
Connecting private subnets to the internet

To connect an IPv4 private subnet to the internet, we can use a NAT gateway. The NAT gateway lives in a public subnet and allows outgoing connections from the instances in the private subnet to pass to the internet; it is stateful, so the replies to those connections are let back in, but connections initiated from the internet towards the private instances are never accepted. It is used when we require the instances in the private subnet to access the internet without being reachable from it.

This allows us to access external services even from the private network, such as the following:

  • Retrieve operating system and application updates and patches
  • Communicate with external services, such as payment gateways and processing tools
  • Synchronize time with an external NTP service
  • Access external DNS and other services

A NAT gateway has the following features:

  • Supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps
  • Supports up to 55,000 simultaneous TCP, UDP, and ICMP connections to each unique destination; beyond that, new connections to that destination fail until existing ones close
  • Can associate exactly one Elastic IP address with a NAT gateway – once created, it cannot be disassociated
  • Cannot associate a security group with a NAT gateway, but access can be controlled at the instance level with security groups and at the subnet level with network ACLs
  • A NAT gateway has an automatically assigned private IP in your subnet that can be viewed in the AWS management console

If the performance of a single NAT gateway is not satisfactory, we can create multiple NAT gateways. The usual pattern is one NAT gateway per Availability Zone, with the private route table of each zone pointing at the gateway in the same zone; this spreads the load and also means that the failure of one zone does not take away the egress path of the others.

In case we are using an IPv6 environment, we will need to use an egress-only internet gateway. The egress-only gateway has all the characteristics of an internet gateway, the only difference being that it is stateful in the same way as a NAT gateway: it lets connections initiated from our private subnet out and their replies back in, but blocks all incoming connections to the IPv6 address space that we assign to our private subnet. Since IPv6 addresses are globally unique, no address translation is needed, and we are thus able to achieve the same kind of operation as we would with an IPv4 NAT gateway without all the limitations that come with the NAT gateway.

There are also scenarios where the NAT gateway or the egress-only gateway are not the right solution. This would happen in cases where we require a single instance to handle greater volumes of IPv4 traffic, or where we need to retain control over the IPv4 or IPv6 traffic being passed to the internet. In certain situations, allowing all traffic to the internet via a NAT gateway or egress-only gateway is not permitted, or would not be compliant with certain rules. In this kind of scenario, we can spin up our own NAT instance with our own custom software running on it. We are also able to do additional traffic shaping and security checks with our own NAT instances, especially when they have some kind of packet inspection and firewalling software installed. Two things are required for such an instance to work: the source/destination check on its network interface must be disabled, since it forwards packets that are not addressed to itself, and the private subnet's route table must point the default route at the instance's network interface rather than at a NAT gateway. To control IPv6 traffic, our instance will be using routing instead of NAT and will control the flow of the traffic on the firewall level.
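As an added example (this is not code from the book), the following Python script uses the boto3 EC2 client to wire up the three egress paths discussed above: the default IPv4 route to a NAT gateway, the default IPv6 route to an egress-only internet gateway, and, for the self-managed case in the last paragraph, the default IPv4 route to a NAT instance with its source/destination check turned off. Before adding a NAT route it refuses to touch a route table that already sends 0.0.0.0/0 to an internet gateway, because that table belongs to a public subnet. The boto3 calls and their parameters are real; the resource IDs (`subnet-0pub`, `rtb-0priv`, and so on) and the `FakeEC2` client are constructed so the script runs offline, and against a real account you would pass `boto3.client("ec2")` instead.

```python
"""Wire a private subnet's default routes to a NAT gateway (IPv4), an
egress-only internet gateway (IPv6) or a NAT instance (IPv4). Added example;
resource IDs and FakeEC2 are constructed stand-ins, not real AWS resources."""

IPV4_DEFAULT = "0.0.0.0/0"
IPV6_DEFAULT = "::/0"


def assert_private(ec2, route_table_id):
    """A table that already routes 0.0.0.0/0 to an internet gateway belongs to
    a public subnet; adding a NAT route there would only mask that mistake."""
    table = ec2.describe_route_tables(RouteTableIds=[route_table_id])["RouteTables"][0]
    for route in table.get("Routes", []):
        gateway = route.get("GatewayId") or ""
        if route.get("DestinationCidrBlock") == IPV4_DEFAULT and gateway.startswith("igw-"):
            raise ValueError(f"{route_table_id} routes {IPV4_DEFAULT} to {gateway}: public subnet")


def attach_nat_gateway(ec2, public_subnet_id, private_rtb_id):
    """NAT gateway in the public subnet, one Elastic IP, default route from the private table."""
    assert_private(ec2, private_rtb_id)
    eip = ec2.allocate_address(Domain="vpc")
    ngw = ec2.create_nat_gateway(SubnetId=public_subnet_id,
                                 AllocationId=eip["AllocationId"],
                                 ConnectivityType="public")
    ngw_id = ngw["NatGateway"]["NatGatewayId"]
    # The route is useless until the gateway reaches the 'available' state.
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[ngw_id])
    ec2.create_route(RouteTableId=private_rtb_id, DestinationCidrBlock=IPV4_DEFAULT,
                     NatGatewayId=ngw_id)
    return ngw_id


def attach_egress_only_igw(ec2, vpc_id, private_rtb_id):
    """IPv6 needs no translation: route ::/0 to an egress-only internet gateway."""
    eigw = ec2.create_egress_only_internet_gateway(VpcId=vpc_id)
    eigw_id = eigw["EgressOnlyInternetGateway"]["EgressOnlyInternetGatewayId"]
    ec2.create_route(RouteTableId=private_rtb_id, DestinationIpv6CidrBlock=IPV6_DEFAULT,
                     EgressOnlyInternetGatewayId=eigw_id)
    return eigw_id


def attach_nat_instance(ec2, instance_id, eni_id, private_rtb_id):
    """Self-managed NAT: the instance forwards packets not addressed to itself,
    so EC2's source/destination check must be off or they are silently dropped."""
    assert_private(ec2, private_rtb_id)
    ec2.modify_instance_attribute(InstanceId=instance_id, SourceDestCheck={"Value": False})
    ec2.create_route(RouteTableId=private_rtb_id, DestinationCidrBlock=IPV4_DEFAULT,
                     NetworkInterfaceId=eni_id)
    return eni_id


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2'): records every call and
    returns canned IDs so the wiring above can be exercised without an account."""

    def __init__(self, existing_routes=()):
        self.calls = []
        self.routes = list(existing_routes)

    def _log(self, name, **kw):
        self.calls.append((name, kw))

    def describe_route_tables(self, **kw):
        self._log("describe_route_tables", **kw)
        return {"RouteTables": [{"RouteTableId": kw["RouteTableIds"][0], "Routes": self.routes}]}

    def allocate_address(self, **kw):
        self._log("allocate_address", **kw)
        return {"AllocationId": "eipalloc-0fake"}

    def create_nat_gateway(self, **kw):
        self._log("create_nat_gateway", **kw)
        return {"NatGateway": {"NatGatewayId": "nat-0fake"}}

    def get_waiter(self, name):
        self._log("get_waiter", Name=name)
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def create_egress_only_internet_gateway(self, **kw):
        self._log("create_egress_only_internet_gateway", **kw)
        return {"EgressOnlyInternetGateway": {"EgressOnlyInternetGatewayId": "eigw-0fake"}}

    def modify_instance_attribute(self, **kw):
        self._log("modify_instance_attribute", **kw)
        return {}

    def create_route(self, **kw):
        self._log("create_route", **kw)
        self.routes.append(kw)
        return {"Return": True}


if __name__ == "__main__":
    ec2 = FakeEC2()  # replace with boto3.client("ec2") for a real VPC
    attach_nat_gateway(ec2, "subnet-0pub", "rtb-0priv")
    attach_egress_only_igw(ec2, "vpc-0fake", "rtb-0priv")
    for route in ec2.routes:
        print(route)
```

Running it against the fake client prints the two default routes it would create; against a real client the same calls create the resources, and the waiter blocks until the NAT gateway is usable. The guard in `assert_private` is the check worth keeping in any automation: a NAT route added to a public subnet's table is a configuration error, not an egress path.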
