Why can't my EC2 instance in a private subnet connect to the internet using a NAT gateway?
Last updated: 2020-11-27
I created a NAT gateway to reach the internet from my Amazon Elastic Compute Cloud (Amazon EC2) instance in a private subnet, but my instance is not able to reach the internet. How do I fix this?
Verify that the instances meet the following conditions:
1. The destination is reachable. To confirm, ping the destination from another source that uses a public IP address.
2. The NAT gateway is in the Available state. If the NAT gateway is in the Failed state, follow the troubleshooting steps at NAT gateway goes to a status of failed. Note: A NAT gateway in the Failed state automatically deletes after about an hour.
4. The private subnet’s route table has a default route pointing to the NAT gateway. Note: Make sure that you’re not using the same route table for both the private and the public subnet. Using the same route table means that traffic isn't routed to the internet.
5. The enableDnsSupport attribute is set to true in the VPC. For more information, see Viewing and updating DNS support for your VPC.
6. No software firewalls block traffic over HTTP or HTTPS.
7. The security group attached to the instance's elastic network interface allows outbound traffic to ports 80 (for HTTP traffic) and 443 (for HTTPS traffic). For more information, see Amazon EC2 security groups for Linux instances or Amazon EC2 security groups for Windows instances.
8. Both of the following have rules allowing inbound and outbound traffic on ports 80 and 443 using the destination IP address 0.0.0.0/0:
- The network access control lists (ACLs) associated with the private subnet where the instance is located
- The network ACLs associated with the public subnet where the NAT gateway is located
For example, to allow your EC2 instances to access an HTTPS website, the network ACL associated with the NAT gateway subnet must have the rules below.
|Source|Protocol|Port Range|Allow / Deny|

|Destination|Protocol|Port Range|Allow / Deny|
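
An offline version of checks 2, 4 and 7 above, added here as an example and not AWS's own code: it takes dictionaries in the shape returned by the EC2 describe-nat-gateways, describe-route-tables and describe-security-groups calls. The IDs, the sample data and the finding labels are constructed for illustration.

```python
# Added example. Inputs mirror EC2 describe-* JSON shapes; every ID is constructed.
def table_for(subnet_id, route_tables):
    """Explicitly associated route table, else the VPC main route table."""
    main = None
    for rt in route_tables:
        for a in rt.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return rt
            if a.get("Main"):
                main = rt
    return main

def default_route(rt):
    return next((r for r in rt.get("Routes", [])
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def egress_allows(sg, port):
    """True if an egress rule permits TCP `port` to 0.0.0.0/0."""
    for p in sg.get("IpPermissionsEgress", []):
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", [])):
            continue
        if p["IpProtocol"] == "-1" or (
                p["IpProtocol"] == "tcp" and p["FromPort"] <= port <= p["ToPort"]):
            return True
    return False

def audit(nat, private_subnet, route_tables, sg):
    findings = []
    if nat["State"] != "available":                      # check 2
        findings.append("nat-state")
    priv_rt = table_for(private_subnet, route_tables)
    pub_rt = table_for(nat["SubnetId"], route_tables)
    route = default_route(priv_rt) if priv_rt else None
    if not route or route.get("NatGatewayId") != nat["NatGatewayId"]:   # check 4
        findings.append("no-default-route-to-nat")
    if priv_rt and pub_rt and priv_rt["RouteTableId"] == pub_rt["RouteTableId"]:
        findings.append("shared-route-table")            # note under check 4
    findings += [f"egress-{p}-blocked" for p in (80, 443) if not egress_allows(sg, p)]
    return findings                                      # check 7

# Constructed sample: healthy NAT gateway, but the security group only opens 443.
NAT = {"NatGatewayId": "nat-EXAMPLE", "SubnetId": "subnet-public", "State": "available"}
TABLES = [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
]
SG = {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
```

For the sample data, `audit(NAT, "subnet-private", TABLES, SG)` reports only the missing port 80 egress rule. Network ACL rules and DNS support are not evaluated here.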