oracle aide

December 27, 2015

An AWS Sonnet: Build a custom VPC with NAT

Filed under: Uncategorized — oracleaide @ 6:23 pm

… in 14 steps. Hence the sonnet reference.

This is a condensed narrative for lectures 48 and 49 from the AWS Architecture class on Udemy.  The narrative is much faster in getting to the point than 30 minutes of linear videos, it is precise and can be read in any direction.

1. Create a VPC,

2. Create in the VPC 2 subnets, in availability zones “a” and “b”, and respectively.

3. Create an internet gateway and attach it to the new VPC. To reduce clutter – set “Filter by VPC” in the left upper corner of the VPC dashboard to the new VPC.

4. Create in the new VPC a routing table, add a route “ – internet gateway” to it.

5. Associate the subnet “a” with the new routing table. This will make the subnet “a” public.

6. Create a security group, open inbound SSH, HTTP, HTTPS for Anywhere.

7. Launch an instance “a” in subnet “a”, with an Auto-Assigned Public IP, selecting the new security group.

8. Launch an instance “b” in subnet “b”, WITHOUT an Auto-Assigned Public IP, in the same security group.

9. SSH to the instance “a”, verify that it has access to internet, e.g. “sudo yum install telnet” should work.

10. From the instance “a” SSH to the instance “b”.  It should not have access to internet, e.g. “sudo yum install telnet” should time out.

11. Launch a NAT from a community image, select subnet “a”, Public IP, and the same security group (just for the demo – there is no a separate security group, in prod create a separate group for traffic between subnet “b”

12. Turn off the source-destination check for the NAT instance (Networking-Change Source / Destination Check).

13. Add to the main routing table (not the new one from step 4!), a route “ – the new NAT instance”.

14. Repeat the “sudo yum install telnet” test from  instance “b” – it should work now, although the instance “b”  is still in a private subnet.



  1. Thanks for this summary, very helpful. The only thing I am still trying to wrap my head around has to do with step #13 – is this giving the NAT a route to the internet (which I thought it already had by virtue of being in the public subnet and having an elastic IP), or is it giving everything in the world (both internet and our private IP addresses) a route to get to the NAT?

    Comment by Al Miller — March 21, 2016 @ 1:28 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at

%d bloggers like this: