Why can't my EC2 instance in a private subnet connect to the internet using a NAT gateway?

Last updated: 2021-08-17

I created a NAT gateway so that an Amazon Elastic Compute Cloud (Amazon EC2) instance in a private subnet can reach the internet over the HTTP or HTTPS ports. But my instance can't reach the internet. How do I fix this?

Resolution

Verify that the following conditions are met:

1.    The destination is reachable from outside your VPC. From a host that has a public IP address, ping the destination or, because many hosts drop ICMP, connect to the TCP port you need. This rules out a problem with the destination itself before you look at the VPC.

2.    The NAT gateway is in the Available state. If the NAT gateway is in the Failed state, see NAT gateway creation fails.

Note: A NAT gateway in the Failed state automatically deletes after about an hour.

3.    You created your NAT gateway in a public subnet, and the public route table has a default route pointing to an internet gateway.

4.    The private subnet's route table has a default route pointing to the NAT gateway.

Note: Make sure that you're not using the same route table for both the private and the public subnet. A route table holds only one default route (0.0.0.0/0), but the public subnet needs that route to point to the internet gateway while the private subnet needs it to point to the NAT gateway. If the two subnets share a table, one of the two paths can't exist, and traffic from the private instance isn't routed to the internet.

5.    The enableDnsSupport attribute is set to true in the VPC. For more information, see View and update DNS attributes for your VPC.

Note: With DNS support disabled, the instance can't resolve hostnames through the Amazon-provided DNS server, so a connection to a destination by name fails before any packet reaches the NAT gateway.

6.    Software firewalls on the instance (for example iptables or Windows Firewall) aren't blocking outbound HTTP or HTTPS, and a firewall on the destination host isn't blocking the inbound traffic. From the instance, check that the destination port is reachable with the following example command:

$ telnet PUBLIC_IP TCP_PORT

A connection that opens shows the path is clear. One that times out points to a filter or routing problem somewhere on the path, while one that is refused means the path works but nothing is listening on that port.

7.    The security group attached to the instance's elastic network interface allows outbound traffic to ports 80 (for HTTP traffic) and 443 (for HTTPS traffic). Security groups are stateful, so the replies to these outbound connections are allowed automatically and no inbound rule is needed for them. For more information, see Amazon EC2 security groups for Linux instances or Amazon EC2 security groups for Windows instances.

8.    Network ACLs are stateless, so both of the following must allow the outbound requests on ports 80 and 443 and the inbound replies on the ephemeral ports 1024-65535 (the NAT gateway uses source ports in that range), with the destination IP address 0.0.0.0/0 or the specific public IP address of the destination:

  • The network Access Control Lists (ACLs) associated with the private subnet where the instance is located.
  • The network ACLs associated with the public subnet where the NAT gateway is located.

For example, to allow your EC2 instances to access an HTTPS website at PUBLIC_IP, the network ACL associated with the NAT gateway subnet must have the rules below. The inbound rule on port 443 admits the instance's request arriving from the VPC, and the inbound rule on ports 1024-65535 admits the website's replies to the NAT gateway; the outbound rules cover the NAT gateway's request to the website and the replies it forwards back to the instance.

Inbound rules:

  Source      Protocol   Port Range    Allow / Deny
  VPC CIDR    TCP        443           ALLOW
  PUBLIC_IP   TCP        1024-65535    ALLOW

Outbound rules:

  Destination Protocol   Port Range    Allow / Deny
  PUBLIC_IP   TCP        443           ALLOW
  VPC CIDR    TCP        1024-65535    ALLOW

The network ACL of the private subnet needs the mirror image: outbound to PUBLIC_IP on TCP port 443 and inbound from PUBLIC_IP on TCP ports 1024-65535. For HTTP, add the same rules for port 80.

For more information on configuring network ACLs, see Work with network ACLs.

For more information on routing traffic in a VPC, see VPCs and subnets.
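The route table checks in steps 3 and 4 and the network ACL check in step 8 can be scripted against the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-network-acls` return. The Python below is an added example, not part of this article or of any AWS tool. It reproduces the VPC's route lookup (explicit subnet association, then the main table) and the network ACL's evaluation order (ascending rule number, first match wins, implicit deny) over constructed sample data: the subnet, route table and gateway IDs, the VPC CIDR and the addresses are made up, and the "broken" ACL is the NAT subnet ACL with its inbound ephemeral-port rule removed, which is the most common reason replies from the internet are dropped.

```python
"""Offline checks for steps 3, 4 and 8 of the NAT gateway troubleshooting procedure.

The functions take the shapes returned by `aws ec2 describe-route-tables` and
`aws ec2 describe-network-acls`. The sample data at the bottom is constructed
for this example; in a real run feed in the CLI output instead.
"""
import ipaddress

EPHEMERAL = (1024, 65535)  # source ports a NAT gateway uses for outbound connections


def route_table_for(subnet_id, route_tables):
    """Return the table explicitly associated with subnet_id, else the VPC's main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # 'blackhole' once the target is deleted
            continue
        return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def check_routing(private_subnet, public_subnet, route_tables):
    """Steps 3 and 4 plus the shared-table note. Returns findings; an empty list means OK."""
    findings = []
    priv = route_table_for(private_subnet, route_tables)
    pub = route_table_for(public_subnet, route_tables)
    if priv is None or pub is None:
        return ["no route table (not even a main table) found for one of the subnets"]
    if priv is pub:
        findings.append("private and public subnets share %s" % priv["RouteTableId"])
    target = default_route_target(priv) or ""
    if not target.startswith("nat-"):
        findings.append("private subnet default route goes to %r, not a NAT gateway" % target)
    target = default_route_target(pub) or ""
    if not target.startswith("igw-"):
        findings.append("public subnet default route goes to %r, not an internet gateway" % target)
    return findings


def nacl_allows(entries, egress, peer_ip, dest_port):
    """Evaluate ACL entries as the VPC does: ascending rule number, first match wins, else deny.
    peer_ip is the source for an inbound entry and the destination for an outbound one."""
    addr = ipaddress.ip_address(peer_ip)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress or entry["Protocol"] not in ("-1", "6"):
            continue  # only all-protocol and TCP entries matter for HTTP/HTTPS
        cidr = entry.get("CidrBlock")
        if cidr is None or addr not in ipaddress.ip_network(cidr):
            continue
        port_range = entry.get("PortRange")
        if port_range and not (port_range["From"] <= dest_port <= port_range["To"]):
            continue
        return entry["RuleAction"] == "allow"
    return False  # the implicit deny at the end of every network ACL


def https_flows_via_nat(instance_ip, public_ip):
    """The stateless flows an instance -> NAT gateway -> PUBLIC_IP HTTPS session crosses in the
    NAT subnet, as (egress, peer_ip, dest_port). Both ends of the ephemeral range are probed."""
    flows = [(False, instance_ip, 443), (True, public_ip, 443)]
    for port in EPHEMERAL:
        flows.append((False, public_ip, port))   # reply from the web server to the NAT gateway
        flows.append((True, instance_ip, port))  # reply forwarded back to the instance
    return flows


def check_nat_subnet_nacl(entries, instance_ip, public_ip):
    """Step 8 for the NAT gateway's subnet: return the flows the ACL would drop."""
    return [flow for flow in https_flows_via_nat(instance_ip, public_ip)
            if not nacl_allows(entries, *flow)]


# --- constructed sample data (hypothetical IDs and addresses, not from the article) ---
VPC_CIDR, INSTANCE_IP, WEB_IP = "10.0.0.0/16", "10.0.1.25", "198.51.100.10"
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0d4e5f", "State": "active"}]},
]


def _entry(num, egress, cidr, low, high, action="allow"):
    return {"RuleNumber": num, "Egress": egress, "Protocol": "6", "RuleAction": action,
            "CidrBlock": cidr, "PortRange": {"From": low, "To": high}}


NAT_SUBNET_ACL = [  # the rules from the article's table, plus the default catch-all denies
    _entry(100, False, VPC_CIDR, 443, 443),         # instance -> NAT gateway
    _entry(110, False, "0.0.0.0/0", 1024, 65535),   # replies from the internet
    _entry(100, True, "0.0.0.0/0", 443, 443),       # NAT gateway -> web server
    _entry(110, True, VPC_CIDR, 1024, 65535),       # replies back to the instance
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]
# The same ACL without the inbound ephemeral-port rule: requests leave, replies are dropped.
BROKEN_ACL = [e for e in NAT_SUBNET_ACL if not (e["RuleNumber"] == 110 and not e["Egress"])]

if __name__ == "__main__":
    print(check_routing("subnet-private", "subnet-public", ROUTE_TABLES))
    print(check_nat_subnet_nacl(NAT_SUBNET_ACL, INSTANCE_IP, WEB_IP))
    print(check_nat_subnet_nacl(BROKEN_ACL, INSTANCE_IP, WEB_IP))
```

To run this against a real VPC, replace `ROUTE_TABLES` with the `RouteTables` list from `aws ec2 describe-route-tables` and the ACL lists with the `Entries` of the ACL that `aws ec2 describe-network-acls` shows associated with each subnet. Probing both ends of the ephemeral range catches the frequent mistake of allowing only a narrow port range for replies, and evaluating rules in ascending order catches a low-numbered deny that shadows a later allow.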
