Configuration of NAT Instance

You can use a network address translation (NAT) instance in a public subnet of your VPC to let instances in a private subnet initiate outbound IPv4 traffic to the Internet or to other AWS services, while preventing those instances from receiving inbound connections initiated from the Internet. A NAT instance is an ordinary EC2 instance that you operate yourself, so its security group, patching and source/destination-check setting are your responsibility.

NAT Instance Configuration

  • Once logged in to the AWS console, go to VPC.

  • Create a VPC (a virtual private cloud, an isolated network).

(Your VPCs > Create VPC: give it a name, give an IPv4 CIDR block, click Create)

  • Create a subnet (a smaller network carved out of the VPC's address range).

(Subnets > Create subnet: give a name, select the VPC, give an IPv4 CIDR block inside the VPC's range, click Create)

Here I gave it the name public subnet.

Public subnet: a subnet whose route table sends Internet-bound traffic (0.0.0.0/0) to an internet gateway.

  • Create one more subnet.

(Subnets > Create subnet: give a name, select the VPC, give a second, non-overlapping IPv4 CIDR block, click Create)

Here I gave it the name private subnet.

Private subnet: a subnet whose route table has no route to an internet gateway. Its instances reach the Internet only through the NAT instance and cannot be reached from the Internet.

  • Create an Internet Gateway.

(It allows communication between instances in your VPC and the Internet.)

(Internet Gateways > Create internet gateway: give a name; then select the gateway, Actions > Attach to VPC, and choose your VPC)

  • Add a route to the Internet Gateway in a route table. Here I am adding it to the main route table.

(Main route table > Routes > Edit routes > Add route: destination 0.0.0.0/0, target the internet gateway, Save)

Be aware that every subnet without an explicit route-table association uses the main route table. After this step, any subnet you have not associated elsewhere, including the private subnet created above, is effectively public until the custom route table is created and associated later in this guide. A safer layout is to put the IGW route in a dedicated route table associated only with the public subnet and leave the main table without an Internet route, so that a newly created subnet is isolated by default.

Launching the NAT Instance

  • Go to the EC2 console.

  • Click Instances, then Launch instance.

Under AMI, choose Community AMIs and select the Amazon Linux NAT AMI (listed on this page as "AMAZON-ami-VPC-NAT-HVM"). It comes with IP forwarding and iptables masquerading already configured, which is what makes it a NAT instance rather than a plain Linux host.

Launch it into the public subnet of the VPC you created, with auto-assign public IP enabled.

Launch the instance with the default settings, but review its security group before moving on: it must allow inbound traffic from the private subnet's CIDR on the ports the private instances need (for example HTTP and HTTPS) and outbound traffic to the Internet. Do not open inbound access from the Internet to the NAT instance beyond what you need for administration.

  • Select the NAT instance and disable the source/destination check (Actions > Networking > Change source/destination check > Disable).

By default EC2 drops any packet whose source or destination address is not the instance's own. A NAT instance forwards packets on behalf of other instances, so this check must be turned off; otherwise the private instances' traffic is silently discarded even though the routing is correct.

  • Create a custom route table.

(Route Tables > Create route table: give a name, select the VPC, click Create)

  • Add a default route in the custom route table that points at the NAT instance.

(Routes > Edit routes > Add route: destination 0.0.0.0/0, target the NAT instance's ID, Save)

  • Associate the private subnet with this route table (Subnet associations > Edit subnet associations, tick the private subnet, Save). From this point the private subnet no longer inherits the main table's IGW route, and its only path to the Internet is through the NAT instance.

To test the NAT Instance

Create two instances: one in the public subnet with a public IP, and one in the private subnet with only a private IP.

(The public instance can be reached directly because its subnet routes to the IGW and it has a public IP. The private instance cannot be reached from the Internet at all; connect to the public instance first and from there connect to the private instance's private IP, using the public instance as a jump host.)

Once connected, the private instance has Internet access, and that access goes through the NAT instance.

Use the tracert command (traceroute on Linux) against an Internet address from the private instance. The first hop should be the NAT instance's private IP, which confirms where the instance is getting its Internet access from. If the trace dies at the first hop, recheck the source/destination check and the NAT instance's security group.
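An offline check of the finished layout, added here as an example and not part of the original post. It takes route tables, subnets and instance attributes in the shape returned by `aws ec2 describe-route-tables` and `describe-instances` (the sample data below is constructed, and IDs such as rtb-main, subnet-private, subnet-forgotten and i-nat are hypothetical), applies the AWS rule that a subnet uses its explicitly associated route table or else the main table, and flags the things that commonly go wrong with the steps above: a subnet that silently inherits the main table's IGW route and is therefore public, a private subnet that was never associated with the custom table, and a NAT instance that still has source/destination checking enabled or is not in a public subnet.

```python
"""Offline audit of the NAT-instance layout built in the steps above.

Input shapes mirror the JSON returned by `aws ec2 describe-route-tables`
and `describe-instances`. All data here is constructed; the IDs are
hypothetical.
"""
from typing import Dict, List, Optional, Tuple

VPC_CIDR = "10.0.0.0/16"

# Constructed sample: the main table carries the IGW route (as in the
# tutorial), the custom table sends 0.0.0.0/0 to the NAT instance and is
# associated only with subnet-private. subnet-forgotten has no association.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat", "State": "active"},
        ],
    },
]
SUBNET_IDS = ["subnet-public", "subnet-private", "subnet-forgotten"]
INSTANCES = {
    "i-nat": {"SubnetId": "subnet-public", "SourceDestCheck": False, "PublicIp": "203.0.113.10"},
}
# What the tutorial intends; any subnet not listed is checked for accidental exposure.
EXPECTED = {"subnet-public": "public", "subnet-private": "private-via-nat"}


def main_route_table(route_tables: List[dict]) -> dict:
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    raise ValueError("VPC has no main route table")


def effective_route_table(subnet_id: str, route_tables: List[dict]) -> Tuple[dict, bool]:
    """AWS rule: an explicit association wins, otherwise the main table applies.
    Returns (table, explicitly_associated)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt, True
    return main_route_table(route_tables), False


def default_route(rt: dict) -> Tuple[str, Optional[str]]:
    """Classify the 0.0.0.0/0 route: igw / instance / nat-gateway / blackhole / none."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("State", "active") != "active":
            return "blackhole", None  # target was terminated or detached
        if r.get("GatewayId", "").startswith("igw-"):
            return "igw", r["GatewayId"]
        if r.get("InstanceId"):
            return "instance", r["InstanceId"]
        if r.get("NatGatewayId"):
            return "nat-gateway", r["NatGatewayId"]
    return "none", None


def classify_subnet(subnet_id: str, route_tables: List[dict]) -> str:
    rt, _ = effective_route_table(subnet_id, route_tables)
    kind, _ = default_route(rt)
    return {"igw": "public", "instance": "private-via-nat",
            "nat-gateway": "private-via-nat"}.get(kind, "isolated")


def check_nat_instance(instance_id: str, instances: Dict[str, dict],
                       route_tables: List[dict]) -> List[str]:
    inst = instances.get(instance_id)
    if inst is None:
        return [f"{instance_id}: route target does not exist"]
    findings = []
    if inst.get("SourceDestCheck", True):  # EC2 default is enabled
        findings.append(f"{instance_id}: source/destination check still enabled; forwarded packets are dropped")
    if classify_subnet(inst["SubnetId"], route_tables) != "public":
        findings.append(f"{instance_id}: sits in {inst['SubnetId']}, which is not a public subnet")
    if not inst.get("PublicIp"):
        findings.append(f"{instance_id}: has no public IP, so it cannot reach the Internet itself")
    return findings


def audit(route_tables: List[dict], instances: Dict[str, dict],
          subnet_ids: List[str], expected: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means the layout matches."""
    findings = []
    for sid in subnet_ids:
        rt, explicit = effective_route_table(sid, route_tables)
        kind, target = default_route(rt)
        actual = classify_subnet(sid, route_tables)
        want = expected.get(sid)
        if want is None:
            if actual == "public":
                how = "explicit association" if explicit else "fallback to the main table"
                findings.append(f"{sid}: public via {how} ({rt['RouteTableId']}) but not declared public")
        elif actual != want:
            findings.append(f"{sid}: expected {want}, but {rt['RouteTableId']} makes it {actual}")
        elif kind == "instance":
            findings.extend(check_nat_instance(target, instances, route_tables))
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, INSTANCES, SUBNET_IDS, EXPECTED) or ["layout OK"]:
        print(line)
```

Run against the sample, the only finding is subnet-forgotten: it was never associated with a route table, so it falls back to the main table and inherits the IGW route. Replace the constants with the real `describe-route-tables` / `describe-instances` output for your VPC to audit the actual account.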


  1. Are A and S on different IP subnets? Does S have a second IP on the SAME subnet as A? Any ASA or other firewalls between the two? If so this is expected behavior.

    • If your question is about the instance on the same subnet, then assign the NAT instance's private IP as the gateway and the pre-DNS place on the other instance.
