
Get Connected With Amazon VPC Gateways

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the use cases for internet gateways.
  • Explain the use cases for network address translation (NAT) gateways.
  • Differentiate between public and private subnets.

In the last unit, you learned that a new VPC is isolated and only has access to local resources. When you place a resource, such as an EC2 instance, inside a subnet in your new VPC, it can be protected from being exposed to the internet by default. 

However, for websites like your cat photo application, you want users to view the cat photos on your site over the internet.

Create an Internet Gateway

To enable internet connectivity for your VPC, you need to create an internet gateway. Think of this gateway as similar to a modem. Just as a modem connects your computer to the internet, the internet gateway connects your VPC to the internet. Unlike your modem at home, which sometimes goes down or offline, an internet gateway is highly available and scalable. 

After you create an internet gateway, you then need to attach it to your VPC. But that doesn’t mean all of the resources inside your VPC have internet access right away. The VPC doesn’t know how to send traffic to the internet gateway. 

Remember that the route tables for your VPC and subnets determine how your VPC sends traffic. That means you have to configure the route table of the subnet the cat photo application resides in to send traffic to the internet gateway.

A route table that allows local traffic and traffic to and from the internet gateway (destination 0.0.0.0/0, target starting with igw-).

A subnet with a route to an internet gateway is referred to as a public subnet, and this route table is referred to as a public route table. This configuration connects your subnet to the internet through the internet gateway (target starting with igw-). However, it also exposes your EC2 instances to the internet, which may lead to security vulnerabilities.

This configuration makes it easy for you to receive and send communication. However, it also means that you can potentially get unwanted communication from unknown senders.

A public route table associated to a public subnet. An internet gateway attached to the VPC. Traffic can flow from the EC2 instance to the internet gateway.

Understand NAT Gateways

You may have private resources, such as a database, that you don’t want users from the internet to access. However, you may need those private resources to have outbound communication to the internet to perform actions such as pulling down patches from the internet.

How do you securely give outbound access to the internet, without allowing internet users to initiate contact in return?

You need a network address translation (NAT) gateway. NAT gateways reside in public subnets. Once you create a NAT gateway, you can configure the resources inside your subnet to use it by adding a route to the route table.

Example of a route table that allows local traffic and traffic to and from the NAT gateway, with a target starting with nat-.

Notice that this configuration doesn’t include the internet gateway (target starting with igw-). Instead, it allows resources to route traffic to the NAT gateway (target starting with nat-). This lack of a direct route to the internet is why this configuration is typically referred to as a private route table. It’s also what drives the name for a private subnet, which is a subnet that is associated with a private route table.

Put It All Together

VPC with two public and two private subnets. A public route table is associated with the public subnets and a private route table is associated with the private subnets. There is also an internet gateway and a NAT gateway.

In this configuration, the resources that need internet connectivity have routes either directly to the internet gateway or to the NAT gateway. This association of route tables determines whether a subnet is public or private. Notice that for the NAT gateway to be able to talk to the internet, the gateway is deployed in the public subnet that has a route to the internet gateway.
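The public/private distinction above comes entirely from the 0.0.0.0/0 route's target, so it can be audited mechanically. The following is an added example, not part of the Trailhead module: it classifies subnets from route-table records shaped like `describe-route-tables` output and flags any NAT gateway that is not sitting in a public subnet. All IDs, CIDRs and records are constructed sample data.

```python
# Added example: classify subnets from their route tables and check NAT placement.
# ROUTE_TABLES / NAT_GATEWAYS mirror the shape of the EC2 API responses but are
# constructed sample data, not output from a real account.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0def", "SubnetId": "subnet-pub-a"}]


def route_target(route):
    """Return the target ID of a route, whichever key the API used for it."""
    for key in ("GatewayId", "NatGatewayId", "TransitGatewayId", "NetworkInterfaceId"):
        if key in route:
            return route[key]
    return None


def classify_subnets(route_tables):
    """Map each explicitly associated subnet to 'public', 'private' or 'isolated'."""
    result = {}
    for table in route_tables:
        defaults = [route_target(r) for r in table["Routes"]
                    if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if any(t and t.startswith("igw-") for t in defaults):
            kind = "public"      # default route goes straight to the internet gateway
        elif any(t and t.startswith("nat-") for t in defaults):
            kind = "private"     # outbound only, via the NAT gateway
        else:
            kind = "isolated"    # local routes only, like the VPC's default table
        for assoc in table["Associations"]:
            if "SubnetId" in assoc:      # subnets using the main table are not listed
                result[assoc["SubnetId"]] = kind
    return result


def misplaced_nat_gateways(route_tables, nat_gateways):
    """NAT gateways outside a public subnet have no path to the internet gateway."""
    kinds = classify_subnets(route_tables)
    return [n["NatGatewayId"] for n in nat_gateways
            if kinds.get(n["SubnetId"]) != "public"]
```

Subnets with no explicit association fall back to the main route table and are not listed in the result; treat them as isolated unless the main table has been given a default route.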

Wrap Up

To recap, you have learned how to use three route table configurations.

  • The default route table, created along with your VPC, which allows local traffic only.
  • A public route table, which allows connectivity from your resources to the internet, and vice versa, using an internet gateway.
  • A private route table, which allows connectivity from your resources to the internet using a NAT gateway, but does not allow the internet to connect to your resources.

In the next unit, you learn how to secure your network and the resources inside of your network, like your cat photo application!

Resources