
I followed this one guide to build a working NAT instance:
https://docs.aws.amazon.com/vpc/latest/userguide/work-with-nat-instances.html
Issues Encountered:
Issue #1: My private EC2 instances could ping out to the internet, but they were unable to download any packages from the online RHEL repositories.
Fix #1: This was a security group issue. My NAT instance security group needs the following rules to allow HTTPS downloads from the online repositories:
- Inbound rule must allow HTTPS from the EC2 private subnet
- Outbound rule must allow HTTPS to anywhere (towards the Internet Gateway of the public subnet)
Notes:
Disable source/destination checks on the NAT instance
The “iptables” package is used on the NAT instance to set up forwarding (IP forwarding plus masquerading of the private subnet’s traffic)
A route entry must be added to the private subnet’s Route Table: when the destination is Anywhere (0.0.0.0/0), traffic is routed directly to the public Elastic Network Interface of the NAT instance.
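The whole sequence from the notes above (security group rules from Fix #1, source/destination check, private route, and the iptables setup on the NAT instance) as an added example; this is not code from the AWS guide or the original post. The resource IDs, the private subnet CIDR and the interface name are placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: wire up a NAT instance as described in the notes above.
# All IDs below are placeholders; override them via the environment.
NAT_INSTANCE_ID="${NAT_INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder
NAT_SG_ID="${NAT_SG_ID:-sg-0123456789abcdef0}"             # placeholder
NAT_ENI_ID="${NAT_ENI_ID:-eni-0123456789abcdef0}"          # placeholder
PRIVATE_RTB_ID="${PRIVATE_RTB_ID:-rtb-0123456789abcdef0}"  # placeholder
PRIVATE_SUBNET_CIDR="${PRIVATE_SUBNET_CIDR:-10.0.1.0/24}"   # placeholder
NAT_IFACE="${NAT_IFACE:-eth0}"   # placeholder; check with `ip link` on the NAT instance
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands only; 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Fix #1: HTTPS in from the private subnet only, HTTPS out to anywhere.
# Nothing wider than that, so the NAT instance does not become a general relay.
nat_sg_rules() {
  run aws ec2 authorize-security-group-ingress --group-id "$NAT_SG_ID" \
      --protocol tcp --port 443 --cidr "$PRIVATE_SUBNET_CIDR"
  run aws ec2 authorize-security-group-egress --group-id "$NAT_SG_ID" \
      --protocol tcp --port 443 --cidr 0.0.0.0/0
}

# A NAT instance forwards packets that are not addressed to it; with the
# source/destination check left on, EC2 silently drops those packets.
disable_src_dst_check() {
  run aws ec2 modify-instance-attribute --instance-id "$NAT_INSTANCE_ID" \
      --no-source-dest-check
}

# Default route of the private subnet's route table -> the NAT instance's ENI.
private_default_route() {
  run aws ec2 create-route --route-table-id "$PRIVATE_RTB_ID" \
      --destination-cidr-block 0.0.0.0/0 --network-interface-id "$NAT_ENI_ID"
}

# Run this part ON the NAT instance (as root): turn on IP forwarding and
# masquerade only the private subnet behind the instance's public interface.
nat_iptables() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -o "$NAT_IFACE" -s "$PRIVATE_SUBNET_CIDR" \
      -j MASQUERADE
}
```

Run `DRY_RUN=1 sh nat-setup.sh` first and review the printed commands against your own VPC before executing anything. The ICMP rules that made ping work are assumed to be in place already and are not repeated here.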