Connecting Your VPC

Bridging Your VPC to the Internet

Every VPC needs a way to communicate with the outside world. Whether it’s accessing the internet or sending data securely, Internet Gateways (IGWs) and NAT Gateways (NGWs) play crucial roles. In this article, we’ll explore how these components work, their key differences, and when to use each, while also diving into the role of Elastic IPs and Public IPs in enabling connectivity.

---

What Are Internet Gateways (IGWs)?

An Internet Gateway (IGW) is a VPC component that allows resources in public subnets to communicate with the internet. It acts as the main "door" through which traffic enters and leaves your VPC.

Key Features:

• Fully managed by AWS.
• Horizontally scalable and highly available.
• Handles both inbound and outbound internet traffic for resources in public subnets.
• Works with Elastic IPs or Public IPs for instances.

---

Mental Model: Internet Gateway as a Highway Exit

Think of an Internet Gateway like the main highway exit for your VPC:

• Resources in public subnets (like web servers) use it to send and receive traffic from the internet.
• Without it, your public-facing resources are isolated and inaccessible.

---

How to Set Up an Internet Gateway

1. Create an Internet Gateway:

   • Go to the VPC Dashboard > Internet Gateways.
   • Click Create Internet Gateway, name it, and attach it to your VPC.

2. Update the Routing Table:

   • Add a route to the routing table of your public subnet:
     • Destination: 0.0.0.0/0 (all internet traffic).
     • Target: Your newly created Internet Gateway.

3. Assign Public IPs to Instances:

   • Ensure your EC2 instances in the public subnet have Public IPs or Elastic IPs.

4. Test Connectivity:

   • Ping your instance’s public IP to confirm it is accessible from the internet.

---

What Are NAT Gateways (NGWs)?

A NAT Gateway (NGW) is a service that enables resources in private subnets to access the internet for outbound traffic, while keeping them protected from inbound internet traffic.

Key Features:

• Fully managed by AWS.
• Only handles outbound traffic and prevents direct inbound access.
• Scalable and fault-tolerant by default.
• Requires an Elastic IP to route outbound traffic.

---

Mental Model: NAT Gateway as a Secure Receptionist

Think of a NAT Gateway as a receptionist in an office:

• Employees (private instances) can make outbound calls (internet requests).
• However, external callers (internet traffic) can’t directly contact the employees.

---

How to Set Up a NAT Gateway

1. Create a NAT Gateway:

   • Go to the VPC Dashboard > NAT Gateways.
   • Click Create NAT Gateway and select a public subnet to place it in.
   • Assign an Elastic IP to the NAT Gateway.

2. Update the Routing Table:

   • Add a route to the routing table of your private subnet:
     • Destination: 0.0.0.0/0.
     • Target: Your newly created NAT Gateway.

3. Test Outbound Connectivity:

   • Launch an instance in the private subnet and verify outbound internet access (e.g., using curl or ping).

---

Elastic IPs vs Public IPs

In AWS, Elastic IPs (EIPs) and Public IPs are used to enable internet connectivity. Here’s how they differ:

Public IPs

• Automatically assigned to instances in public subnets if enabled during launch.
• Dynamic: Released when the instance stops or terminates.
• Best for temporary resources.

Elastic IPs

• Static IPs allocated manually to your AWS account.
• Persistent: Remains with your account until explicitly released.
• Required for NAT Gateways and ideal for production resources needing consistent IP addresses.

---

Key Differences Between IGWs and NGWs

• Internet Gateway (IGW):

  • Handles inbound and outbound internet traffic.
  • Used for public subnets and public-facing services.
  • Requires a Public IP for EC2 instances in public subnets.

• NAT Gateway (NGW):

  • Handles outbound internet traffic only.
  • Used for private subnets needing outbound access.
  • Requires an Elastic IP for the NAT Gateway.

---

Common Scenarios

1. Hosting a Public Website

• Use an Internet Gateway.
• Place your web servers in a public subnet.
• Assign Public IPs or Elastic IPs to your instances.

2. Backend Resources Needing Internet Access

• Use a NAT Gateway.
• Place databases, application servers, or internal tools in a private subnet.
• Route outbound traffic through the NAT Gateway.

3. Mixed Architecture

• Public-facing resources (like web servers) in a public subnet with an Internet Gateway.
• Private resources (like databases) in a private subnet with a NAT Gateway for updates or external communication.

---

Troubleshooting Common Issues

1. No Internet Access in Public Subnets

• Ensure the Internet Gateway is attached to the VPC.
• Verify that the routing table has a route to 0.0.0.0/0 pointing to the Internet Gateway.
• Assign a Public IP or Elastic IP to instances.

2. No Internet Access in Private Subnets

• Ensure the NAT Gateway is placed in a public subnet.
• Verify the routing table of the private subnet has a route to 0.0.0.0/0 pointing to the NAT Gateway.

3. Traffic Still Reaches Private Instances

• Confirm that security groups and NACLs restrict inbound traffic to private subnets.

---

Big Words Defined

• Internet Gateway (IGW): A VPC component that allows resources in public subnets to communicate with the internet.
• NAT Gateway (NGW): A VPC component that enables outbound internet access for resources in private subnets while blocking inbound traffic.
• Elastic IP (EIP): A static public IP address that you manually allocate and manage in AWS.
• Public IP: A temporary, dynamically assigned IP for instances in public subnets.
• Public Subnet: A subnet with resources that can communicate directly with the internet via an Internet Gateway.
• Private Subnet: A subnet with resources that are isolated from the internet and use a NAT Gateway for outbound access.

---

What’s Next?

Next, we’ll explore Security Groups and NACLs (Network Access Control Lists) — the layers of protection that keep your network safe from unauthorized access.