AWS VPC – Understanding Public and Private Subnets in VPC

amazon-vpcamazon-web-servicesiptables

IANA established certain blocks of IP as private IP range(shown below)

    10.0.0.0 – 10.255.255.255   (255.0.0.0)
    172.16.0.0 – 172.31.255.255  (255.255.0.0)
    192.168.0.0 – 192.168.255.255  (255.255.255.0)

Public IP addresses will be issued by an Internet Service Provider and will have number ranges from 1 to 191 in the first octet, with the exception of the private address ranges that start at 10.0.0 for Class A private networks and 172.16.0 for the Class B private addresses.

To subnet a VPC into one private subnet and one public subnet per zone (as shown below):

Application server sits in private subnet.

NAT gateway and bastion server sits in public subnet

1) Do I need to use private IP range(only) for two private subnets?

2) Do I need to use public IP range(only) for two public subnets?

Best Answer

The whole VPC has one large private address block, e.g. 10.20.0.0/16 and your subnets have slices of this block, e.g.

public-az1 and public-az2 will have 10.20.0.0/24 and 10.20.1.0/24
private-az1 and private-az2 will have 10.20.2/24 and 10.20.3.0/24

In addition the EC2 instances in the public subnets can have a Public IP or Elastic IP assigned as well. These are allocated one by one by AWS and assigned to the individual instances as requested.

Update: refer to my other answer for details: NAT gateway for ec2 instances

Generally you will have 2 kinds of subnets in a VPC:

Public subnet
- has IGW and optionally NAT
- 0.0.0.0/0 there points to the IGW
- hosts (EC2 instances) get their primary private IPs from the VPC range (10.20.0.0/16), but also ...
- hosts must have public IP or elastic IP attached as they go directly to the internet
- hosts can be contacted from the internet on this public/elastic IP (if Security Group permits)
Private subnet
- has no IGW or NAT
- the 0.0.0.0/0 points to the NAT in the public subnet above
- hosts only have private IP from the VPC range and all outbound access is "masked" to the NAT gateway IP
- hosts can initiate connections to the internet but can't be contacted from outside as they are "hidden" behind the NAT (Network Address Translation gateway).
- without NAT configured hosts won't have internet access

Hope that clarifies it :)

Step 1: Enable IP Forwarding (Bastion Host)

SSH to the bastion host and at the prompt, execute the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2: Modify IP Tables (Bastion Host)

SSH to the bastion host and at the prompt, execute the following commands:

sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport {PUBLIC_SSH_PORT} -j DNAT --to-destination {PRIVATE_IP_ADDRESS}:22
sudo iptables -t nat -A POSTROUTING -p tcp -m tcp --dport {PUBLIC_SSH_PORT} -j MASQUERADE

where:

{PUBLIC_SSH_PORT} is the port on the bastion host you plan to connect through
{PRIVATE_IP_ADDRESS} is the address of the server in the private subnet you plan to connect to

For more detailed information on what these configurations mean, you can run the following commands at the command prompt to view the man pages:

man iptables
man iptables-extensions

Step 3: Configure Security Groups (Amazon AWS Console)

Login to your Amazon AWS console and navigate to the Security Groups dashboard. Edit the security group assigned to your bastion host and add:

Custom TCP Rule to allow inbound and outbound connections on {PUBLIC_SSH_PORT} from whatever IP address you will be connecting from
Custom TCP Rule to allow inbound and outbound connections for All Traffic to/from the security group of the private server (type in the security group ID in the Custom IP field) - you could restrict this to just SSH traffic but if you have other services and servers running that you need to access, this is the simplest configuration

Edit the security group assigned to your private server and add:

Custom TCP Rule to allow inbound and outbound connections for All Traffic to/from the security group of the bastion host (type in the security group ID in the Custom IP field) - you could restrict this to just SSH traffic but if you have other services and servers running that you need to access, this is the simplest configuration

Step 4: Disable Source/Destination check (Amazon AWS Console)

Login to your Amazon AWS console and navigate to the Instances dashboard. Click on the bastion host that you just configured to forward connections. Disable source/destination checks from the action menu. This is the only device for which source/destination checks need to be disabled.

Step 5: Make Configurations Persistent (Across Server Restarts)

Modify the /etc/sysctl.conf file, and update the following line (change 0 to 1):

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the iptables configuration (to /etc/sysconfig/iptables) so it will be reloaded on boot:

sudo service iptables save

And finally, make sure that iptables itself starts up on boot:

sudo chkconfig iptables on

NOTE: You don't need to setup and configure a separate Amazon NAT instance to gain SSH access to private servers. The NAT instance is ideal if you plan to manage Internet access for various devices you may have within your private subnet.

Best Answer

Related Solutions

AWS VPC – why have a private subnet at all

Ssh – VPC SSH port forward into private subnet

Step 1: Enable IP Forwarding (Bastion Host)

Step 2: Modify IP Tables (Bastion Host)

Step 3: Configure Security Groups (Amazon AWS Console)

Step 4: Disable Source/Destination check (Amazon AWS Console)

Step 5: Make Configurations Persistent (Across Server Restarts)

Related Topic