Lab Information
The Nautilus DevOps team is tasked with enabling internet access for an EC2 instance running in a private subnet. This instance should be able to upload a test file to a public S3 bucket once it can access the internet. To minimize costs, the team has decided to use a NAT Instance instead of a NAT Gateway.
The following components already exist in the environment:
1) A VPC named nautilus-priv-vpc and a private subnet named nautilus-priv-subnet have been created.
2) An EC2 instance named nautilus-priv-ec2 is already running in the private subnet.
3) The EC2 instance is configured with a cron job that uploads a test file to the S3 bucket nautilus-nat-28334 every minute. The upload will only succeed once internet access is established.
Your task is to:
Create a new public subnet named nautilus-pub-subnet in the existing VPC.
Launch a NAT Instance in the public subnet using an Amazon Linux 2 AMI and name it nautilus-nat-instance. Configure this instance to act as a NAT instance. Make sure to use a custom security group for this instance.
After the configuration, verify that the test file nautilus-test.txt appears in the S3 bucket nautilus-nat-28334. This indicates successful internet access from the private EC2 instance via the NAT Instance.
Lab Solutions
🔹 STEP 1: Create a Public Subnet
Go to VPC → Subnets → Create subnet
Configure:
VPC: nautilus-priv-vpc
Subnet name: nautilus-pub-subnet
AZ: any Availability Zone in the VPC's region
IPv4 CIDR: a block inside the VPC CIDR that does NOT overlap nautilus-priv-subnet (e.g. 10.1.2.0/24 if the VPC is 10.1.0.0/16)
Create subnet
Enable public IP auto-assign
Select nautilus-pub-subnet
Actions → Edit subnet settings
Enable:
✅ Auto-assign public IPv4 address
Save
🔹 STEP 2: Ensure Internet Gateway Exists
Go to VPC → Internet Gateways
If none exists:
Create one (e.g. nautilus-igw)
Attach it to nautilus-priv-vpc
🔹 STEP 3: Create Route Table for Public Subnet
Go to VPC → Route Tables → Create route table
Configure:
Name: nautilus-pub-rt
VPC: nautilus-priv-vpc
Create
Add route to Internet
Edit routes → Add:
Destination: 0.0.0.0/0
Target: Internet Gateway → the IGW attached to nautilus-priv-vpc (e.g. nautilus-igw)
Associate with public subnet
Subnet associations → Edit
Select nautilus-pub-subnet
Save
🔹 STEP 4: Create Security Group for NAT Instance
EC2 → Security Groups → Create
Configure:
Name: nautilus-nat-sg
VPC: nautilus-priv-vpc
Inbound rules
Type: All traffic, Source: the private subnet CIDR (e.g. 10.1.1.0/24; the VPC CIDR 10.1.0.0/16 also works but is broader than needed). This is the traffic the NAT forwards, so nothing outside the VPC should match it.
Type: SSH (TCP 22), Source: My IP. This rule is only needed for step 7; do not open port 22 to 0.0.0.0/0 on an internet-facing instance. If you use EC2 Instance Connect from the console, you can drop this rule afterwards.
Outbound rules: leave the default (all traffic to 0.0.0.0/0); the NAT cannot forward anything if egress is restricted.
Create SG.
🔹 STEP 5: Launch NAT Instance
EC2 → Launch instance
Configure:
Basic
Name: nautilus-nat-instance
AMI: Amazon Linux 2
Instance type: t2.micro
Network
VPC: nautilus-priv-vpc
Subnet: nautilus-pub-subnet
Auto-assign public IP: Enabled
Security group: nautilus-nat-sg
Launch instance
🔹 STEP 6: Disable Source/Destination Check (CRITICAL)
Select nautilus-nat-instance
Actions → Networking → Change source/destination check
Disable it
Save
⚠️ If you skip this step, NAT will not work: with the check enabled, the instance's network interface drops every packet whose source or destination is not its own address, which is exactly the traffic a NAT forwards on behalf of the private subnet.
🔹 STEP 7: Enable IP Forwarding on NAT Instance
Connect to the NAT instance (via SSH or EC2 Instance Connect) and run:
# Enable IPv4 forwarding for the running kernel ...
sudo sysctl -w net.ipv4.ip_forward=1
# ... and make it persistent across reboots
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
# Masquerade (source-NAT) everything leaving the public interface with the NAT instance's own address.
# eth0 is the interface name on Amazon Linux 2 t2 instances; confirm with `ip route` if your AMI or instance type differs.
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Persist the rule: install iptables-services, save the RUNNING ruleset first (so the service loads
# your MASQUERADE rule rather than the package's stock /etc/sysconfig/iptables), then enable and start it.
sudo yum install -y iptables-services
sudo service iptables save
sudo systemctl enable iptables
sudo systemctl start iptables
sudo systemctl status iptables
# Sanity check: the rule should be listed under POSTROUTING
sudo iptables -t nat -L POSTROUTING -n -v
🔹 STEP 8: Update Private Subnet Route Table
Go to VPC → Route Tables
Select the route table associated with nautilus-priv-subnet (if the subnet has no explicit association, this is the VPC's main route table)
Edit routes → Add:
Destination: 0.0.0.0/0
Target: Instance → nautilus-nat-instance (selected by its instance ID)
Save.
🧪 VERIFICATION (FINAL & IMPORTANT)
Wait 1–2 minutes (the cron job runs every minute), then list the bucket from your workstation or CloudShell:
aws s3 ls s3://nautilus-nat-28334
nautilus-test.txt should be listed. If it still is not there after a few minutes, re-check in this order: the source/destination check is disabled (step 6), the private route table has 0.0.0.0/0 pointing at the instance (step 8), the security group allows traffic from the private subnet CIDR (step 4), and ip_forward plus the MASQUERADE rule are active on the NAT instance (step 7).
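The eight console steps above, plus the verification, as one AWS CLI script. This is an added example, not the lab's own solution; it assumes AWS CLI v2 with credentials for the lab account, the resource names from the task, the latest Amazon Linux 2 AMI looked up from the public SSM parameter, and that 10.1.2.0/24 fits your VPC without overlapping the private subnet (set PUB_SUBNET_CIDR otherwise). It departs from the walkthrough in one deliberate way: step 7 is done through cloud-init user data at launch, so the NAT security group never needs an SSH rule. Nothing is created unless NAUTILUS_APPLY=1 is set, so the functions can be sourced and inspected safely.

```shell
#!/usr/bin/env bash
# Added example for the nautilus NAT-instance lab (not from the original page).
# Assumes AWS CLI v2 with credentials for the lab account and the resource names below.
set -eu

VPC_NAME=nautilus-priv-vpc
PRIV_SUBNET_NAME=nautilus-priv-subnet
PUB_SUBNET_NAME=nautilus-pub-subnet
PUB_SUBNET_CIDR=${PUB_SUBNET_CIDR:-10.1.2.0/24}   # assumption: fits the VPC, no overlap
NAT_NAME=nautilus-nat-instance
SG_NAME=nautilus-nat-sg
BUCKET=nautilus-nat-28334
TEST_KEY=nautilus-test.txt

# Cloud-init user data that turns a stock Amazon Linux 2 host into a NAT (step 7):
# IP forwarding plus MASQUERADE on eth0, persisted with iptables-services.
# Saving before the first start keeps the package's stock ruleset from loading.
nat_user_data() {
  cat <<'EOF'
#!/bin/bash
set -e
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/90-nat.conf
yum install -y iptables-services
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
systemctl enable --now iptables
EOF
}

# Name-tag lookup: by_name <vpcs|subnets> <Name> <JMESPath>; prints "None" if not found.
by_name() { aws ec2 "describe-$1" --filters "Name=tag:Name,Values=$2" --query "$3" --output text; }

main() {
  local vpc priv_sub priv_cidr pub_sub igw pub_rt sg ami nat priv_rt attempt
  vpc=$(by_name vpcs "$VPC_NAME" 'Vpcs[0].VpcId')
  priv_sub=$(by_name subnets "$PRIV_SUBNET_NAME" 'Subnets[0].SubnetId')
  priv_cidr=$(aws ec2 describe-subnets --subnet-ids "$priv_sub" --query 'Subnets[0].CidrBlock' --output text)

  # Step 1: public subnet with auto-assigned public IPv4
  pub_sub=$(aws ec2 create-subnet --vpc-id "$vpc" --cidr-block "$PUB_SUBNET_CIDR" \
    --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=$PUB_SUBNET_NAME}]" \
    --query 'Subnet.SubnetId' --output text)
  aws ec2 modify-subnet-attribute --subnet-id "$pub_sub" --map-public-ip-on-launch

  # Step 2: reuse an IGW already attached to the VPC, otherwise create and attach one
  igw=$(aws ec2 describe-internet-gateways --filters "Name=attachment.vpc-id,Values=$vpc" \
    --query 'InternetGateways[0].InternetGatewayId' --output text)
  if [ "$igw" = "None" ]; then
    igw=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
    aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"
  fi

  # Step 3: public route table, default route to the IGW, associate the public subnet
  pub_rt=$(aws ec2 create-route-table --vpc-id "$vpc" \
    --tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=nautilus-pub-rt}]" \
    --query 'RouteTable.RouteTableId' --output text)
  aws ec2 create-route --route-table-id "$pub_rt" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw" >/dev/null
  aws ec2 associate-route-table --route-table-id "$pub_rt" --subnet-id "$pub_sub" >/dev/null

  # Step 4: custom SG; only the private subnet may send traffic through the NAT (no SSH rule needed)
  sg=$(aws ec2 create-security-group --group-name "$SG_NAME" --description "nautilus NAT instance" \
    --vpc-id "$vpc" --query 'GroupId' --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol all --cidr "$priv_cidr" >/dev/null

  # Steps 5-7: latest Amazon Linux 2 AMI via the public SSM parameter; user data does the NAT setup
  ami=$(aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 \
    --query 'Parameters[0].Value' --output text)
  nat=$(aws ec2 run-instances --image-id "$ami" --instance-type t2.micro --subnet-id "$pub_sub" \
    --security-group-ids "$sg" --associate-public-ip-address --user-data "$(nat_user_data)" \
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=$NAT_NAME}]" \
    --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$nat"
  # Step 6: without this the ENI drops packets whose src/dst is not its own address
  aws ec2 modify-instance-attribute --instance-id "$nat" --no-source-dest-check

  # Step 8: default route of the private subnet's table -> NAT instance (main table if no explicit association)
  priv_rt=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$priv_sub" \
    --query 'RouteTables[0].RouteTableId' --output text)
  if [ "$priv_rt" = "None" ]; then
    priv_rt=$(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$vpc" "Name=association.main,Values=true" \
      --query 'RouteTables[0].RouteTableId' --output text)
  fi
  aws ec2 create-route --route-table-id "$priv_rt" --destination-cidr-block 0.0.0.0/0 --instance-id "$nat" >/dev/null \
    || aws ec2 replace-route --route-table-id "$priv_rt" --destination-cidr-block 0.0.0.0/0 --instance-id "$nat"

  # Verification: the cron job runs every minute; poll for the object for up to five minutes
  for attempt in $(seq 1 10); do
    if aws s3api head-object --bucket "$BUCKET" --key "$TEST_KEY" >/dev/null 2>&1; then
      echo "OK: s3://$BUCKET/$TEST_KEY exists after $attempt poll(s); NAT path works"; return 0
    fi
    sleep 30
  done
  echo "Upload not seen; re-check source/dest check, the private route table and the NAT rules" >&2
  return 1
}

# Only touch AWS when explicitly asked, so the file can be sourced for inspection.
if [ "${NAUTILUS_APPLY:-0}" = 1 ]; then main; fi
```

Run it with NAUTILUS_APPLY=1 ./nautilus-nat.sh. The user-data approach is preferred over the SSH walkthrough because the NAT host then has no inbound rule from the internet at all; if you still want a shell on it, use EC2 Instance Connect or Session Manager rather than adding port 22.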