Why can't my EC2 instance in a private subnet connect to the internet using a NAT gateway?

Last updated: 2020-11-27

I created a NAT gateway to reach the internet from my Amazon Elastic Compute Cloud (Amazon EC2) instance in a private subnet, but my instance is not able to reach the internet. How do I fix this?

Resolution

Verify that the instances meet the following conditions:

1.    The destination is reachable: ping it from another source that has a public IP address.

2.    The NAT gateway is in the Available state. If the NAT gateway is in the Failed state, follow the troubleshooting steps at NAT gateway goes to a status of failed. Note: A NAT gateway in the Failed state automatically deletes after about an hour.

3.    You created your NAT gateway in a public subnet, and the public route table has a default route pointing to an internet gateway.

4.    The private subnet’s route table has a default route pointing to the NAT gateway. Note: Make sure that you’re not using the same route table for both the private and the public subnet. Using the same route table means that traffic isn't routed to the internet.

5.    The enableDnsSupport attribute is set to true in the VPC. For more information, see Viewing and updating DNS support for your VPC.

6.    No software firewalls block traffic over HTTP or HTTPS.

7.    The security group attached to the instance's Elastic Network Interface allows outbound traffic to ports 80 (for HTTP traffic) and 443 (for HTTPS traffic). For more information, see Amazon EC2 security groups for Linux instances or Amazon EC2 security groups for Windows instances.

8.    Both of the following have rules allowing inbound and outbound traffic on ports 80 and 443 using the destination IP address 0.0.0.0/0:

  • The network Access Control Lists (ACLs) associated with the private subnet where the instance is located.
  • The network ACLs associated with the public subnet where the NAT gateway is located.

For example, to allow your EC2 instances to access an HTTPS website, the network ACL associated with the NAT gateway subnet must have the rules below.

Inbound rules:

Source        Protocol   Port Range    Allow / Deny
VPC CIDR      TCP        443           ALLOW
Internet IP   TCP        1024-65535    ALLOW

Outbound rules:

Destination   Protocol   Port Range    Allow / Deny
Internet IP   TCP        443           ALLOW
VPC CIDR      TCP        1024-65535    ALLOW

For more information on configuring network ACLs, see Working with network ACLs.
For more information on routing traffic in a VPC, see VPCs and subnets.
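The following checker is an added example, not part of this article or of any AWS tooling. It evaluates the routing and network ACL conditions from the checklist above (NAT gateway state, the internet gateway route in the NAT gateway subnet, the NAT route in the private subnet, separate route tables, and the four HTTPS rows from the network ACL table) against data in the same shape that the boto3 describe_nat_gateways, describe_route_tables and describe_network_acls calls return. The sample VPC below is constructed for illustration; the IDs (nat-example, igw-example, rtb-public, subnet-private and so on) are placeholders, and the checker only considers explicit subnet associations, so a subnet that falls back to the main route table or the default network ACL is reported as having none.

```python
import ipaddress

# --- Constructed sample data in the boto3 describe_* output shape ---------
# All IDs below are placeholders, not values from a real account.
VPC_CIDR = "10.0.0.0/16"
INTERNET = "0.0.0.0/0"
PUBLIC_SUBNET, PRIVATE_SUBNET = "subnet-public", "subnet-private"

NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "State": "available",
                 "SubnetId": PUBLIC_SUBNET}]

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": PUBLIC_SUBNET}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": INTERNET, "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": PRIVATE_SUBNET}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": INTERNET, "NatGatewayId": "nat-example"}]},
]

def _tcp(rule, egress, cidr, low, high):
    # One TCP allow entry: Protocol "6" is TCP, Egress False is an inbound rule.
    return {"RuleNumber": rule, "Protocol": "6", "RuleAction": "allow",
            "Egress": egress, "CidrBlock": cidr, "PortRange": {"From": low, "To": high}}

def _deny_all(egress):
    # The final catch-all rule (32767) present in every network ACL.
    return {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
            "Egress": egress, "CidrBlock": INTERNET}

NETWORK_ACLS = [
    {"NetworkAclId": "acl-public", "Associations": [{"SubnetId": PUBLIC_SUBNET}],
     "Entries": [_tcp(100, False, VPC_CIDR, 443, 443),      # instances -> NAT gateway
                 _tcp(110, False, INTERNET, 1024, 65535),   # replies from the internet
                 _tcp(100, True, INTERNET, 443, 443),       # NAT gateway -> internet
                 _tcp(110, True, VPC_CIDR, 1024, 65535),    # replies back to instances
                 _deny_all(False), _deny_all(True)]},
    {"NetworkAclId": "acl-private", "Associations": [{"SubnetId": PRIVATE_SUBNET}],
     "Entries": [_tcp(100, True, INTERNET, 443, 443),
                 _tcp(100, False, INTERNET, 1024, 65535),
                 _deny_all(False), _deny_all(True)]},
]

# --- Checker -------------------------------------------------------------
def _for_subnet(items, subnet_id):
    """Return the route table or NACL explicitly associated with a subnet."""
    for item in items:
        if any(a.get("SubnetId") == subnet_id for a in item["Associations"]):
            return item
    return None

def _default_route(table):
    """Return the 0.0.0.0/0 route of a route table, or None."""
    return next((r for r in table["Routes"]
                 if r.get("DestinationCidrBlock") == INTERNET), None)

def nacl_allows(entries, egress, cidr, port):
    """Evaluate NACL entries in rule-number order; the first match decides."""
    net = ipaddress.ip_network(cidr)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", "6"):
            continue
        if not net.subnet_of(ipaddress.ip_network(e["CidrBlock"])):
            continue
        pr = e.get("PortRange")          # absent on all-traffic entries
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False

def check_nat_path(private_subnet, nat_gateways, route_tables, network_acls):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    private_rtb = _for_subnet(route_tables, private_subnet)
    route = _default_route(private_rtb) if private_rtb else None
    if not route or "NatGatewayId" not in route:            # condition 4
        return ["private subnet has no 0.0.0.0/0 route to a NAT gateway"]
    nat = next((n for n in nat_gateways
                if n["NatGatewayId"] == route["NatGatewayId"]), None)
    if nat is None:
        return ["route points at unknown NAT gateway " + route["NatGatewayId"]]
    if nat["State"] != "available":                          # condition 2
        findings.append("NAT gateway state is %s, not available" % nat["State"])
    public_rtb = _for_subnet(route_tables, nat["SubnetId"])
    public_route = _default_route(public_rtb) if public_rtb else None
    if not public_route or not public_route.get("GatewayId", "").startswith("igw-"):
        findings.append("NAT gateway subnet has no 0.0.0.0/0 route to an internet gateway")  # condition 3
    if public_rtb and public_rtb["RouteTableId"] == private_rtb["RouteTableId"]:
        findings.append("private and public subnets share one route table")    # condition 4 note
    # Condition 8: the four rows of the NAT gateway subnet's NACL table above.
    nat_acl = _for_subnet(network_acls, nat["SubnetId"])
    entries = nat_acl["Entries"] if nat_acl else []
    for egress, cidr, ports, label in [
            (False, VPC_CIDR, (443,), "inbound VPC CIDR tcp/443"),
            (False, INTERNET, (1024, 65535), "inbound internet tcp/1024-65535"),
            (True, INTERNET, (443,), "outbound internet tcp/443"),
            (True, VPC_CIDR, (1024, 65535), "outbound VPC CIDR tcp/1024-65535")]:
        if not all(nacl_allows(entries, egress, cidr, p) for p in ports):
            findings.append("NAT subnet NACL blocks " + label)
    return findings

if __name__ == "__main__":
    print(check_nat_path(PRIVATE_SUBNET, NAT_GATEWAYS, ROUTE_TABLES, NETWORK_ACLS) or "all checks passed")
```

To run it against a real account, replace the constructed lists with the `NatGateways`, `RouteTables` and `NetworkAcls` values returned by the corresponding boto3 calls; the checker evaluates NACL entries the way the VPC does (lowest rule number first, first match wins, with the final rule 32767 denying everything else), so removing any one of the four rows from the table reproduces the matching finding.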


Did this article help?


Do you need billing or technical support?