Why can't I access the internet from my private subnet on an AWS VPC?


I used the VPC setup wizard to create a type #2 VPC (public and private subnet). I created a jump box in the public subnet and a server in the private subnet. I can SSH into the jump box and from there into the server running on the private subnet. However, once I'm on the server on the private subnet, I can't get to the internet or run yum. What am I missing? Everything I'm reading says I should be done and able to start accessing the internet from the private subnet without doing anything special to routing tables.


There are 2 answers

E.J. Brennan (best answer)

There could be a lot of reasons, because of various configuration errors, but the most common problem is when you neglect to add an Internet gateway to your VPC.

By default, instances that you launch into a virtual private cloud (VPC) can't communicate with the Internet. You can enable access to the Internet from your VPC by attaching an Internet gateway to the VPC, ensuring that your instances have a public IP address, creating a custom route table, and updating your security group rules.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

Paul J

Did you perhaps create a new Security Group for the "private server" during launch?

If so, you would have found that, by default, the Security Group for your NAT EC2 instance (created by the Wizard) wouldn't have allowed traffic from the "private server security group" (initially, the NAT instance Security Group only allows inbound traffic from the NAT instance Security Group).

To allow the "private server" to access the internet, one would need to explicitly add the "private server security group" to the NAT Instance Security Group's Inbound rules.

For example:

Private Server 1 EC2 Instance

  • VPC = "MyVPCID"
  • Security Group = "private server security group"

NAT EC2 Instance

  • VPC = "MyVPCID"
  • Security Group = "default"
    • Inbound: All from "default" <-- there by default
    • Inbound: All from "private server security group" <-- add this rule

You should of course also make sure that you have:

  • an internet gateway in the route table used by the subnet used by the NAT instance (should have been created by the Wizard)
  • a route to the NAT instance in the route table used by the subnet used by the "private server" (should have been created by the Wizard)
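Both answers boil down to a short checklist: the NAT instance's subnet must default-route to an Internet gateway, the private subnet must default-route to the NAT instance, and the NAT instance's security group must accept traffic from the private server's group. The following is an added example, not code from either answer or from AWS: an offline checker that encodes those three conditions (plus the NAT instance's source/destination check, which EC2 also requires to be disabled for a NAT instance to forward traffic) over a hand-built model of the wizard's layout. Every ID, CIDR and name in it (`subnet-public`, `i-nat`, `sg-private-server`, `wizard_layout`, and so on) is constructed for illustration; the dict keys mirror a subset of what `aws ec2 describe-route-tables` returns, but nothing here calls AWS.

```python
# Added example, not from the original answers: an offline checker for the
# conditions a NAT-instance VPC layout must satisfy. The data below is a
# simplified, constructed model of what `aws ec2 describe-route-tables`,
# `describe-security-groups` and `describe-instances` return; all IDs and
# CIDRs are made up.
from dataclasses import dataclass, field


@dataclass
class Instance:
    instance_id: str
    subnet_id: str
    security_groups: list            # group IDs attached to the instance
    source_dest_check: bool = True   # EC2 default; must be False on a NAT instance


@dataclass
class RouteTable:
    subnet_ids: list   # subnets explicitly associated with this table
    routes: list       # dicts shaped like the CLI's "Routes" entries


@dataclass
class SecurityGroup:
    group_id: str
    # Group IDs allowed inbound (simplified to "all traffic" rules, which is
    # what the wizard's default group carries).
    inbound_from_groups: set = field(default_factory=set)


def route_table_for(subnet_id, route_tables):
    """Return the table explicitly associated with subnet_id, or None."""
    return next((t for t in route_tables if subnet_id in t.subnet_ids), None)


def default_route(table):
    """Return the 0.0.0.0/0 route of a table, or None if there is no table or no such route."""
    if table is None:
        return None
    return next((r for r in table.routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def diagnose(private, nat, route_tables, security_groups):
    """List the misconfigurations that stop `private` reaching the Internet via `nat`."""
    problems = []

    # (1) The NAT instance's subnet must default-route to an Internet gateway.
    r = default_route(route_table_for(nat.subnet_id, route_tables))
    if r is None or not r.get("GatewayId", "").startswith("igw-"):
        problems.append("public subnet has no 0.0.0.0/0 route to an Internet gateway")

    # (2) The private subnet must default-route to the NAT instance itself.
    r = default_route(route_table_for(private.subnet_id, route_tables))
    if r is None or r.get("InstanceId") != nat.instance_id:
        problems.append("private subnet has no 0.0.0.0/0 route to the NAT instance")

    # (3) A security group on the NAT instance must allow inbound traffic from
    #     a group the private server carries (Paul J's point).
    by_id = {sg.group_id: sg for sg in security_groups}
    allowed = set()
    for gid in nat.security_groups:
        allowed |= by_id[gid].inbound_from_groups
    if not allowed & set(private.security_groups):
        problems.append("NAT security group does not allow inbound from the private server's security group")

    # (4) A NAT instance forwards packets not addressed to it, which EC2 drops
    #     unless source/destination checking is disabled on that instance.
    if nat.source_dest_check:
        problems.append("NAT instance still has source/destination checking enabled")

    return problems


def wizard_layout(private_sg_allowed_on_nat, nat_source_dest_check=False):
    """Constructed model of the wizard's public/private layout with one NAT instance."""
    public_rt = RouteTable(subnet_ids=["subnet-public"], routes=[
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
    ])
    private_rt = RouteTable(subnet_ids=["subnet-private"], routes=[
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat"},
    ])
    default_sg = SecurityGroup("sg-default", {"sg-default"})   # "All from default", as the wizard leaves it
    private_sg = SecurityGroup("sg-private-server")            # new group created at launch
    if private_sg_allowed_on_nat:
        default_sg.inbound_from_groups.add("sg-private-server")  # the rule Paul J says to add
    nat = Instance("i-nat", "subnet-public", ["sg-default"], source_dest_check=nat_source_dest_check)
    server = Instance("i-server", "subnet-private", ["sg-private-server"])
    return diagnose(server, nat, [public_rt, private_rt], [default_sg, private_sg])


if __name__ == "__main__":
    for label, problems in [("as launched", wizard_layout(False)),
                            ("after adding the rule", wizard_layout(True))]:
        print(label + ":", problems or ["OK: private subnet should reach the Internet"])
```

To feed this with real data rather than the constructed model, the same facts come from `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>`, `aws ec2 describe-security-groups --group-ids <sg-id>` and `aws ec2 describe-instance-attribute --attribute sourceDestCheck --instance-id <nat-instance-id>`; a subnet with no explicit association uses the VPC's main route table, which the simplified model above does not fall back to.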