Why can't my Amazon EC2 instance in a private subnet connect to the internet using a NAT gateway?
Last updated: 2022-05-12
I created a NAT gateway to reach the internet from my Amazon Elastic Compute Cloud (Amazon EC2) instance. My instance uses HTTP or HTTPS ports in a private subnet, but isn't able to reach the internet. How do I fix this?
Verify that the instances meet the following conditions:
1. The destination is reachable by pinging the destination from another source using a public IP address.
2. The NAT gateway is in the Available state. If the NAT gateway is in the Failed state, then see NAT gateway creation fails.
Note: A NAT gateway in the Failed state automatically deletes after about an hour.
4. The private subnet's route table has a default route pointing to the NAT gateway.
Important: Make sure that you're not using the same route table for both the private and the public subnet. Using the same route table means that traffic isn't routed to the internet.
5. The enableDnsSupport attribute is set to true in the VPC. For more information, see View and update DNS attributes for your VPC.
Note: Turn on DNS to prevent DNS resolution failure.
6. Firewalls aren't blocking traffic over ports 80 (for HTTP traffic) and 443 (for HTTPS traffic). Make sure that you check for a firewall blocking traffic on the destination host. You can use the following example command to check for firewalls:
$ telnet PUBLIC_IP TCP_PORT
7. The security group attached to the instance's elastic network interface allows outbound traffic to ports 80 and 443. For more information, see Amazon EC2 security groups for Linux instances or Amazon EC2 security groups for Windows instances.
8. The following examples have rules allowing inbound and outbound traffic on ports 80 and 443 using the destination IP address 0.0.0.0/0:
- The network Access Control Lists (ACLs) associated with the private subnet where the instance is located.
- The network ACLs associated with the public subnet where the NAT Gateway is located.
To allow your Amazon EC2 instances to access an HTTPS website, the network ACL associated with the NAT gateway subnet must have the following rules:
|Source||Protocol||Port Range||Allow / Deny|
|Destination||Protocol||Port Range||Allow / Deny|
For more information on configuring network ACLs, see Work with network ACLs.