As the Federal Government looks to adopt cloud services from Amazon Web Services, many agencies are looking to AWS GovCloud to be that provider because services have been accredited by the FedRAMP program. While this is a far better pill to swallow for security programs, it’s somewhat more of a headache for most developers and network engineers. Many of the key services available to users of AWS are just not available in GovCloud for inexplicable, undocumented and unexplained reasons. One such example is a lack of a NAT Gateway service in their VPC service (Virtual Private Cloud). While all the other services are available, the lack of a NAT Gateway can make a network engineer’s job a little more difficult when trying to lock down virtual private clouds from attack while also allowing machines to reach back to the internet for necessary security updates.
Don’t fret! Setting up a NAT Gateway is not a particularly difficult task if you’re aware of a few gotchas along the way.
I’m going to assume you have set up your VPC and have created a public and a private subnet within it. While you will probably use Network ACLs to restrict your private subnet to ports for things like SSH, HTTP, and HTTPS, it’s very important that you open up your public subnet to a range of ephemeral ports that the NAT Gateway will use (in this case 1025-5000). The NAT gateway uses these ports to hold the sessions of the virtual machines in our internal network. Lastly, you’ll want to attach an Internet Gateway to your public subnet.
Step 1) Setting up the Routing Rules for your public network
Let’s set up some quick routing rules for our VPC’s public network. You’ll want to establish open routes for the VPC and be able to connect to the internet gateway. Generally, it should look like this:
Step 2) Creating your NAT Gateway Server
Next, it’s time to jump over to EC2 and launch a virtual machine. For my network, I set up an Ubuntu server on a micro instance. I chose this because it is low cost and it will allow me to scale up when I need to; scaling too large and having to cut back will just create far more work in the long run. As you build your instance, you’ll want to ensure your Ubuntu server has the following attributes before launching:
- An Elastic IP
- Assigned within your public network
- Protected against accidental termination
- Security group rules locked down to allow only SSH and your ephemeral ports
Once you’ve spun up your instance, disable Source/Destination check on the instance.
Step 3) Setting up Routing Rules for your private network
Routing rules for your internal network are going to look fairly similar to your public network; however, instead of the open destination (0.0.0.0/0) pointing at your IGW, you’re going to type in the instance ID of the server you just spun up. This will route all internet-bound traffic from your private network through your NAT Gateway.
Step 4) Configuring the NAT Gateway Server
Time to get out of the AWS Console and into PuTTY. After SSHing into your virtual machine, you’ll want to confirm you have public internet access. This can be done by running the following command:
Next, we will want to configure iptables to do our IP masquerading, and make it persist across reboots by dropping the commands into an if-pre-up.d script. Copy, paste, and you’re done!
echo '#!/bin/sh
# enable IPv4 forwarding and masquerade traffic coming from the private subnet (10.11.0.0/16 here)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.11.0.0/16 -j MASQUERADE
' | sudo tee /etc/network/if-pre-up.d/nat-setup
sudo chmod +x /etc/network/if-pre-up.d/nat-setup
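A slightly hardened version of those rules, as an added example rather than the post’s own script: it validates the private CIDR before using it, ties the MASQUERADE rule to the outbound interface, and sets a default-deny FORWARD policy so the instance only forwards flows that originate inside the private subnet and their replies. The interface name eth0 is an assumption; check yours with `ip addr`.

```shell
#!/bin/sh
# Added example for the NAT instance described above (not from the original post).
# Assumptions: private subnet 10.11.0.0/16 as in the post, single interface eth0.

# validate_cidr CIDR: return 0 if CIDR is a well-formed IPv4 prefix, else 1.
validate_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}; bits=${1#*/}
  [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# nat_rules CIDR [IFACE]: print the commands that turn this host into a NAT
# gateway for CIDR. Unlike a bare MASQUERADE rule, FORWARD defaults to DROP and
# only passes new flows from the private subnet plus the return traffic.
nat_rules() {
  validate_cidr "$1" || { echo "nat_rules: bad CIDR: $1" >&2; return 1; }
  cidr=$1; iface=${2:-eth0}
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $cidr -o $iface -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $cidr -o $iface -j ACCEPT
EOF
}

# install_nat_script CIDR IFACE PATH: write the generated commands to PATH
# (for example /etc/network/if-pre-up.d/nat-setup) as an executable script.
install_nat_script() {
  { echo '#!/bin/sh'; nat_rules "$1" "$2"; } > "$3" && chmod +x "$3"
}
```

Run `nat_rules 10.11.0.0/16 eth0` first to review the commands, then `sudo sh -c '. ./nat.sh; install_nat_script 10.11.0.0/16 eth0 /etc/network/if-pre-up.d/nat-setup'` to persist them.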
Congrats! You now have a fully functional NAT Gateway in AWS GovCloud!
One thought to “Creating a NAT Gateway in AWS GovCloud”
As of March 19th, 2018, AWS supports NAT Gateways on GovCloud https://aws.amazon.com/about-aws/whats-new/2018/03/introducing-amazon-vpc-nat-gateway-in-the-aws-govcloud-us-region/