Why can't my Amazon EC2 instance in a private subnet connect to the internet using a NAT gateway?


I created a NAT gateway to reach the internet from my Amazon Elastic Compute Cloud (Amazon EC2) instance. My instance uses HTTP or HTTPS ports in a private subnet, but isn't able to reach the internet.

Resolution

Verify that the instances meet the following conditions:

1.    The destination is reachable. Confirm this by pinging the destination from another source that has a public IP address.

2.    The NAT gateway is in the Available state. If the NAT gateway is in the Failed state, then see NAT gateway creation fails.

Note: A NAT gateway in the Failed state automatically deletes after about an hour.

3.    You created your NAT gateway in a public subnet, and the public route table has a default route pointing to an internet gateway.

4.    The private subnet's route table has a default route pointing to the NAT gateway.

Important: Make sure that you're not using the same route table for both the private and the public subnet. Using the same route table means that traffic isn't routed to the internet.

5.    The enableDnsSupport attribute is set to true in the VPC. For more information, see View and update DNS attributes for your VPC.

Note: Turn on DNS to prevent DNS resolution failure.

6.    Firewalls aren't blocking traffic over ports 80 (for HTTP traffic) and 443 (for HTTPS traffic). Make sure that you check for a firewall blocking traffic on the destination host. You can use the following example command to check for firewalls:

$ telnet PUBLIC_IP TCP_PORT

7.    The security group attached to the instance's elastic network interface allows outbound traffic to ports 80 and 443. For more information, see Amazon EC2 security groups for Linux instances or Amazon EC2 security groups for Windows instances.

8.    The following network ACLs have rules that allow inbound and outbound traffic on ports 80 and 443 for the destination IP address range 0.0.0.0/0:

  • The network Access Control List (ACL) associated with the private subnet where the instance is located.
  • The network ACL associated with the public subnet where the NAT gateway is located.

To allow your Amazon EC2 instances to access an HTTPS website, the network ACL associated with the NAT gateway subnet must have the following rules:

Inbound rules

Source       Protocol   Port Range    Allow / Deny
VPC CIDR     TCP        443           ALLOW
PUBLIC_IP    TCP        1024-65535    ALLOW

Outbound rules

Destination  Protocol   Port Range    Allow / Deny
PUBLIC_IP    TCP        443           ALLOW
VPC CIDR     TCP        1024-65535    ALLOW

For more information on configuring network ACLs, see Work with network ACLs.
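The routing conditions in steps 2 through 4 (NAT gateway available, public subnet routed to an internet gateway, private subnet routed to the NAT gateway, and the two subnets not sharing one route table) can be checked mechanically. The following is an added example, not part of the original article or any AWS tool; it works on data in the shape returned by describe-nat-gateways and describe-route-tables, and the sample data, subnet IDs and gateway IDs are constructed.

```python
def default_route_target(route_table):
    """Return the target of the table's active 0.0.0.0/0 route (igw-..., nat-..., or None)."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def find_route_table(route_tables, subnet_id):
    """Route table explicitly associated with subnet_id, falling back to the VPC main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main

def check_nat_path(nat_gateways, route_tables, private_subnet_id):
    """Return findings for checklist conditions 2-4; an empty list means they hold."""
    findings = []
    private_rt = find_route_table(route_tables, private_subnet_id)
    nat_id = default_route_target(private_rt) if private_rt else None
    if not (nat_id and nat_id.startswith("nat-")):
        # Also the symptom of one route table shared by both subnets: the private
        # subnet then follows the igw- route and instances without public IPs fail.
        return ["private subnet default route does not point to a NAT gateway"]
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == nat_id), None)
    if nat is None:
        return [f"{nat_id} not found among the VPC's NAT gateways"]
    if nat["State"] != "available":
        findings.append(f"{nat_id} is in state {nat['State']}, not available")
    public_rt = find_route_table(route_tables, nat["SubnetId"])
    if public_rt is private_rt:
        findings.append("private and public subnets share one route table")
    igw_id = default_route_target(public_rt) if public_rt else None
    if not (igw_id and igw_id.startswith("igw-")):
        findings.append("NAT gateway subnet default route does not point to an internet gateway")
    return findings

# Constructed sample (not real account data): a correctly wired VPC.
NAT_GATEWAYS = [{"NatGatewayId": "nat-0aaa", "SubnetId": "subnet-pub", "State": "available"}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
]

if __name__ == "__main__":
    print(check_nat_path(NAT_GATEWAYS, ROUTE_TABLES, "subnet-priv") or "conditions 2-4 hold")
```

To run it against a real account, feed it the NatGateways and RouteTables lists from the corresponding AWS CLI or boto3 calls filtered to the VPC in question.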


Related information

NAT gateways

Configure route tables

AWS OFFICIAL. Updated 2 years ago.