Condition:
1 Public subnet A in VPC (No private subnet)
Internet gateway is connected to VPC
1 NAT gateway is in subnet A
One server instance resides in subnet A.
Question:
Is it possible to use the NAT gateway only in a specific case, and otherwise send requests without the NAT gateway?
Some API interfaces I'm using are whitelisted and only allow a whitelisted IP (I assigned it to the NAT gateway).
But because of traffic cost, I want to use the NAT gateway only for requests to the whitelisted API server.
Example)
1)
https://Some-Whitelisted-API-Server.com/get => Sent via the NAT gateway, so the API server acknowledges a whitelisted IP as the request source
2)
https://AnyOtherRequest.com/get => Sent without the NAT gateway; the request source IP is the EIP of the instance.
Is it possible to configure it like the above?
I guess I need to use an nginx or Apache server for URL re-routing, but it would be great if the above is possible.
I am wondering why we attach an Elastic IP address to a NAT Gateway, but we do not attach one to an Internet Gateway.
The functionality of these two services is very similar. The NAT Gateway allows instances in my private network to initiate communication to the outside. The Internet Gateway extends this by allowing external devices to initiate communication also to the inside. So I would expect the Internet Gateway to require an Elastic IP address too at least, but this does not match the reality.
Is there any explanation to this?
A NAT Gateway still uses an Internet Gateway to access the Internet. So they are not two exclusive, separate things like you indicate in your question. Also, an Internet Gateway is not just for allowing inbound connections from the Internet, as you state in your question, it is for allowing any Internet access inbound to your VPC or outbound from your VPC.
An Internet Gateway allows anything in the VPC with a public IP address to access the Internet. It's basically a bridge between your private network, and Amazon's Internet connection.
A NAT Gateway is one of those resources that gets a public IP address in order to access the Internet through the Internet Gateway. The NAT Gateway just serves as a route to the Internet for all the resources in the VPC that do not have a public IP address.
We have 10 instances on which we deployed the app using AWS ECS and ELB.
Due to security reasons the API allows requests only from specific whitelisted IP addresses.
So we are planning to pass the requests through a proxy.
How do we route an API request through a proxy?
We are using nginx.
Any specific way to route an API request through a proxy will be helpful.
You won't need NGINX as a proxy for this use-case; I'd propose to consider looking into using AWS NAT Gateways. NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). It's the perfect place to provide a static IP to all your subnet's outbound traffic.
You need to provide a NAT Gateway with a static IP (Elastic IP) for your cluster's outbound traffic. This will allow your different tasks running inside your ECS cluster's private subnets to look like a single requesting entity from an outsider's POV (in your case, the 3rd party API is the outsider). To achieve this, you will have to:
Create 2 route tables (1 for private subnets, 1 for public subnets)
Create an Internet gateway on the public subnet
Allocate an Elastic IP address
Create a NAT Gateway and attach the elastic IP to it (This will be the IP whitelisted to the 3rd party API)
Ensure that all your tasks are running inside private subnets of the VPC
Add a rule in your route table for your private subnets that redirects outbound 0.0.0.0/0 to the NAT Gateway.
Add a rule in your route table for your public subnets that redirects outbound traffic 0.0.0.0/0 to the internet gateway.
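The steps above, carried out end to end with boto3. This is an added example, not code from the answer or from AWS: the VPC CIDR, the single public/private subnet pair, the region and the tagless resources are assumptions, and `carve_subnets` / `route_plan` are helpers introduced here. Resource ids come back from the API calls rather than being hard-coded, and `build_nat_layout` returns the Elastic IP allocation so the address to whitelist can be looked up afterwards.

```python
"""Provision the NAT Gateway layout from the answer with boto3 (added example).

Builds a VPC, one public and one private subnet, an Internet Gateway, an
Elastic IP, a NAT Gateway in the public subnet, and two route tables
(public -> IGW, private -> NAT). CIDRs and region are assumptions.
"""
import ipaddress


def carve_subnets(vpc_cidr: str):
    """Split the VPC CIDR into a public /24 and a private /24.
    Assumption: one subnet of each kind; a real deployment uses one pair per AZ."""
    net = ipaddress.ip_network(vpc_cidr)
    public, private = list(net.subnets(new_prefix=24))[:2]
    return str(public), str(private)


def route_plan(igw_id: str, nat_id: str):
    """Pure description of the two route tables from the answer: public subnets
    send 0.0.0.0/0 to the Internet Gateway, private subnets send it to the NAT
    Gateway. The VPC 'local' route is implicit and cannot be edited."""
    return {
        "public": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": igw_id}],
        "private": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": nat_id}],
    }


def build_nat_layout(ec2, vpc_cidr: str = "10.0.0.0/16"):
    """Create the resources in dependency order. `ec2` is a boto3 EC2 client."""
    pub_cidr, priv_cidr = carve_subnets(vpc_cidr)
    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    ec2.get_waiter("vpc_available").wait(VpcIds=[vpc_id])

    public = ec2.create_subnet(VpcId=vpc_id, CidrBlock=pub_cidr)["Subnet"]["SubnetId"]
    private = ec2.create_subnet(VpcId=vpc_id, CidrBlock=priv_cidr)["Subnet"]["SubnetId"]

    # Internet Gateway: the VPC's bridge to the Internet. Only resources with a
    # public IP (the NAT Gateway included) use it directly.
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # Elastic IP plus NAT Gateway in the *public* subnet. The EIP is the source
    # address the third-party API sees, so it is the one to whitelist.
    alloc_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    nat_id = ec2.create_nat_gateway(SubnetId=public, AllocationId=alloc_id)[
        "NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat_id])

    # One route table per tier, each associated with its subnet. Tasks must be
    # placed in the private subnet for their egress to carry the EIP.
    plan = route_plan(igw_id, nat_id)
    for tier, subnet_id in (("public", public), ("private", private)):
        rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
        for route in plan[tier]:
            ec2.create_route(RouteTableId=rtb_id, **route)
        ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)

    return {
        "vpc": vpc_id,
        "public_subnet": public,
        "private_subnet": private,
        "nat_gateway": nat_id,
        "whitelist_ip_allocation": alloc_id,
    }


if __name__ == "__main__":
    import boto3  # imported here so the pure helpers work without boto3 installed

    # Region is an assumption; credentials come from the usual boto3 chain.
    print(build_nat_layout(boto3.client("ec2", region_name="us-east-1")))
```

Run it once per VPC; the NAT Gateway waiter can take a couple of minutes. Because `route_plan` is pure, the routing intent can be reviewed (or unit-tested) without touching an AWS account.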
You should consider using NAT Gateway instead. I am assuming you already would have all your containers in a VPC, so you can create a new NAT Gateway within this VPC itself.
You can refer to articles attached below to do this:
https://docs.aws.amazon.com/appstream2/latest/developerguide/add-nat-gateway-existing-vpc.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Note: NAT Gateways have a price associated with them.
If needed, you can use the elastic IP provided by NAT Gateways on your lambdas as well.
I have configured the API Gateway with a lambda function. The lambda function is in a VPC with private subnets. I have also attached an internet gateway to the VPC with a route table routing all traffic to the internet gateway. From what I understand, I still shouldn't be able to access any of the API endpoints, as the lambda function is in a private subnet and needs a NAT gateway between the internet gateway and private subnets.
However, with the security group assigned to the lambda function allowing incoming traffic, I am able to access all endpoints.
API Gateways are used for Inbound communication, whereas NAT Gateway is used for outbound communication.
Hence for inbound traffic, once you configure the API Gateway routing to lambda, with appropriate security policy, you can access the api.
For outbound communication, your private service needs to access the NAT gateway, which will route traffic to the Internet gateway and further out to the Internet.
Say I have an ec2 in a private subnet with access to the internet through a NAT Gateway and I have VPC endpoints (PrivateLink) for AWS services like DynamoDB or SNS. If my ec2 instance needs to interact with those services, it will use the private link or the NAT Gateway? In other words, the traffic will go on the public internet or will stay inside the VPC?
In other words, the traffic will go on the public internet or will stay inside the VPC?
It will go to the interface endpoint. The reason is that AWS chooses the more specific (longest prefix match) route when there is more than one choice of where to direct traffic. So if the VPC has to decide between 0.0.0.0/0 for NAT and the interface endpoint address, the interface endpoint will be prioritized.
You can easily check it yourself. Place an interface endpoint in your private subnet which has a route to NAT. Then block all incoming traffic to the interface endpoint using its security group. What you should see is that you are unable to access the service of the interface endpoint, even though there is a NAT gateway.
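A small model of the route selection the answer describes, added here as an example and not part of the original post. The route table, the endpoint and NAT ids, and the prefix used for the gateway endpoint are all constructed: 192.0.2.0/24 is a documentation range standing in for the prefix list AWS installs for a gateway endpoint such as DynamoDB, not the real service range. Interface endpoints (for example SNS) resolve through private DNS to ENI addresses inside the VPC CIDR, so they are matched by the `local` route; gateway endpoints are matched by the prefix-list route; anything else falls through to 0.0.0.0/0 and the NAT Gateway.

```python
"""Longest-prefix-match route selection for a VPC route table (added example).

Everything below is constructed for illustration: the VPC CIDR, the
endpoint / NAT ids and the stand-in prefix for the gateway endpoint.
"""
import ipaddress

# Constructed route table for the private subnet in the question.
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),                      # implicit VPC route
    ("192.0.2.0/24", "vpce-gw-dynamodb-EXAMPLE"),  # gateway endpoint prefix (placeholder)
    ("0.0.0.0/0", "nat-EXAMPLE"),                  # default route to the NAT Gateway
]


def select_route(dst_ip, routes=PRIVATE_ROUTE_TABLE):
    """Return (cidr, target) of the most specific route containing dst_ip,
    or None when no route matches (the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [
        (ipaddress.ip_network(cidr), target)
        for cidr, target in routes
        if ip in ipaddress.ip_network(cidr)
    ]
    if not candidates:
        return None
    net, target = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), target


def classify(dst_ip, routes=PRIVATE_ROUTE_TABLE):
    """Say whether traffic to dst_ip leaves through the NAT Gateway (public
    path, billed as NAT data processing) or stays inside the VPC."""
    route = select_route(dst_ip, routes)
    if route is None:
        return "dropped (no matching route)"
    target = route[1]
    if target.startswith("nat-"):
        return "via NAT gateway"
    return "stays in VPC via " + target


def without_endpoints(routes=PRIVATE_ROUTE_TABLE):
    """The same table with every endpoint route removed, to show what changes."""
    return [r for r in routes if not r[1].startswith("vpce-")]


if __name__ == "__main__":
    samples = {
        "10.0.1.50": "interface endpoint ENI (e.g. SNS via private DNS)",
        "192.0.2.17": "address inside the gateway endpoint prefix (e.g. DynamoDB)",
        "203.0.113.9": "ordinary Internet host",
    }
    for ip, what in samples.items():
        print(f"{ip:<12} {what:<60} -> {classify(ip)}")
    # With the endpoint route gone, the same service address takes the NAT path.
    print("192.0.2.17 without endpoint route ->", classify("192.0.2.17", without_endpoints()))
```

The last line is the point of the answer's experiment: the destination does not change, only the presence of a more specific route does, and that alone decides whether the traffic stays inside the VPC or crosses the NAT Gateway.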
I have an application running in an EC2 instance in a private subnet (to add extra security), receiving traffic directly from an internet-facing NLB that is associated to the public subnet.
I have also configured a NAT Gateway in the public subnet so that the private EC2 instance can download whatever needed from the Internet.
I have just come to the following conclusion:
If I request from the Internet: http://index.html
The private EC2 Instance uses the NAT Gateway to send back the HTTP response, and therefore you are charged for that NAT processing.
https://aws.amazon.com/vpc/pricing/
"Data processing charges apply for each Gigabyte processed through the NAT gateway regardless of the traffic’s source or destination"
The Route Table associated to the Private Subnet (where the web/app server is located) has { local ; 0.0.0.0/0 -> NATGateway }. If I remove the 0.0.0.0/0 entry, then the HTTP requests to the server do not work. And if I remove the NAT Gateway I get the same issue.
Additionally, when I have the NAT Gateway and the route table to use it from the Private Subnet, I can also see traffic in the monitoring tab of the NAT Gateway when I do a simple HTTP request from the Internet - http:///index.html
Has someone faced the same issue? Is my understanding correct?
Is there any workaround to avoid this? I can just think of the following:
Move the application to a Web Tier (in a public subnet) so that the EC2 Instance has a public IP and therefore it does not need the NAT Gateway to respond to every HTTP request
Create a Web Tier in addition to the Application Tier, so that all traffic goes from the NLB <-> Web Tier <-> App Tier
Create a NAT Instance instead of a NAT Gateway so that you are not charged for that NAT processing.
Thanks!
So, it turns out there is a strange behaviour (bug?) in NLB that requires a default route to something for return traffic to work.
Scenario:
NLB in Public Subnet
NLB Target Group pointing to an instance in a Private Subnet
Sending traffic to the NLB will not give a response.
Add:
NAT Gateway
Add a route in the Private Route Table to point to the NAT Gateway
This works.
However, it doesn't actually use the NAT Gateway!
Instead of adding a NAT Gateway, you can instead create a default route to another instance, for example:
0.0.0.0/0 -> another instance
Then, connecting to the NLB works!
Behind the scenes, the VPC network detects that traffic coming out of the instance is in response to a request that came via the NLB, and traffic will be routed out the NLB.
HOWEVER, it only works if there is a valid default route in the route table. The route isn't used -- the network overrides it, so it doesn't matter what it points to. However, it must point to a valid resource. It doesn't work if it points to an ENI that isn't attached to anything. In my tests, it also doesn't seem to work if you point it back to the same instance. But, I pointed it to another instance and it worked just fine.
AWS Support agrees that this is not the best behaviour, but it's how things have to be configured for the moment.
Bottom line: It does not require a NAT Gateway. It just needs a valid default route that will be ignored when routing return traffic.