I want to create a network address translation (NAT) instance in a public subnet of my Amazon Virtual Private Cloud (VPC) to enable instances in the VPC private subnet to initiate outbound traffic to the Internet or other AWS services. How can I create a NAT instance in a public subnet of my VPC for this purpose?

A NAT instance can be configured to filter traffic as described at How to Add DNS Filtering to Your NAT Instance with Squid, deployed with a Jump Server, or used for port forwarding and traffic prioritization with methods available on most modern operating systems.

Because NAT instances are not managed by AWS, you are responsible for maintaining software and security updates, managing instance failures, and ensuring that inbound traffic is controlled with security groups. Customers can deploy AWS software that is not managed by AWS, but responsibility for the proper maintenance and management of the software then becomes a mutual endeavor as described in the AWS Shared Responsibility Model.

For common use cases, we recommend that you use a NAT gateway instead of a NAT instance. For more information about using a NAT gateway see Migrating From a NAT Instance in the Amazon Virtual Private Cloud User Guide.

  1. In the Amazon EC2 console, select the latest Amazon VPC NAT AMI or your custom NAT AMI.
  2. Choose Launch.
  3. Unless traffic is minimal, choose an instance type with enhanced networking, such as c4.large.
  4. Choose Configure Instance Details.
  5. Choose a Public Subnet (with IGW) in your VPC. Check each subnet in VPC Console Subnets if you are unsure. For a public subnet, the Route Table tab will specify a Destination similar to the following: igw-abcd1234.
  6. Choose Review and Launch.
  7. Choose Edit security groups and adjust for your inbound access requirements.
  8. Choose Launch and choose your key pair to complete the Launch Instance wizard.
  9. From EC2 Console Instances, right-click your instance; under Networking, choose Change Source/Destination Check, and then choose Disabled.
  10. From VPC Console Route Tables find each private route table.
    a) Choose the Route tab. A private route table will have a destination similar to eni-abcd1234 / i-098765abcdef12345.
    b) Choose Edit, and for the "" route, change the target to your new NAT Instance.
    c) Choose Save.
  11. Connect to an instance in a Private Subnet and verify that the instance on the private subnet is able to complete outbound internet requests.
  12. (Optional) Connect to the NAT instance and install OS-level tools and tuning options; for example:
         sudo yum install conntrack-tools

After installation is complete, you could run the following commands from the Linux shell to set the number of connections that should be monitored for purposes of optimizing the performance of the NAT instance:

cat <<EOF | sudo tee /etc/sysctl.d/custom_nat_tuning.conf

# for large instance types, allow keeping track of more

# connections (requires enough RAM)



sudo sysctl -p /etc/sysctl.d/custom_nat_tuning.conf

Amazon VPC, install NAT instance, DNS filtering, Jump server, port forwarding, network traffic prioritization, NAT gateway

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-05-06