Network Security: Add Private Subnets with NAT Gateway
Add private subnets and NAT gateway
Now, we're going to add a new security group for our private subnets that allows inbound traffic on ports 22 and 8443 only.
Next, we have to change the SecurityGroupIds property inside the InstanceLaunchTemplate resource, so that it refers to PrivateSecurityGroup.GroupId instead of SecurityGroup.GroupId. In this way, new instances automatically become part of our new private security group.
Next, we add a new subnet per availability zone with MapPublicIpOnLaunch set to false, and a CIDR range that doesn't overlap with any of our other subnets.
Now we must create an Elastic IP address for each NAT gateway.
Next, let’s add the NAT gateways.
Now let’s add route tables to map outgoing internet traffic to the NAT gateways.
Switching our ASG to use private subnets
Finally, we have to switch the ASG to launch new instances in the private subnets rather than the public. The instances in the public subnets won’t be terminated until the new ones in the private subnets are launched.
Let's change the VPCZoneIdentifier in ScalingGroup to refer to PrivateSubnetAZ1 and PrivateSubnetAZ2 instead of SubnetAZ1 and SubnetAZ2.
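The steps above (private security group, private subnets, Elastic IPs, NAT gateways, route tables, and the launch template and ASG changes) as one CloudFormation fragment. This is an added example, not the course's own template. Names assumed because the page does not give them: the VPC resource is called VPC, the public subnets SubnetAZ1 and SubnetAZ2 already route to an Internet Gateway, the CIDR blocks are constructed values that must not overlap your existing subnets, and the ingress source is narrowed to the existing public SecurityGroup (where the load balancer sits) rather than opened to the whole internet.

```yaml
# Added example (not the course's template). Assumptions: VPC resource named VPC;
# public subnets SubnetAZ1/SubnetAZ2 route to an Internet Gateway; CIDRs below are
# constructed; ingress source is the existing public SecurityGroup (assumed).
Resources:
  # 1. Security group for private instances: inbound 22 and 8443 only,
  #    and only from members of the public SecurityGroup (assumption).
  PrivateSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Private instances - ports 22 and 8443 only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !GetAtt SecurityGroup.GroupId
        - IpProtocol: tcp
          FromPort: 8443
          ToPort: 8443
          SourceSecurityGroupId: !GetAtt SecurityGroup.GroupId
  # 2. One private subnet per AZ; no public IP is assigned at launch.
  PrivateSubnetAZ1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !GetAZs ""]
      CidrBlock: 10.0.10.0/24   # constructed; must not overlap other subnets
      MapPublicIpOnLaunch: false
  PrivateSubnetAZ2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !GetAZs ""]
      CidrBlock: 10.0.11.0/24   # constructed; must not overlap other subnets
      MapPublicIpOnLaunch: false
  # 3. One Elastic IP per NAT gateway.
  NATGatewayEIPAZ1:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NATGatewayEIPAZ2:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  # 4. NAT gateways live in the PUBLIC subnets; private subnets route through them.
  NATGatewayAZ1:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NATGatewayEIPAZ1.AllocationId
      SubnetId: !Ref SubnetAZ1
  NATGatewayAZ2:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NATGatewayEIPAZ2.AllocationId
      SubnetId: !Ref SubnetAZ2
  # 5. Per-AZ route tables: default route 0.0.0.0/0 goes to that AZ's NAT gateway.
  PrivateRouteTableAZ1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PrivateRouteAZ1:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableAZ1
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGatewayAZ1
  PrivateSubnetRouteTableAssociationAZ1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetAZ1
      RouteTableId: !Ref PrivateRouteTableAZ1
  PrivateRouteTableAZ2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PrivateRouteAZ2:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableAZ2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGatewayAZ2
  PrivateSubnetRouteTableAssociationAZ2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetAZ2
      RouteTableId: !Ref PrivateRouteTableAZ2
  # 6. Only the changed properties are shown; the rest of these resources is unchanged.
  InstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        SecurityGroupIds:
          - !GetAtt PrivateSecurityGroup.GroupId
  ScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier:
        - !Ref PrivateSubnetAZ1
        - !Ref PrivateSubnetAZ2
```

Two things to check before deploying a fragment like this: a NAT gateway can only be created once the VPC's Internet Gateway attachment exists, so add a DependsOn on your gateway-attachment resource (its name is not given on this page), and confirm that the public subnet each NAT gateway sits in has a 0.0.0.0/0 route to the Internet Gateway. Once the ASG moves, instances no longer have public IPs, so port 22 is reachable only from inside the VPC, which is the point of the change.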
After the new instances have been launched in the new private subnets, and the old ones have been terminated, we can verify that our application is still reachable through the load balancer endpoints.
And now is a good time to push all our changes to GitHub.
Note: All the code has already been added, and we are pushing it to our repository as well.
In the next lesson, we will allow only the HTTPS port in the public subnets.