VPC creation steps:
create 2 subnets
attach an internet gateway to the VPC (create a new internet gateway)
create a public route table (keep the main route table private at all times) with a route out to the internet
associate subnet with the newly created route table to make it public.
enable “auto assign public ip” for the public subnet.
launch EC2 instances in public subnet and private subnet
copy the myEC2key content and create a new key file on the public subnet ec2 instance
create a NAT instance by selecting one from the community AMIs and put it in the public subnet
disable source/destination check for the NAT instance.
you need to create a route from the private subnet out through the NAT instance to the internet
make changes to the main route table: add another route pointing to the newly created NAT instance
delete NAT instance
create a NAT gateway (always deploy it into the public subnet) (allocate an elastic IP to the NAT gateway)
with NAT gateways you don’t need to disable source/destination check, and you don’t need to put them behind SGs
a NAT instance is a single point of failure
if you put the NAT instance behind an auto scaling group, it helps. But a NAT gateway is a better choice than NAT instances
when you are creating a NAT gateway you always need to put it in the public SN and always update the route table to point the instances to the NAT gateway
you don’t need to put it behind SGs or apply security patches
implemented with redundancy
NAT GW supports 10Gbps bandwidth
NAT GW redundancy is built in automatically
you can use NACLs with a NAT GW but not SGs
NAT GWs are always used in production
Exam Tips: NAT instances
* When creating a NAT instance disable source/destination checks on the instance
* NAT instance must be in the public subnet
* There must be a route out of the Private SN to the NAT instance, in order for this to work.
* when you deploy a NAT you must allocate public IP for it.
* The amount of traffic that NAT instance supports, depends on the instance size. If you are bottlenecking, increase the instance size.
* you can create HA using Autoscaling groups, multiple subnets in different AZs and a script to automate failover from one NAT instance to another.
* NAT instances are always behind a security group
Exam Tips: NAT Gateways
* preferred by enterprise
* scale automatically up to 10Gbps
* No need to patch
* Not associated with security groups
* automatically assigned public IP address
* route tables must be updated with NAT gateway
* No need to disable Source/Destination checks