Why can't I use a NAT gateway to access the internet from my Amazon EC2 instances?

I want to troubleshoot issues that I receive when I use a NAT gateway to access the internet from my Amazon Elastic Compute Cloud (Amazon EC2) instances.

Resolution

Internet connectivity issues with NAT gateways can occur because of subnet configuration issues or missing routes.

Use Reachability Analyzer to check your connectivity

To check whether a route is reachable, use Reachability Analyzer.

First, create and analyze a path. For Source Type choose Instances, and then select your instance. For Destination type, choose Internet Gateways, and then select the gateway that you want to pass through as your destination. Then, view the results to identify whether the path is reachable. If it's unreachable, then analyze the path and update your configuration as needed.

Verify your subnet configurations

Confirm that your route tables have the following configurations:

  • The NAT gateway is in a public subnet with a route table that routes internet traffic to an internet gateway.
  • Your instance is in a private subnet with a route table that routes internet traffic to the NAT gateway.
  • There are no other route table entries that route all or part of the internet traffic to another device instead of the NAT gateway.

Make sure that the associated security groups and network access control lists (ACLs) for your source instance allow outbound traffic. The subnet where you launch the NAT gateway must have an associated network ACL that allows inbound traffic from the instances and the internet hosts. The network ACL must also allow outbound traffic to the internet hosts and the instances.

Check that the NAT gateway is in the Available state. To view your NAT gateway status, open the Amazon Virtual Private Cloud (Amazon VPC) console. Navigate to the NAT gateways page, and then view the status information in the details pane. If the NAT gateway is in a failed state, then an error might have occurred during NAT gateway creation. For more information, see NAT gateway creation fails.
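The three route-table conditions and the Available-state check above can be applied mechanically to the data that EC2's DescribeRouteTables and DescribeNatGateways return. The following is an added example, not code from this article or from AWS; the route tables and IDs in it are constructed placeholders, and the "diverts" check treats any more-specific route to a non-RFC 1918 range that does not target the NAT gateway as an override of the default route.

```python
import ipaddress

# Keys that can carry a route's target in DescribeRouteTables output; the first one present wins.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId",
               "TransitGatewayId", "VpcPeeringConnectionId")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def route_target(route):
    """Target ID of an active route; None for a blackhole route (its target was deleted)."""
    if route.get("State", "active") != "active":
        return None
    return next((route[k] for k in TARGET_KEYS if route.get(k)), None)

def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route, or None if there is no usable default route."""
    return next((route_target(r) for r in route_table["Routes"]
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def check_nat_path(private_rt, public_rt, nat_gateway):
    """Apply the route-table and state checks; an empty list means the path looks correct."""
    nat_id, findings = nat_gateway["NatGatewayId"], []
    if nat_gateway["State"] != "available":
        findings.append(f"{nat_id} is in state {nat_gateway['State']}, not available")
    public_target = default_route_target(public_rt) or ""
    if not public_target.startswith("igw-"):
        findings.append(f"{public_rt['RouteTableId']}: 0.0.0.0/0 should target an internet gateway")
    if default_route_target(private_rt) != nat_id:
        findings.append(f"{private_rt['RouteTableId']}: 0.0.0.0/0 should target {nat_id}")
    for r in private_rt["Routes"]:  # a more specific route wins over the default route
        cidr, target = r.get("DestinationCidrBlock"), route_target(r)
        if not cidr or cidr == "0.0.0.0/0" or target in ("local", nat_id):
            continue
        if not any(ipaddress.ip_network(cidr).subnet_of(p) for p in RFC1918):
            findings.append(f"{private_rt['RouteTableId']}: {cidr} diverts internet traffic to {target or 'a blackhole'}")
    return findings

# Constructed sample data; every ID is a placeholder, not a real resource.
NAT = {"NatGatewayId": "nat-PLACEHOLDER", "State": "available"}
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
PUBLIC_RT = {"RouteTableId": "rtb-public", "Routes": [LOCAL,
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"}]}
PRIVATE_RT_OK = {"RouteTableId": "rtb-private-ok", "Routes": [LOCAL,
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER", "State": "active"}]}
PRIVATE_RT_BAD = {"RouteTableId": "rtb-private-bad", "Routes": [LOCAL,
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER", "State": "active"},
    {"DestinationCidrBlock": "198.51.100.0/24", "NetworkInterfaceId": "eni-PLACEHOLDER", "State": "active"}]}
```

Running `check_nat_path(PRIVATE_RT_BAD, PUBLIC_RT, NAT)` reports the 198.51.100.0/24 route that sends part of the internet traffic to an appliance interface instead of the NAT gateway, while the OK table returns no findings.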

To help you diagnose dropped connections because of network ACL or security group rules, turn on VPC Flow Logs.

If you use the ping command, then make sure that you ping a host that has Internet Control Message Protocol (ICMP) activated. If the host doesn't have ICMP activated, then you won't receive reply packets. To test whether the host has ICMP activated, run the same ping command from a terminal on your local computer.

Check that your instance can ping other resources, such as other instances in the private subnet.

Note: Make sure that your security group rules allow you to ping other resources.

Check that your connection uses only TCP, UDP, or ICMP, because a NAT gateway supports only those protocols.

To allow your instances to access an HTTPS website, the network ACL that you associate with the NAT gateway subnet must have the following rules.

Inbound rules:

  Source        Protocol   Port range    Allow/Deny
  VPC CIDR      TCP        443           ALLOW
  Internet IP   TCP        1024-65535    ALLOW

Outbound rules:

  Destination   Protocol   Port range    Allow/Deny
  Internet IP   TCP        443           ALLOW
  VPC CIDR      TCP        1024-65535    ALLOW
AWS OFFICIAL. Updated 6 months ago.