Ref: https://learn.cantrill.io/courses/1820301/lectures/41301357 and https://learn.cantrill.io/courses/1820301/lectures/41301358

DEMO: https://learn.cantrill.io/courses/1820301/lectures/42262547

• Summary
• Contents:

Common Scenario: Software Updates for Private EC2 Instances

• 💡 Private EC2 instances = instances deployed in a VPC → by default isolated from the internet
• What if instances must get a latest patch from the internet? → Possible solutions:
  1. Make the subnet public so instances can connect to public internet and fetch updates
     • 👎 Problem: often not a desired architecture → multi-tiered architectures have private and public subnets for important security reasons
  2. Host update servers in EC2 instances inside the VPC
     • 👎 Problem: has extra admin overhead
       • Manually download patches from the internet, then upload them to the update servers…
  3. Usually BEST solution: use Network Address Translation (NAT) in a public subnet of the VPC
     • Can deploy a customer-managed EC2 instance that performs NAT in the public subnet → NAT instance
     • Can deploy an AWS-managed NAT Gateway (NATGW) in the public subnet

Refresher: What is NAT (Network Address Translation)?

• Def = a set of processes that remap SRC or DST IP addresses of packets
• ❗Only relevant for IPv4! IPv6 doesn't use NAT!
• Types depending on private IP ↔ public IP relationship:
  1. Static NAT: 1-to-1 relationship (used by IGW)
  2. Dynamic NAT: many-to-few relationship
  3. Port Address Translation (PAT): many-to-1 relationship (used by NATGW)
• PAT = IP masquerading
  • = hiding (private) CIDR blocks behind one (public) IP
  • popular because it addresses IPv4 shortages
  • = process of giving a resource outgoing-only access to the public internet/AWS public zone
    • Possible for private hosts to initiate connections with internet hosts by sending requests, internet hosts can then send responses
    • Internet hosts can not initiate connections with private hosts (incoming access doesn't work)
• ‼️ Most people think of PAT/IP masquerading when hearing NAT. But correctly speaking, PAT is only a subset of NAT!
  • For the rest of this lesson we will consider NAT and PAT it as synonyms
• NAT in AWS can be achieved with
  • Customer-managed EC2 instances that perform NAT (NAT instances)
  • AWS-managed NAT Gateways (NATGWs)

NAT Architecture in VPC

Diagram: https://github.com/acantril/aws-dev-associate/blob/main/09-VPCBasics/00_LearningAids/NATArchitecture.png

• 💡 NB: We will show and mention NATGW in this section, but the NATGW could be replaced with a NAT instance, and all would stay the same.