How to access an EC2 instance residing in a private subnet

  • Create a VPC
  • By default this also creates a router, security groups, NACLs and route tables
  • Create an internet gateway (IG) and associate it with the main RT
  • Create 2 subnets in the VPC
  • One public subnet, one private subnet
  • Create one route table with a 0.0.0.0/0 route (traffic from/to the internet) whose target is the internet gateway
  • Now associate the public subnet you created with the above route table
  • Create one security group for the public subnet and allow ICMP, HTTP, SSH and HTTPS (stateful) traffic

At this point, if you launch an instance in the public subnet of the custom VPC, you will be able to SSH in and run a yum update through the IG.

Image: Acloudgruru
Using username "ec2-user".
Authenticating with public key "imported-openssh-key"

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
3 package(s) needed for security, out of 24 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-0-1-21 ~]$ sudo su -
[root@ip-10-0-1-21 ~]#
[root@ip-10-0-1-21 ~]#
[root@ip-10-0-1-21 ~]#
[root@ip-10-0-1-21 ~]# hostname
ip-10-0-1-21.us-east-2.compute.internal

10.0.1.21 is my instance in the public subnet.
To check that internet access works, run yum update and make sure updates are downloaded from the internet:

[root@ip-10-0-1-21 ~]# yum update -y


Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package awscli.noarch 0:1.16.102-1.amzn2.0.1 will be updated
---> Package awscli.noarch 0:1.16.300-1.amzn2.0.1 will be an update
---> Package ca-certificates.noarch 0:2018.2.22-70.0.amzn2.0.1 will be updated
---> Package ca-certificates.noarch 0:2019.2.32-76.amzn2.0.1 will be an update
---> Package cloud-init.noarch 0:18.5-2.amzn2 will be updated
---> Package cloud-init.noarch 0:19.3-2.amzn2 will be an update
---> Package ec2-net-utils.noarch 0:1.1-1.1.amzn2 will be updated
---> Package tcpdump.x86_64 14:4.9.2-4.amzn2.1 will be an update
--> Finished Dependency Resolution
Install   1 Package
Upgrade  23 Packages

Total download size: 52 M
Downloading packages:
Complete!

So far so good!!!

Try to ping the instance in the private subnet (10.0.2.21) from the instance in the public subnet (10.0.1.21) to check whether you can reach instances in the private subnet.

[root@ip-10-0-1-21 ~]# ping 10.0.2.21
PING 10.0.2.21 (10.0.2.21) 56(84) bytes of data.
^C
--- 10.0.2.21 ping statistics ---
0 packets transmitted, 0 received, 100% packet loss, time 4004ms

If you do not create another route table for your private (or any other) subnet, that subnet is associated with the main RT by default (always keep the main RT private).

Create a security group for the private subnet as well and allow traffic only from the public subnet CIDR.
For ping, enable ICMP; for SSH, allow port 80/tcp in the security group.

After attaching the security group, try again:

[root@ip-10-0-1-21 ~]# ping 10.0.2.21
PING 10.0.2.21 (10.0.2.21) 56(84) bytes of data.
64 bytes from 10.0.2.21: icmp_seq=1 ttl=255 time=1.00 ms
64 bytes from 10.0.2.21: icmp_seq=2 ttl=255 time=8.89 ms
^C
--- 10.0.2.21 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4004ms

The ping is working now; next, check whether instances in the private subnet can access the internet.

Once you SSH into the private instance, try running yum update; it will fail for sure.

[root@ip-10-0-1-21 ~]# ssh ec2-user@10.0.2.21 -i parwez_vpc.pem
Last login: Fri Jan 24 20:12:27 2020 from 10.0.1.21

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/

[root@ip-10-0-2-21 ~]# yum update -y
^C

Yum hung for a long time, which means internet access is not working yet.

For the private instance to access the internet, create a NAT gateway in the public subnet and add a route to it in the main route table.

“NAT Gateway, also known as Network Address Translation Gateway, is used to enable instances present in a private subnet to help connect to the internet or AWS services. In addition to this, the gateway makes sure that the internet doesn’t initiate a connection with the instances.”

I have created a NAT gateway and associated it with the main RT; now I will check whether the private instance can download packages from the internet.

[root@ip-10-0-2-21 ~]# yum update -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                                                                                                       | 2.4 kB  00:00:00
amzn2extra-docker                                                                                                                                | 1.3 kB  00:00:00
(1/4): amzn2-core/2/x86_64/group_gz                                                                                                              | 2.5 kB  00:00:00
(2/4): amzn2-core/2/x86_64/updateinfo                                                                                                            | 184 kB  00:00:00
(3/4): amzn2extra-docker/2/x86_64/primary_db                                                                                                     |  59 kB  00:00:00
(4/4): amzn2-core/2/x86_64/primary_db                                                                                                            |  36 MB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package awscli.noarch 0:1.16.102-1.amzn2.0.1 will be updated
---> Package awscli.noarch 0:1.16.300-1.amzn2.0.1 will be an update
---> Package ca-certificates.noarch 0:2018.2.22-70.0.amzn2.0.1 will be updated
---> Package ca-certificates.noarch 0:2019.2.32-76.amzn2.0.1 will be an update
---> Package cloud-init.noarch 0:18.5-2.amzn2 will be updated
---> Package cloud-init.noarch 0:19.3-2.amzn2 will be an update

It's working: we can now download updates from our EC2 instance running in the private subnet.
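To make the three states of this walkthrough explicit (ping blocked until the private security group allows it, yum hanging until the main route table gets a NAT route, and the NAT never accepting inbound connections), here is a small added model of route tables and stateful security groups. It is example code written for this page, not AWS or boto3 code; the mirror address 203.0.113.10, the internet source 198.51.100.7 and the tcp/22 SSH rule in the private security group are my assumptions.

```python
import ipaddress

PUBLIC_CIDR, PRIVATE_CIDR, VPC_CIDR = "10.0.1.0/24", "10.0.2.0/24", "10.0.0.0/16"
PUBLIC_HOST, PRIVATE_HOST = "10.0.1.21", "10.0.2.21"   # the two instances from the post
MIRROR = "203.0.113.10"                               # constructed "yum mirror" on the internet

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def route_target(route_table, dst_ip):
    """Longest-prefix match over [(cidr, target)]; target is 'local', 'igw' or 'nat'."""
    matches = [(ipaddress.ip_network(c).prefixlen, t) for c, t in route_table if in_cidr(dst_ip, c)]
    return max(matches)[1] if matches else None

def sg_allows(rules, src_ip, proto, port):
    """Stateful ingress: rules are (proto, port or None=any, source_cidr); replies need no egress rule."""
    return any(p == proto and pt in (None, port) and in_cidr(src_ip, c) for p, pt, c in rules)

def can_reach(src_ip, dst_ip, proto, port, subnets, sgs):
    """subnets: {cidr: route_table}; sgs: {instance_ip: rules}. Returns (ok, reason)."""
    src_subnet = next((s for s in subnets if in_cidr(src_ip, s)), None)
    if src_subnet is None:                            # connection initiated from the internet
        dst_subnet = next((s for s in subnets if in_cidr(dst_ip, s)), None)
        if dst_subnet is None or route_target(subnets[dst_subnet], src_ip) != "igw":
            return False, "no IGW path: a NAT gateway never accepts inbound connections"
        return sg_allows(sgs.get(dst_ip, []), src_ip, proto, port), "security group decides"
    target = route_target(subnets[src_subnet], dst_ip)
    if target is None:
        return False, "no route to destination (yum hangs)"
    if target in ("igw", "nat"):
        return True, f"egress via {target}"
    return sg_allows(sgs.get(dst_ip, []), src_ip, proto, port), "local route, security group decides"

def walkthrough():
    """Replays the states from the post in order and returns each outcome."""
    main_rt = [(VPC_CIDR, "local")]                   # main RT stays private: no 0.0.0.0/0 route yet
    public_rt = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")]
    subnets = {PUBLIC_CIDR: public_rt, PRIVATE_CIDR: main_rt}
    sgs = {PRIVATE_HOST: []}                          # private instance has no ingress rules yet
    out = {"public_yum": can_reach(PUBLIC_HOST, MIRROR, "tcp", 443, subnets, sgs)[0],
           "ping_before_sg": can_reach(PUBLIC_HOST, PRIVATE_HOST, "icmp", None, subnets, sgs)[0]}
    # private SG: ICMP and SSH (tcp/22 is my assumption) only from the public subnet CIDR
    sgs[PRIVATE_HOST] = [("icmp", None, PUBLIC_CIDR), ("tcp", 22, PUBLIC_CIDR)]
    out["ping_after_sg"] = can_reach(PUBLIC_HOST, PRIVATE_HOST, "icmp", None, subnets, sgs)[0]
    out["private_yum_before_nat"] = can_reach(PRIVATE_HOST, MIRROR, "tcp", 443, subnets, sgs)[0]
    main_rt.append(("0.0.0.0/0", "nat"))              # NAT gateway (in the public subnet) added to main RT
    out["private_yum_after_nat"] = can_reach(PRIVATE_HOST, MIRROR, "tcp", 443, subnets, sgs)[0]
    out["internet_to_private"] = can_reach("198.51.100.7", PRIVATE_HOST, "tcp", 22, subnets, sgs)[0]
    return out
```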
