want to access your instances from the internet? [i.e. remote access]

    Best practice is to avoid exposing the instances to public internet. You can keep them in private subnets behind the ELB as in the picture here.

    Setup 1:

    [diagram: Setup 1]

    Do note that the ALB and NAT Gateway (1 or 2 for redundancy) should be created in a Public Subnet for the above setup.

    Setup 2:

    [diagram: Setup 2]

    In this deployment, the NAT Gateway is avoided and instances are exposed to the internet in both directions. In this scenario, instances will need a Public IP or Elastic IP to reach out directly.

    In both scenarios, access through the Application Load Balancer [ALB] should work fine. Take note of the Route Table
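As an added check that is not part of the answer above, the script below audits route-table data of the kind `aws ec2 describe-route-tables` / `describe-nat-gateways` return against the Setup 1 layout (public subnet routes 0.0.0.0/0 to an IGW and hosts the ALB and NAT Gateway, private instance subnets route 0.0.0.0/0 to the NAT Gateway); the subnet roles, IDs and the "broken" variant are constructed placeholders, not values from this thread.

```python
import copy

# Constructed sample shaped like describe-route-tables / describe-nat-gateways
# output; IDs are placeholders, not from the original thread.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-public-a"}]
# Assumed tier of each subnet: ALB and NAT Gateway live in "public", instances in "private".
ROLES = {"subnet-public-a": "public", "subnet-private-a": "private"}

# Constructed misconfiguration: the public subnet's default route was repointed
# at the NAT Gateway instead of the internet gateway.
BROKEN_ROUTE_TABLES = copy.deepcopy(ROUTE_TABLES)
BROKEN_ROUTE_TABLES[0]["Routes"][1] = {"DestinationCidrBlock": "0.0.0.0/0",
                                       "NatGatewayId": "nat-0example"}


def default_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or '' if the table has none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or ""
    return ""


def audit(route_tables, nat_gateways, roles):
    """Return a list of findings; an empty list means the layout matches Setup 1."""
    findings = []
    target_by_subnet = {}
    for rt in route_tables:
        for assoc in rt["Associations"]:
            target_by_subnet[assoc["SubnetId"]] = default_target(rt)
    for subnet, role in roles.items():
        target = target_by_subnet.get(subnet, "") or "no default route"
        if role == "public" and not target.startswith("igw-"):
            findings.append(f"{subnet}: public subnet routes 0.0.0.0/0 to {target}, expected igw-*")
        if role == "private" and not target.startswith("nat-"):
            findings.append(f"{subnet}: private subnet routes 0.0.0.0/0 to {target}, expected nat-*")
    for ngw in nat_gateways:  # the NAT Gateway itself must sit in a public subnet
        if roles.get(ngw["SubnetId"]) != "public":
            findings.append(f"{ngw['NatGatewayId']}: NAT Gateway is not in a public subnet")
    return findings


if __name__ == "__main__":
    print(audit(ROUTE_TABLES, NAT_GATEWAYS, ROLES))         # []
    print(audit(BROKEN_ROUTE_TABLES, NAT_GATEWAYS, ROLES))  # one finding for subnet-public-a
```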