> For the complete documentation index, see [llms.txt](https://ghoulsec.gitbook.io/ghoulsec-vault/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ghoulsec.gitbook.io/ghoulsec-vault/cyber-security-base/cloud-security/amazon-web-services-aws/aws-nat-gateway.md).

# AWS NAT Gateway

<figure><img src="/files/PojP0MafuW14F8N2Gr0W" alt=""><figcaption><p>AWS NAT Gateway : Block Diagram</p></figcaption></figure>

***

**1. Create a VPC (if not already created)**

* **Action**: Go to the AWS VPC dashboard and create a new VPC if one is not already available. Specify the CIDR block (e.g., `12.0.0.0/16`).

**2. Create Subnets**

* **Action**: Create at least two subnets within the VPC:
  * **Public Subnet** (for NAT Gateway and resources that need internet access)
  * **Private Subnet** (for resources like EC2 instances that need outbound internet access via NAT)
* Choose appropriate availability zones for fault tolerance.

**3. Set Up Internet Gateway (for Public Subnet)**

* **Action**: Create an **Internet Gateway** (IGW) and attach it to the VPC. This will enable internet access for resources in the public subnet (like the NAT Gateway).

**4. Create Route Tables**

* **Action**:
  * Create a **route table** for the **public subnet**. Add a route with destination `0.0.0.0/0` pointing to the Internet Gateway (IGW).
  * Create a **route table** for the **private subnet**. Add a route with destination `0.0.0.0/0` pointing to the NAT Gateway (which will be created in the next steps).
* **Association**: Associate the public subnet route table to the public subnet and the private subnet route table to the private subnet.

**5. Launch a NAT Gateway**

* **Action**:
  * In the **public subnet**, launch a **NAT Gateway**. You will need to allocate an **Elastic IP (EIP)** for the NAT Gateway.
  * Ensure that the NAT Gateway has the correct route to access the internet via the Internet Gateway.

**6. Update Private Subnet's Route Table**

* **Action**:
  * Edit the **route table** for the private subnet to route all outbound internet traffic (`0.0.0.0/0`) to the newly created NAT Gateway.
  * Ensure that the NAT Gateway is associated with the public subnet.

**7. Launch a Private EC2 Instance**

* **Action**: Launch an EC2 instance in the **private subnet**. Ensure that it doesn’t have a public IP address, as it will access the internet through the NAT Gateway.

**8. Security Group Configuration**

* **Action**:
  * Ensure that the EC2 instances (both public and private) have the correct **security group** settings.
  * For example, allow inbound traffic on port 22 (SSH) or port 80/443 (HTTP/HTTPS) as needed. You may also need to set up **outbound traffic** to ensure communication with the NAT Gateway.

**9. Test Connectivity**

* **Action**:
  * SSH into the EC2 instance in the **public subnet** (which has internet access).
  * From there, try to **SSH into the private EC2 instance** using its private IP address.
  * Alternatively, you can use a **bastion host** (an EC2 instance in the public subnet) to SSH into the private instance.
  * Test that the private EC2 instance can access the internet via the NAT Gateway (e.g., by pinging an external server or running `curl` to an external website).

**10. Set Up Logging and Monitoring**

* **Action**:
  * Enable **VPC Flow Logs** for both private and public subnets to capture the traffic flow data.
  * Set up **CloudWatch metrics and alarms** for the NAT Gateway to monitor its usage and performance.

**11. Cleanup (if testing/temporary setup)**

* **Action**: If this setup was for testing purposes, remember to clean up your resources:
  * Terminate the EC2 instances.
  * Release the Elastic IP.
  * Delete the NAT Gateway and Internet Gateway.
  * Remove route tables and subnets if no longer needed.

***

#### **Summary of Key Components**

* **VPC**: Contains your networking environment.
* **Public Subnet**: Houses the NAT Gateway, which provides internet access.
* **Private Subnet**: Houses your EC2 instance that uses the NAT Gateway for internet access.
* **NAT Gateway**: Provides internet access to private subnet instances without exposing them directly to the internet.
* **Route Tables**: Direct traffic from private subnet instances to the NAT Gateway.

***

Here we have sucessfully configured the NAT gateway on the AWS - VPC


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ghoulsec.gitbook.io/ghoulsec-vault/cyber-security-base/cloud-security/amazon-web-services-aws/aws-nat-gateway.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.