[00:00:00] So let's go and create a NAT instance to give internet access to our private subnets. So I click on Launch instance and I'm going to type "NAT instance", and now we need to find the Amazon image that is for a NAT instance. So to do so I'm going to browse more AMIs right here, and then I need to enter a search term such as NAT, N-A-T, and then press enter. And as we can see there are forty-some results in the community AMIs. So I click on community AMIs and now I can see that we have some NAT instances from AWS. So you can find one of these as long as it says x86_64. And you can look at the published date to try to find a newer kind of instance. So I can find this one, published date of 2022, as long as it says Amazon AMI VPC NAT 2018, something like this, then you're good to go, of architecture x86_64. Okay, so let's choose this one. Looks recent enough. But you know, whatever you choose really is good enough; NAT instances are somewhat deprecated. We'll see why with what's next. So don't worry too much about this, but here we go.
[00:01:13] I'm using my community AMI from AWS to deploy a NAT instance. I use a t2.micro. For key pair I will just use a demo key pair. And then for network settings, we're going to edit this and we're going to create a new security group. So rules-wise, we're going to create a few things. So SSH from anywhere, yes. Then we have to add more rules. So HTTP, and then the source is a CIDR, and the CIDR block is the same as our VPC, so 10.0.0.0/16. And then we're going to do the same but for HTTPS, so to allow HTTPS traffic out as well from the same CIDR block. And then the last thing to do is, of course, to edit the VPC setting to be in my demo VPC. And we deploy this NAT instance in the public subnet, for example public subnet A. So we have to redo this. So "NAT instance SG" is the name of the security group. And actually my rules are kept. So make sure to name it NAT instance SG. Okay, so we are good to go. Now let's go ahead and launch that instance. And we're done.
[00:02:26] And what we want to do is to have the private instance send internet traffic out through the NAT instance. Okay, so now that my NAT instance is created, what I need to do is to edit a networking setting called the source/destination check. So I need to stop this, okay. And this is because if this is a NAT instance you must stop the source/destination checking, because the NAT instance must be able to receive and send traffic when the source or destination is not itself. So this is very important. We click on save, and somehow it somewhat knew that we're gonna use this for NAT instances. So this is really good. And next, what we have to do is to send some traffic to the NAT instance. So first let's verify right now. So I'm going to re-SSH into my private instance; to do so I have to go through the bastion host. So I will use EC2 Instance Connect. Great, I'm connected into the bastion host, and then I will use the SSH command. So ec2-user@, and then I need to have the private IP of my private instance in here. So I will copy this and I will paste it, -i demo-keypair.pem.
[00:03:32] Okay, so I am in my private instance. And again, remember, if we did ping google.com we're not getting any reply. So this doesn't have internet access. Now let's give internet access to the private subnets. And to do so, in my private route table, on the routes, we need to edit the route. So let's edit them. And currently we have this one for local rules, but we're going to have one that says, if you want to talk out to the internet, then please go through your instance. And the instance has to be the NAT instance. Save. And what we've done effectively is saying, "Hey, for any EC2 instance within these subnets, because it's associated with this route table, if you send traffic to the internet, so anywhere, then go through my EC2 instance," which is exactly what a NAT instance is for. So now if we try again to ping google.com, this is not working. And I know why: because we need to also enable one specific port on the NAT instance. So let's go to security and the security group rules, and we need to enable a specific port for ping.
[00:04:36] So let's edit the inbound rules and I will add a rule for ping. So it's ICMP. So all ICMP, IPv4, from these subnets, from the CIDR that we have right here. Okay, and then click on save. Now, if we try again the ping command. So let's clear the screen and ping again. Now we are getting some result back. So this is working, and if we wanted to choose, for example, curl google.com, as we can see, we get some result back. So this is the HTML page from google.com, or more clearly, if I did curl example.com this would be an easier page to look at. Okay, so everything is working. We have ping working, we have curl working, we have HTTP access, HTTPS access. We have ICMP, so this is for ping, and so on. So what we've done effectively is that we've given internet access to the instances in my private subnet without exposing them to the internet. As we can see my private subnet instance still doesn't have a public IP. We need to use the bastion, okay? So that's it for this lecture, really, really good.
[00:05:41] But in the next lecture, we're going to use NAT gateways and it's going to be much better. So what I'm going to do now is go back into my instances. We don't need that NAT instance anymore and I'm going to stop it. Okay, or you can terminate it as well. We will not be using it anyway. So that's it for this lecture, I hope you liked it. And I will see you in the next lecture.