Accessing the Internet: Gateways and Route Tables

In the last lesson, we set up four subnets in two availability zones—two of them being private and two of them public. But what makes them public and private?

Resources in public subnets are reachable from the internet, while resources in private subnets are not. If we create a new VPC or subnet, it will be private. Any resource within the VPC or subnet will also not be able to reach the internet.

To give these resources access to the internet, we need a gateway. This is where internet gateways and NAT gateways come into play. Both of them give our instances access to the internet, but only one of them (the internet gateway) allows access from the outside to our resources.

Internet gateways (IGWs)

An internet gateway (IGW) allows our VPC resources like EC2 instances to reach the internet and be reached from the internet.

An internet gateway is always created per VPC and manages the NAT between public IP addresses (reachable from the internet) and private IP addresses within our VPC. If we allocate a public IP address to an EC2 instance within our VPC, the internet gateway will make sure that traffic for this public IP address will reach the correct EC2 instance within the VPC. We call this inbound traffic.

It also enables outbound traffic to the internet from within our VPC, so if our EC2 instance wants to download a software update from the internet, it will create an outbound request to the update server. Again, the internet gateway will make sure that this request from our EC2 instance can reach the update server on the internet.

NAT gateways

A NAT gateway is very similar to an internet gateway, but we could consider a NAT gateway a one-way street while an internet gateway is a two-way street.

A NAT gateway is a gateway that only allows outbound traffic. It normally only has one public IP that is used for all outbound traffic.

Our resources behind the NAT gateway can reach the internet, but the internet cannot reach them. By the way, this is exactly what your router at home does for your home network.

Note: Because we will be using AWS managed services in our private networks, we don’t need to provide internet access to the private subnets. We therefore don’t need to set up NAT gateways. They are also not included in the AWS free tier and are quite expensive (around $35 per month).

Route tables

To get outbound internet access working, an internet gateway or NAT gateway alone is not sufficient. We also need to create a route in the route table of each subnet we want to give outbound internet access to.

A route table is conceptually very simple: it’s just a table of destinations (IP ranges written as CIDRs) and targets (through which network node these CIDRs are reachable).

The first entry of a route table is usually describing how to find local resources, e.g., everything within the subnet. It’s just the CIDR of our subnet pointing at local.

For example, for our subnet subnet-public-a (which has the CIDR 10.0.0.0/24), it would look like this:

destination	target
10.0.0.0/24	local

To enable internet access, we need to create an entry in the route table where one can “find” the internet. The target therefore needs to be the internet gateway (or NAT gateway).

But which CIDR should we assign to the internet? The answer is simply all IP addresses, 0.0.0.0/0. Because a route table is processed from top to bottom, the first matching entry will be used. In this case, we can use 0.0.0.0/0 without any problems for the whole internet because the first entry (10.0.0.0/24) already filters out local traffic.

So, the complete route table for subnet-public-a would look like this:

destination	target
10.0.0.0/24	local
0.0.0.0/0	igw-id

For now, igw-id is a placeholder because we haven’t created an internet gateway yet. So let’s do that now!