How to connect a private subnet to internet without NAT nor EIP on AWS?

In our current VPC we are using an ASG and an ALB. We have some public subnets and some private subnets. We would like to be able to connect, from time to time, those private subnets to pull some patches from the internet.

It is my understanding that the NAT Gateway requires an EIP. The EIP does not seem to be able to play with the ASG, since it expects an instance/IP. Not sure if the ASG is able to link an EC2 instance (which can be terminated) to the EIP.

What changes shall I make to allow those private subnets to access the internet, considering my constraints?

Changing the ALB for an ELB is not an option!

This is really an AWS question rather than anything specifically to do with Terraform, so the documentation and discussion groups they host might be the best option.

Having said that, yes a NAT gateway would have a public IP address associated to allow access from the private subnet to the Internet. An ALB in the public subnet would also have a public IP address to allow access from the Internet.

The fact you are using an ASG has nothing to do with this (unless you are trying to associate an EIP directly with an EC2 instance, but you are talking about NAT & ALBs). You would set up a NAT gateway (or ideally multiple, spread over different AZs for HA) to connect the private subnet to the Internet, an internet gateway in the public subnet and an ALB in the public subnet. You’d then have an ASG that creates multiple EC2 instances as required, with access inwards via the ALB and outwards via the NAT gateway.

You have many options, listed below from easiest to most difficult to implement:

  1. NAT Gateway
  2. NAT Instance
  3. Squid Egress Proxy in Public Subnet
  4. Squid Egress Proxy in another VPC with PrivateLink endpoints

A NAT Gateway is the easiest to set up and is made even simpler by using the AWS VPC Terraform registry module below.

https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]       # ASG instances live here
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] # ALB and NAT gateway(s) live here

  # Creates the NAT gateway(s) with their own EIPs and wires the private
  # route tables to them; no EIP is ever attached to an ASG instance.
  enable_nat_gateway = true

  tags = {
    Terraform = "true"
    Environment = "dev"
  }
}
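To make the point about where the EIP actually lives explicit, here is the same wiring the module performs, written out as raw resources. This is an added example, not code from the thread or from the module; it assumes an existing VPC, one public and one private subnet, and an internet gateway already attached to the VPC, all passed in as variables (`vpc_id`, `public_subnet_id`, `private_subnet_id`, `igw_id` are assumed names).

```hcl
# Added example (not from the thread): the resources behind enable_nat_gateway.
# Assumed inputs: an existing VPC, one public and one private subnet, and an
# internet gateway already attached to that VPC.
variable "vpc_id"            { type = string }
variable "public_subnet_id"  { type = string }
variable "private_subnet_id" { type = string }
variable "igw_id"            { type = string }

# The EIP is owned by the NAT gateway, never by an ASG instance. Instances in
# the private subnet keep only private addresses, so this path gives them
# outbound access (patches) without exposing anything inbound.
resource "aws_eip" "nat" {
  domain = "vpc"
}

# The NAT gateway sits in the PUBLIC subnet so its own traffic can reach the IGW.
resource "aws_nat_gateway" "egress" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id
}

# Private route table: default route goes to the NAT gateway.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# Public route table: default route straight to the internet gateway. The ALB
# and the NAT gateway itself use this one.
resource "aws_route_table" "public" {
  vpc_id = var.vpc_id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = var.public_subnet_id
  route_table_id = aws_route_table.public.id
}
```

For HA, repeat the EIP, NAT gateway and private route table once per AZ so a single AZ failure does not cut off egress for every private subnet.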