I want to patch my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance that's hosted in a private subnet or network.
Resolution
There are two options that you can use to patch a Linux instance that's hosted in a private network:
- Use a NAT gateway to allow instances to reach repositories.
- Create Amazon Simple Storage Service (Amazon S3) buckets.
Use a NAT gateway to allow instances to reach repositories
To create a NAT gateway for your environment, complete the following steps:
- Open the AWS Management Console, and then go to your virtual private cloud (VPC).
- Choose NAT Gateways, and then choose Create NAT Gateway.
- (Optional) Enter a name for the NAT gateway.
- For Subnet, make sure to select a public subnet that can reach the internet in the VPC that has your private network instance.
- For Connectivity Type, choose Public to make sure that your gateway can reach the internet.
- For Elastic IP allocation ID, allocate an Elastic IP address to assign to the NAT gateway. Use an existing Elastic IP address, or choose Allocate Elastic IP to create a new one.
- Choose Create NAT Gateway.
To update your VPC route tables, complete the following steps:
- Configure your virtual private cloud (VPC) environment with the correct route to allow traffic.
- Verify that the routes in the private subnet include a route for all connections to target the NAT gateway, with a destination of 0.0.0.0/0 and a target of nat-gateway-id.
- The following routes are an example of the NAT gateway routing, based on these instructions:
Private subnet:
Destination    Target
VPC CIDR       local
0.0.0.0/0      nat-gateway-id
The NAT gateway use cases - Routing documentation has additional examples for the subnets.
To connect to the instance and update the packages, complete the following steps:
- Use SSH, Session Manager (a capability of AWS Systems Manager), or EC2 Instance Connect Endpoint to connect to your instance in the private network.
- To update the packages on your instance, run the following commands:
Ubuntu or Debian
sudo apt-get update
sudo apt-get upgrade
Amazon Linux, Red Hat, or CentOS
sudo yum update
-or-
sudo dnf update
SUSE Linux
sudo zypper refresh
sudo zypper update
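The per-distribution commands above are easy to get wrong when one script is pushed to a mixed fleet (for example through Systems Manager Run Command). The script below is an added example, not part of the AWS article: it reads ID and ID_LIKE from /etc/os-release, picks the matching commands from the list above, and by default only prints them (plus a review-only variant such as yum check-update) so pending updates can be inspected before anything is applied. The Amazon Linux 2023 os-release text embedded at the bottom is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the AWS article: choose the update commands listed above
# from /etc/os-release so one script serves Ubuntu/Debian, Amazon Linux/Red Hat/CentOS
# and SUSE hosts. Runs as a dry run unless --apply is given.

# Read one field (e.g. ID or ID_LIKE) from os-release text passed as $1, without quotes.
os_release_field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr -d '"'
}

# Map ID and ID_LIKE to a package-manager family. $3 is "dnf" when dnf is
# installed (Amazon Linux 2023, newer Red Hat/CentOS), otherwise yum is chosen.
pkg_family() {
    case " $1 $2 " in
        *" ubuntu "*|*" debian "*)                        echo apt ;;
        *" suse "*|*" sles "*|*" opensuse "*)             echo zypper ;;
        *" amzn "*|*" rhel "*|*" centos "*|*" fedora "*)
            if [ "$3" = "dnf" ]; then echo dnf; else echo yum; fi ;;
        *)                                                echo unknown ;;
    esac
}

# Commands that only list pending updates, for review before patching.
check_commands() {
    case "$1" in
        apt)    echo "apt-get update && apt-get -s upgrade" ;;
        yum)    echo "yum check-update" ;;
        dnf)    echo "dnf check-update" ;;
        zypper) echo "zypper refresh && zypper list-updates" ;;
        *)      return 1 ;;
    esac
}

# The update commands from the article, keyed by package-manager family.
update_commands() {
    case "$1" in
        apt)    echo "apt-get update && apt-get upgrade" ;;
        yum)    echo "yum update" ;;
        dnf)    echo "dnf update" ;;
        zypper) echo "zypper refresh && zypper update" ;;
        *)      return 1 ;;
    esac
}

# Resolve the family for the running host, or for os-release text given as $1.
host_family() {
    osr="${1:-$(cat /etc/os-release 2>/dev/null)}"
    id="$(os_release_field "$osr" ID)"
    like="$(os_release_field "$osr" ID_LIKE)"
    if command -v dnf >/dev/null 2>&1; then have_dnf=dnf; else have_dnf=""; fi
    pkg_family "$id" "$like" "$have_dnf"
}

# Constructed sample: an Amazon Linux 2023 /etc/os-release used only for demonstration.
SAMPLE_AL2023='NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"
VERSION_ID="2023"'

# Usage: sh patch.sh           -> print the review and update commands (dry run)
#        sh patch.sh --apply   -> run the update commands with sudo
case "${1:-}" in
    --apply)
        fam="$(host_family)"
        cmd="$(update_commands "$fam")" || { echo "unsupported distribution" >&2; exit 1; }
        sudo sh -c "$cmd" ;;
    *)
        fam="$(host_family)"
        echo "family: $fam"
        echo "review: $(check_commands "$fam" || echo n/a)"
        echo "apply:  $(update_commands "$fam" || echo n/a)"
        echo "sample AL2023 family (dnf present): $(pkg_family "$(os_release_field "$SAMPLE_AL2023" ID)" "$(os_release_field "$SAMPLE_AL2023" ID_LIKE)" dnf)" ;;
esac
```

Run the dry run first and look at the review output; the apply branch deliberately uses the same commands the article lists, so nothing is changed beyond what a manual session would do.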
Create S3 bucket endpoints
Note: This option only applies to Amazon Linux distributions.
Amazon Simple Storage Service (Amazon S3) gateway endpoints don't require an internet gateway or NAT device for your VPC. The S3 gateway endpoints allow you to access Amazon S3 from your VPC at no additional cost. To patch the instance without internet access, create an S3 bucket and configure the Linux instance to access the updates from the private S3 bucket.
For instructions on how to set up S3 gateway endpoints for Amazon Linux packages, see How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023?
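Whichever option is chosen, the thing to verify afterwards is the private subnet's route table: for the NAT gateway option, that 0.0.0.0/0 targets a nat-... and is active; for the S3 gateway endpoint option, that a prefix-list route (pl-...) targets a vpce-... gateway. The script below is an added example, not part of the AWS article or the AWS CLI, that performs both checks offline on the text output of `aws ec2 describe-route-tables`. The rows are constructed to match the column order of the --query shown in the comments, every ID is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the AWS article: verify a private subnet's route table
# from AWS CLI text output. Rows below are constructed to look like the output of
#   aws ec2 describe-route-tables --route-table-ids "$RTB" --output text \
#     --query 'RouteTables[0].Routes[].[DestinationCidrBlock,DestinationPrefixListId,GatewayId,NatGatewayId,State]'
# The CLI prints "None" for an absent field; all IDs here are placeholders.

row() { printf '%s\t%s\t%s\t%s\t%s\n' "$@"; }

# Constructed: private subnet routed through a NAT gateway plus an S3 gateway endpoint.
SAMPLE_PRIVATE_RT="$(
    row 10.0.0.0/16 None local None active
    row 0.0.0.0/0 None None nat-0123456789abcdef0 active
    row None pl-0123456789abcdef0 vpce-0123456789abcdef0 None active
)"

# Constructed: a public-style table whose default route targets an internet gateway.
SAMPLE_PUBLIC_RT="$(
    row 10.0.0.0/16 None local None active
    row 0.0.0.0/0 None igw-0123456789abcdef0 None active
)"

# Print the target of the 0.0.0.0/0 route (empty if the table has no default route).
default_route_target() {
    printf '%s\n' "$1" | awk -F'\t' '$1 == "0.0.0.0/0" { t = ($4 != "None") ? $4 : $3; print t }'
}

# True when the default route points at a NAT gateway and is active.
default_route_via_nat() {
    printf '%s\n' "$1" | awk -F'\t' '
        $1 == "0.0.0.0/0" && $4 ~ /^nat-/ && $5 == "active" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Print the gateway-endpoint target: a prefix-list route (pl-...) to a vpce-... gateway.
gateway_endpoint_target() {
    printf '%s\n' "$1" | awk -F'\t' '$2 ~ /^pl-/ && $3 ~ /^vpce-/ { print $3 }'
}

# Summarise the default route: "nat", "igw" or "none".
classify_egress() {
    if default_route_via_nat "$1"; then
        echo nat
    elif [ "$(default_route_target "$1" | cut -c1-4)" = "igw-" ]; then
        echo igw
    else
        echo none
    fi
}

# Usage with a live table: replace the sample with the CLI output, e.g.
#   rt="$(aws ec2 describe-route-tables --route-table-ids rtb-PLACEHOLDER --output text --query '...')"
for name in SAMPLE_PRIVATE_RT SAMPLE_PUBLIC_RT; do
    eval "rt=\$$name"
    echo "$name: default route via $(classify_egress "$rt"); gateway endpoint: ${ep:=}$(gateway_endpoint_target "$rt")"
done
```

Two things the check makes visible: a 0.0.0.0/0 route to a NAT gateway gives the instance outbound reachability to any internet destination, not only the package repositories (security-group egress rules and network ACLs still apply and are the place to narrow it), whereas the gateway endpoint option leaves the subnet with no default route at all, which is why it is limited to repositories hosted in Amazon S3 as the note above states.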
Related information
EC2 instance cannot use yum inside private subnet on the Stack Overflow website
How to use PuTTY for forwarding keys on the Stack Exchange website
Manage package and operating system updates in AL2023
Kernel Live Patching on AL2023