- https://techdifferences.com/difference-between-nat-and-pat.html
- Network Address Translation (NAT) connects two networks and maps the private (inside local) addresses into public addresses (inside global). Here the term inside local signifies that the host address belongs to an internal network and not assigned by Network Information Center or service provider. And the inside global means that the address is a licit address assigned by the NIC or service provider and it also represents one or more inside local addresses to the outside world
- Port Address Translation (PAT) is a type of Dynamic NAT through which address translation can be configured at the port level, and the remaining IP address usage is also optimized. PAT maps multiple source local addresses and ports to a single global IP address and port from a pool of IP addresses that are routable on the destination network. Here the interface IP address is used in combination with the port number and multiple hosts could have same IP address because the port number is unique
NAT Instance
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
- You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the internet.
- This is an actual EC2 instance with NAT Machine Image is loaded in the subnet that has access to the internet public subnet.
- Its function is to enable the private subnet EC2 access to public internet
- To make sure no traffic from internet reaches the private subnet
- NAT instance forwards out traffic it receives from an internal instance – and similarly back.
- Only SSH traffic (or RDP for Windows) is allowed into the NAT instance
- NAT instance need to be assigned a security group:
o Inbound from Private instance or private subnet on port 80 (HTTP) or 443 (HTTPS)
o Outbound to internet (0.0.0.0/0) on port 80 (HTTP) or 443 (HTTPS)
o Inbound from internal n/w on port 22 (SSH) or RDP
- Source/Destination check – no pass-thru traffic is allowed by default, i.e. an EC2 will only accept traffic that is meant for it and will only send out traffic that was originated within it. If you need it to act like a Proxy – such as NAT – need to disable the check. Works with public or Elastic IP. You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped, not terminated or pending, using the console or the command line.- Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
NAT Gateway
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
- You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances
- AWS hosted NAT service - all functions performed by AWS
- Does not allow for a custom security group – AWS takes care of this. Works with Elastic IP’s for public access only
- In a VPC with a NAT gateway the main route table sends internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway sends the traffic to the internet gateway using the NAT gateway’s Elastic IP address as the source IP address
- You cannot route traffic to a NAT gateway through
o VPC peering connection
o Site-to-Site VPN connection
o AWS Direct Connect
- A NAT gateway cannot be used by resources on the other side of these connections
No comments:
Post a Comment