Why can't my EC2 instances access the internet using a NAT gateway?

Last updated: 2019-09-06

I created a network address translation (NAT) gateway to enable my Amazon Elastic Compute Cloud (Amazon EC2) instances to connect to the internet. However, I'm still unable to access the internet from my EC2 instances. Why can't my EC2 instances access the internet using a NAT gateway?

Resolution

Internet connectivity issues with NAT gateways are typically caused by subnet misconfigurations, missing routes, or network ACL rules that drop traffic in one direction. To troubleshoot issues connecting to the internet with your NAT gateway, verify the following:

  • The subnet where the NAT gateway was launched (a public subnet) is associated with a route table that has a default route (0.0.0.0/0) to an internet gateway.
  • The subnet where your EC2 instances were launched is associated with a route table that has a default route (0.0.0.0/0) to the NAT gateway. The instances must be in a different subnet from the NAT gateway; a default route to a NAT gateway in the gateway's own subnet does not provide internet access.
  • Outbound internet traffic is allowed in both the security groups and the network access control list (ACL) that is associated with your source instance. Security groups are stateful, so an outbound rule is enough for the return traffic. Network ACLs are stateless, so the network ACL associated with the instance subnet must also allow the inbound return traffic from the internet hosts on the ephemeral ports (1024-65535).
  • The network ACL associated with the subnet where the NAT gateway was launched allows inbound traffic from the EC2 instances and the internet hosts. Also verify that the network ACL allows outbound traffic to the internet hosts and to the EC2 instances. A NAT gateway uses source ports 1024-65535, so replies from the internet arrive on that range. For example, to allow your EC2 instances to access an HTTPS website, the network ACL associated with the NAT gateway subnet must have at least the following rules (network ACL rules are evaluated in rule-number order and the first match wins, so make sure no lower-numbered DENY rule matches this traffic first).

Inbound rules:

  Source                         Protocol   Port Range    Allow / Deny
  VPC CIDR                       TCP        443           ALLOW
  Internet IP (or 0.0.0.0/0)     TCP        1024-65535    ALLOW

Outbound rules:

  Destination                    Protocol   Port Range    Allow / Deny
  Internet IP (or 0.0.0.0/0)     TCP        443           ALLOW
  VPC CIDR                       TCP        1024-65535    ALLOW
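
The checklist above can be turned into a mechanical check. The following Python script is an added example, not part of the original article or of any AWS tooling: it evaluates route tables and network ACL entries shaped like the EC2 DescribeRouteTables and DescribeNetworkAcls responses and reports which checks fail for an instance -> NAT gateway -> HTTPS flow. All subnet IDs, gateway IDs, CIDRs, IP addresses and rule sets in it are constructed sample data (the broken variant deliberately omits the inbound 1024-65535 rule on the NAT gateway subnet, a common cause of this problem); replace the sample dictionaries with the output of `aws ec2 describe-route-tables` and `aws ec2 describe-network-acls` to run it against a real VPC.

```python
"""Encode the NAT gateway troubleshooting checklist as a checker over data shaped like
the EC2 DescribeRouteTables / DescribeNetworkAcls responses.
All IDs, CIDRs, addresses and rules below are constructed sample data, not from a real account."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"                         # constructed VPC CIDR
NAT_SUBNET, APP_SUBNET = "subnet-nat", "subnet-app"   # hypothetical subnet IDs
EPHEMERAL_PROBES = (1024, 40000, 65535)          # NAT gateway uses 1024-65535; probe both edges and the middle


def nacl_entry(num, egress, action, cidr, proto="6", ports=None):
    """Build one entry in the shape DescribeNetworkAcls returns (protocol 6 = TCP, -1 = all)."""
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action,
         "Protocol": proto, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# The implicit "*" rule of every network ACL, modelled as rule 32767 in each direction
DEFAULT_DENY = [nacl_entry(32767, False, "deny", "0.0.0.0/0", "-1"),
                nacl_entry(32767, True, "deny", "0.0.0.0/0", "-1")]


def nacl_permits(entries, egress, ip, port, proto="6"):
    """Stateless NACL evaluation: rules for the given direction are tried in ascending
    RuleNumber order and the first match wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(ip)
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", proto):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False


def default_route_target(routes):
    """Return the target of the active 0.0.0.0/0 route (igw-..., nat-..., ...) or None if missing."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId")
    return None


def check_https_path(route_tables, nacls, instance_ip, internet_ip):
    """Return the list of failed checks for instance -> NAT gateway -> internet:443 (empty list = OK)."""
    failures = []
    if not (default_route_target(route_tables[NAT_SUBNET]) or "").startswith("igw-"):
        failures.append("NAT subnet: default route must point at an internet gateway")
    if not (default_route_target(route_tables[APP_SUBNET]) or "").startswith("nat-"):
        failures.append("instance subnet: default route must point at the NAT gateway")
    nat_acl, app_acl = nacls[NAT_SUBNET], nacls[APP_SUBNET]
    # Forward path: instance -> NAT gateway subnet (inbound), NAT gateway -> internet (outbound)
    if not nacl_permits(nat_acl, False, instance_ip, 443):
        failures.append("NAT subnet NACL: inbound TCP 443 from VPC CIDR")
    if not nacl_permits(nat_acl, True, internet_ip, 443):
        failures.append("NAT subnet NACL: outbound TCP 443 to internet")
    # Return path: internet -> NAT gateway ephemeral port (inbound), NAT gateway -> instance (outbound)
    if not all(nacl_permits(nat_acl, False, internet_ip, p) for p in EPHEMERAL_PROBES):
        failures.append("NAT subnet NACL: inbound TCP 1024-65535 from internet")
    if not all(nacl_permits(nat_acl, True, instance_ip, p) for p in EPHEMERAL_PROBES):
        failures.append("NAT subnet NACL: outbound TCP 1024-65535 to VPC CIDR")
    # The instance subnet's NACL is stateless too: 443 out, replies on ephemeral ports back in
    if not nacl_permits(app_acl, True, internet_ip, 443):
        failures.append("instance subnet NACL: outbound TCP 443 to internet")
    if not all(nacl_permits(app_acl, False, internet_ip, p) for p in EPHEMERAL_PROBES):
        failures.append("instance subnet NACL: inbound TCP 1024-65535 from internet (return traffic)")
    return failures


# Constructed route tables, keyed by the subnet they are associated with
ROUTE_TABLES = {
    NAT_SUBNET: [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                 {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
    APP_SUBNET: [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                 {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
}
# NAT gateway subnet NACL with exactly the four rules from the tables above
NAT_ACL_OK = [nacl_entry(100, False, "allow", VPC_CIDR, ports=(443, 443)),
              nacl_entry(110, False, "allow", "0.0.0.0/0", ports=(1024, 65535)),
              nacl_entry(100, True, "allow", "0.0.0.0/0", ports=(443, 443)),
              nacl_entry(110, True, "allow", VPC_CIDR, ports=(1024, 65535))] + DEFAULT_DENY
# Common mistake: the inbound ephemeral rule is missing, so replies from the internet are dropped
NAT_ACL_BROKEN = [e for e in NAT_ACL_OK if not (e["RuleNumber"] == 110 and not e["Egress"])]
# Instance subnet NACL: HTTPS out, return traffic on ephemeral ports back in
APP_ACL_OK = [nacl_entry(100, True, "allow", "0.0.0.0/0", ports=(443, 443)),
              nacl_entry(100, False, "allow", "0.0.0.0/0", ports=(1024, 65535))] + DEFAULT_DENY


def run_demo(instance_ip="10.0.1.10", internet_ip="198.51.100.7"):
    """Run the checker against the correct and the broken NAT subnet NACL (constructed addresses)."""
    good = check_https_path(ROUTE_TABLES, {NAT_SUBNET: NAT_ACL_OK, APP_SUBNET: APP_ACL_OK}, instance_ip, internet_ip)
    bad = check_https_path(ROUTE_TABLES, {NAT_SUBNET: NAT_ACL_BROKEN, APP_SUBNET: APP_ACL_OK}, instance_ip, internet_ip)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("correct setup:", good or "all checks pass")
    print("missing inbound ephemeral rule:", bad)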
