
Connecting private subnets to the internet

To connect an IPv4 private subnet to the internet, we can use a NAT gateway. The NAT gateway passes all outgoing traffic from the private subnet to the internet (and lets the replies to those connections come back), and is used when we require the instances in the private subnet to reach the internet.

This allows us to access external services even from the private network, such as the following:

  • Retrieve operating system and application updates and patches
  • Communicate with external services, such as payment gateways and processing tools
  • Synchronize time with an external NTP service
  • Access external DNS and other services

A NAT gateway has the following features:

  • Supports 5 GBps of bandwidth and automatically scales up to 45 GBps
  • Supports up to 55,000 simultaneous TCP, UDP, and ICMP connections to each unique destination
  • Can associate exactly one Elastic IP address with a NAT gateway – once created, it cannot be dissociated
  • Cannot associate a security group with a NAT gateway, but access can be controlled at the instance level with security groups
  • A NAT gateway has an automatically assigned private IP in your subnet that can be viewed in the AWS management console

If the performance of a single NAT gateway is not satisfactory, we can create multiple NAT gateways.

If we are using an IPv6 environment, we need to use an egress-only internet gateway instead. The egress-only internet gateway has all the characteristics of an internet gateway, with one difference: it blocks all incoming traffic to the IPv6 address space that we assign to our private subnet. We are thus able to achieve the same kind of operation as we would with an IPv4 NAT gateway, without the limitations that come with the NAT gateway.

There are also scenarios where neither the NAT gateway nor the egress-only internet gateway is the right solution. This happens when we require a single instance to handle greater volumes of IPv4 traffic, or when we need to retain control over the IPv4 or IPv6 traffic being passed to the internet. In certain situations, allowing all traffic out to the internet via a NAT gateway or egress-only gateway is not permitted, or would not be compliant with certain rules. In this kind of scenario, we can spin up our own NAT instance running our own custom software. We are also able to do additional traffic shaping and security checks with our own NAT instances, especially when they have some kind of packet inspection and firewalling software installed on them. To control IPv6 traffic, our instance uses routing instead of NAT and controls the flow of the traffic at the firewall level.
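The three egress designs above (NAT gateway for IPv4, egress-only internet gateway for IPv6, and a self-managed NAT instance) all come down to what the private subnet's default routes point at. The following audit script is an added example, not code from the book or from AWS: it takes JSON in the field layout that `aws ec2 describe-route-tables` returns (`Routes[].NatGatewayId`, `EgressOnlyInternetGatewayId`, `GatewayId`, `InstanceId`, `State`, and `Associations[].SubnetId`) and flags private subnets whose default route goes to an internet gateway, which would make them reachable from the internet, as well as routes left in the `blackhole` state after their target was deleted. The route table and subnet identifiers, and the set of subnets treated as private, are constructed sample values.

```python
"""Audit VPC route tables for private-subnet egress paths.

Added example, not code from the book: given JSON in the shape returned by
`aws ec2 describe-route-tables`, report private subnets whose default route
would expose them to inbound internet traffic (an internet gateway instead of
a NAT gateway for IPv4, or instead of an egress-only internet gateway for
IPv6), note self-managed NAT instances for review, and report blackhole
routes. All IDs are constructed sample values.
"""
import json

DEFAULT_V4 = "0.0.0.0/0"
DEFAULT_V6 = "::/0"

# Constructed sample, trimmed to the fields the audit uses.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-private-ok",
   "Associations": [{"SubnetId": "subnet-app-a"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example1", "State": "active"},
     {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0example1", "State": "active"}]},
  {"RouteTableId": "rtb-private-v6-leak",
   "Associations": [{"SubnetId": "subnet-app-b"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example1", "State": "active"},
     {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example1", "State": "active"}]},
  {"RouteTableId": "rtb-private-blackhole",
   "Associations": [{"SubnetId": "subnet-app-c"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0deleted", "State": "blackhole"}]},
  {"RouteTableId": "rtb-public",
   "Associations": [{"SubnetId": "subnet-web-a"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example1", "State": "active"}]}
]}
""")

# Constructed: subnets the operator intends to be private.
PRIVATE_SUBNETS = {"subnet-app-a", "subnet-app-b", "subnet-app-c"}


def route_target(route):
    """Map AWS's per-target-type fields onto a (kind, id) pair."""
    if route.get("NatGatewayId"):
        return "nat-gateway", route["NatGatewayId"]
    if route.get("EgressOnlyInternetGatewayId"):
        return "egress-only-igw", route["EgressOnlyInternetGatewayId"]
    if route.get("InstanceId"):  # self-managed NAT instance
        return "nat-instance", route["InstanceId"]
    gw = route.get("GatewayId", "")
    if gw == "local":
        return "local", gw
    if gw.startswith("igw-"):
        return "internet-gateway", gw
    return "other", gw or route.get("NetworkInterfaceId", "?")


def audit_route_table(rt, expect_private):
    """Return findings for one route table; an empty list means no issue."""
    findings = []
    defaults = {}  # destination prefix -> (kind, id) for the default routes
    for r in rt.get("Routes", []):
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if r.get("State") == "blackhole":
            findings.append(f"route to {dest} is a blackhole; egress via it fails until the target is recreated")
            continue
        if dest in (DEFAULT_V4, DEFAULT_V6):
            defaults[dest] = route_target(r)
    if not expect_private:
        return findings  # public subnets are expected to route via an internet gateway
    v4 = defaults.get(DEFAULT_V4)
    v6 = defaults.get(DEFAULT_V6)
    if v4 and v4[0] == "internet-gateway":
        findings.append(f"IPv4 default route via {v4[1]} makes the subnet public; use a NAT gateway")
    if v6 and v6[0] == "internet-gateway":
        findings.append(f"IPv6 default route via {v6[1]} admits inbound traffic; use an egress-only internet gateway")
    for prefix, tgt in defaults.items():
        if tgt[0] == "nat-instance":
            findings.append(f"{prefix} default route via NAT instance {tgt[1]}; confirm source/destination check is off and its firewall policy is reviewed")
    return findings


def audit_vpc(doc, private_subnets):
    """Audit every route table; returns {RouteTableId: [findings]}."""
    report = {}
    for rt in doc["RouteTables"]:
        subnets = {a.get("SubnetId") for a in rt.get("Associations", [])}
        report[rt["RouteTableId"]] = audit_route_table(rt, bool(subnets & private_subnets))
    return report


if __name__ == "__main__":
    for rt_id, findings in audit_vpc(SAMPLE, PRIVATE_SUBNETS).items():
        print(rt_id, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against real data by replacing `SAMPLE` with the parsed output of `aws ec2 describe-route-tables` and `PRIVATE_SUBNETS` with the subnets you intend to keep private. The audit only classifies a table as private when one of its associated subnets is in that set, since a route via an internet gateway is exactly what a public subnet should have; the NAT instance case is reported for review rather than as an error, because whether it is acceptable depends on the firewall policy running on it.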
