AWS Networking and Content Delivery: Subnets, Routing, IGW, and NAT Gateway

Dive deeper into Amazon VPC networking. Master the critical roles of subnets, route tables, Internet Gateway (IGW) for public internet access, and NAT Gateway for outbound internet access from private subnets, ensuring secure and controlled network topology.

Directing Traffic: Subnets, Routing, Internet Gateway, and NAT Gateway in VPC

Welcome back to Module 13: Networking and Content Delivery! In the previous lesson, we laid the foundation of Amazon VPC, understanding it as your private, isolated network in the AWS cloud. Now, we'll build upon that foundation by diving into the core components that govern traffic flow within your VPC and enable controlled internet access: subnets, route tables, the Internet Gateway (IGW), and the NAT Gateway (NAT GW). A solid understanding of these elements is absolutely crucial for the AWS Certified Cloud Practitioner exam, as they dictate how your applications communicate, both internally and with the outside world.

This lesson will extensively cover these fundamental VPC networking concepts. We'll explain the purpose of subnets in segmenting your network, how route tables direct traffic, and the critical roles of the Internet Gateway for public internet access and the NAT Gateway for secure outbound internet access from private subnets. We will include a detailed Mermaid diagram illustrating the traffic flow through IGW and NAT Gateway, providing a clear visual roadmap for designing your VPC.

1. Subnets: Segmenting Your VPC

A subnet is a range of IP addresses in your VPC. When you create a VPC, you specify a CIDR block for it (e.g., 10.0.0.0/16). You then divide this larger CIDR block into smaller CIDR blocks for your subnets (e.g., 10.0.1.0/24, 10.0.2.0/24).

Key Characteristics:

  • Availability Zone Scope: A subnet must reside entirely within a single Availability Zone (AZ); it cannot span multiple AZs. Because each subnet sits in exactly one AZ, a failure of that AZ is confined to the subnets placed there, and deploying resources in subnets across several AZs is how you achieve high availability.
  • IP Address Allocation: Not every address in a subnet is usable. AWS reserves the first four and the last IP address in every subnet CIDR block for internal networking purposes, so a /24 subnet (256 addresses) leaves 251 for your resources.
  • Purpose: Subnets allow you to logically segment your VPC for security, operational, and architectural reasons. You can place different types of resources (e.g., web servers, application servers, databases) into different subnets.

Public vs. Private Subnets:

  • Public Subnet: A subnet is considered "public" if its route table has a direct route to an Internet Gateway (IGW). Resources in a public subnet can communicate directly with the internet, provided they also have a public or Elastic IP address.
  • Private Subnet: A subnet is considered "private" if its route table does NOT have a direct route to an IGW. Resources in a private subnet cannot be reached from the internet and cannot reach it directly (outbound access, if needed, goes through a NAT Gateway, covered below). This is ideal for sensitive resources like databases or internal application servers.

2. Route Tables: The Traffic Director

A route table contains a set of rules, called routes, that determine where network traffic from your subnets is directed. Each route specifies a destination CIDR block and a target (e.g., Internet Gateway, NAT Gateway, another EC2 instance).

Key Concepts:

  • Main Route Table: Every VPC has a main route table by default.
  • Custom Route Tables: You can create custom route tables and associate them with specific subnets.
  • Local Route: Every route table automatically contains a "local" route that enables communication within the VPC's CIDR block.
  • Default Route: The most common non-local route is 0.0.0.0/0, which matches any destination not covered by a more specific route, in practice "all internet traffic." The VPC router always uses the most specific matching route, so the local route wins for VPC-internal destinations. The target of the 0.0.0.0/0 route determines whether a subnet is public or private.

Example Route Table Entries:

Destination  | Target                            | Description
-------------|-----------------------------------|--------------------------------------------------------------------------
10.0.0.0/16  | local                             | Allows communication within the VPC (default)
0.0.0.0/0    | igw-xxxxxxxxxxxxxxxxx (IGW ID)    | Directs all internet-bound traffic to the IGW (public subnet)
0.0.0.0/0    | nat-xxxxxxxxxxxxxxxxx (NAT GW ID) | Directs all internet-bound traffic to the NAT GW (private subnet, outbound only)

Note that the two 0.0.0.0/0 rows belong to different route tables (one for the public subnet, one for the private subnet); a single route table cannot hold two routes for the same destination.

3. Internet Gateway (IGW): Your Gateway to the Internet

An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

Key Purpose:

  • Enables Public Connectivity: For a subnet to be public, its route table must contain a route to an attached IGW for internet-bound traffic.
  • Provides NAT for Public IPs: For EC2 instances with public IP addresses (either EIPs or automatically assigned public IPs), the IGW performs a one-to-one Network Address Translation (NAT), translating private IP addresses to public IP addresses and vice versa. The instance itself only ever sees its private address.

Important:

  • An IGW must be attached to your VPC to enable internet connectivity.
  • You can only have one IGW attached to a VPC at a time.

4. NAT Gateway (NAT GW): Secure Outbound Internet from Private Subnets

A NAT Gateway (NAT GW) is a highly available, managed AWS service that enables instances in a private subnet to connect to the internet or other AWS services (e.g., S3, DynamoDB) outside the VPC, but prevents the internet from initiating a connection with those instances.

Key Purpose:

  • Outbound Internet for Private Subnets: Allows resources in private subnets (e.g., application servers, databases) to securely initiate outbound connections to the internet (e.g., for software updates, third-party API calls) without exposing them directly.
  • No Inbound Connections: Prevents unsolicited inbound connections from the internet to instances in private subnets.
  • High Availability: NAT Gateways are highly available and resilient within an Availability Zone. For cross-AZ resilience, you should deploy a NAT Gateway in each AZ where you have private subnets that need outbound internet access.

How NAT Gateway Works:

  1. A resource in a private subnet sends outbound internet traffic.
  2. The private subnet's route table is configured to send 0.0.0.0/0 traffic to the NAT Gateway.
  3. The NAT Gateway resides in a public subnet and has an associated Elastic IP address.
  4. The NAT Gateway performs Network Address Translation, rewriting the private IP of the instance to its own public Elastic IP, and sends the traffic to the Internet Gateway.
  5. Response traffic from the internet is routed back to the NAT Gateway, which translates the public IP back to the private IP and forwards it to the instance.

Exam Tip: Remember this crucial distinction:

  • IGW: For inbound and outbound internet access to public subnets.
  • NAT Gateway: For outbound-only internet access from private subnets (responses to connections the instance initiated are allowed back in; new inbound connections are not).

5. Visualizing Traffic Flow: IGW and NAT Gateway

This diagram illustrates how traffic flows through both an Internet Gateway and a NAT Gateway in a typical VPC architecture with public and private subnets.

graph TD
    UserClient[Internet User] --> Internet[Public Internet]

    subgraph "AWS Region"
        subgraph "MyVPC (10.0.0.0/16)"
            IGW[Internet Gateway - attached at VPC level]
            RouterVPC[VPC Router]

            subgraph "Public Subnet (10.0.1.0/24)"
                NATGW[NAT Gateway with Elastic IP]
                WebSrv[EC2 Web Server with public IP]
            end

            subgraph "Private Subnet (10.0.2.0/24)"
                AppSrv[EC2 App Server]
                Database[RDS Database]
            end
        end
    end

    Internet -- Ingress --> IGW
    IGW --> RouterVPC
    RouterVPC -- "Public subnet route table" --> WebSrv
    WebSrv -- "HTTP/HTTPS response" --> RouterVPC
    WebSrv -- "App traffic, local route" --> AppSrv

    AppSrv -- "DB traffic, local route" --> Database
    AppSrv -- "Outbound internet" --> RouterVPC
    RouterVPC -- "Private subnet route table: 0.0.0.0/0 to NAT GW" --> NATGW
    NATGW -- "Source NAT to its Elastic IP" --> RouterVPC
    RouterVPC -- "Public subnet route table: 0.0.0.0/0 to IGW" --> IGW
    IGW -- Egress --> Internet
    Internet -- "Response to Elastic or public IP" --> IGW

Explanation:

  1. Incoming Public Traffic: Internet User -> Internet -> IGW -> VPC Router -> Public Subnet (Web Server).
  2. Outbound Public Traffic (from Web Server): Web Server -> Public Subnet -> VPC Router -> IGW -> Internet.
  3. Internal Traffic (Web to App): Web Server -> Public Subnet -> VPC Router -> Private Subnet (App Server).
  4. Outbound Internet from Private Subnet (e.g., App Server update): App Server -> Private Subnet -> VPC Router -> NAT Gateway -> Public Subnet -> VPC Router -> IGW -> Internet.
  5. Private Traffic (App to DB): App Server -> Private Subnet -> VPC Router -> Private Subnet (Database).

6. Practical Example: Listing Route Tables and Their Routes (AWS CLI)

You can use the AWS CLI to inspect the route tables associated with your VPC and subnets.

# 1. Get the ID of your default VPC (or a specific VPC)
VPC_ID=$(aws ec2 describe-vpcs --filters "Name=is-default,Values=true" --query 'Vpcs[0].VpcId' --output text)
echo "Default VPC ID: $VPC_ID"

# 2. Describe route tables in that VPC
aws ec2 describe-route-tables \
    --filters "Name=vpc-id,Values=$VPC_ID" \
    --query 'RouteTables[].{RouteTableId:RouteTableId,Routes:Routes,Associations:Associations[].SubnetId}' \
    --output json

Explanation:

  • aws ec2 describe-route-tables: Retrieves information about your route tables.
  • --filters "Name=vpc-id,Values=$VPC_ID": Filters the route tables by your VPC ID.
  • --query 'RouteTables[].{...}' --output json: Formats the output to show the RouteTableId, its Routes (destination and target), and Associations (which subnets are linked).

By examining the Routes section, you can determine whether the 0.0.0.0/0 route (all internet traffic) targets an igw- ID (reported in the GatewayId field) or a nat- ID (reported in the NatGatewayId field), thus identifying public vs. private subnets and their internet access configuration. Two details matter when reading the output: a subnet that appears in no Associations list uses the VPC's main route table (the one whose association has Main set to true), and where several routes match a destination the VPC router uses the most specific one.
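As an added example that is not part of the original lesson, the following Python script applies that check to the JSON shape returned by describe-route-tables, using a constructed sample instead of a live account: it resolves each subnet's effective route table (falling back to the main table for unassociated subnets), picks the route the VPC router would use by longest-prefix match as described in section 2, and classifies the subnet by the target of its internet-bound route. All resource IDs in the sample are placeholders.

```python
import ipaddress
import json

# Constructed imitation of `aws ec2 describe-route-tables --output json`
# (trimmed to the fields used here); every ID is a placeholder.
SAMPLE = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-main", "Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
 {"RouteTableId": "rtb-public", "Associations": [{"Main": false, "SubnetId": "subnet-web"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
 {"RouteTableId": "rtb-private", "Associations": [{"Main": false, "SubnetId": "subnet-app"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}]}
]}""")

def route_target(route):
    """The API names the target field after its type (GatewayId for local/igw-, NatGatewayId for nat-, ...)."""
    for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId"):
        if route.get(key):
            return route[key]
    return None

def lookup(routes, dest_ip):
    """Pick the route the VPC router would use: the longest matching prefix."""
    ip, best = ipaddress.ip_address(dest_ip), None
    for r in routes:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route_target(r))
    return best[1] if best else None

def classify_subnets(describe_output, subnet_ids):
    """Map each subnet to 'public', 'private-nat' or 'isolated'; unassociated subnets use the main table."""
    tables = describe_output["RouteTables"]
    main = next(t for t in tables if any(a.get("Main") for a in t["Associations"]))
    explicit = {a["SubnetId"]: t for t in tables
                for a in t["Associations"] if a.get("SubnetId")}
    result = {}
    for sid in subnet_ids:
        # 203.0.113.10 is a documentation address standing in for "the internet"
        target = lookup(explicit.get(sid, main)["Routes"], "203.0.113.10") or ""
        if target.startswith("igw-"):
            result[sid] = "public"
        elif target.startswith("nat-"):
            result[sid] = "private-nat"
        else:
            result[sid] = "isolated"
    return result
```

Calling classify_subnets(SAMPLE, ["subnet-web", "subnet-app", "subnet-db"]) labels the three subnets public, private-nat and isolated respectively; the third has no explicit association and therefore inherits the main table, which has no internet route.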

Conclusion: Orchestrating Your Network Traffic

Subnets, route tables, Internet Gateways, and NAT Gateways are the fundamental building blocks for controlling traffic flow and defining internet access within your Amazon VPC. Mastering these components is essential for the AWS Certified Cloud Practitioner exam, enabling you to design secure, isolated, and highly functional network environments in AWS. By effectively using these services, you can ensure your applications have the necessary connectivity while maintaining strict control over exposure to the public internet, safeguarding your sensitive resources.


Knowledge Check

An EC2 instance is launched in a private subnet. This instance needs to fetch software updates from the internet but should not be directly reachable from external networks. Which of the following components must be configured to enable this outbound internet connectivity?
