Name: Routing Outbound Traffic Through NAT Gateways
Uploaded: 2021-03-22T18:40:29Z
Duration: 384
Description: To enhance your network monitoring strategy, you must ensure outbound traffic is routed through a NAT gateway.

Routing Outbound Traffic Through NAT Gateways

Modifying Route Tables for NAT Gateways

To enhance your network monitoring strategy, you must ensure outbound traffic is routed through a NAT gateway. Just because you create a NAT gateway does not mean that EC2 instances have the ability to run outbound traffic through the Internet. You need to define a route that allows EC2 instances on a private subnet to talk to NAT gateways and then go out to the Internet. This is where route tables comes into play. AWS defines route table for your VPC as, “A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.”

Once you’ve provisioned your NAT gateways in the VPC Dashboard, use the following steps to modify the routes table:

In the VPC Dashboard, open Route Tables.
Select route table associated with NAT gateway and open the Routes tab.
Now, you can select Edit Routes then Add Routes.
Enter 0.0.0.0/0 for the Destination and select a specific NAT gateway as the Target.
Select Save Routes and now you’ve created you’ve created a route for EC2 instances in that Availability Zone to be able to talk out to the Internet.

To learn more, visit the AWS user guide for NAT gateways.

Transcription

Hello, and welcome to today’s demo! Today, we’re going to be talking about EC2 instances that live on private subnets and how they get out to the Internet. If you have EC2 instances that live in a private subnet and you want to have the ability to access the Internet, you have to proxy that traffic through a system that uses NATs to allow them to talk out to the Internet. Previously, there was something called a “NAT instance” that was an actual AMI image that was created by Amazon that customers could provision that will allow for their EC2 instances that are in private subnets to be able to talk to that NAT instance out to the Internet. However, Amazon (as you can see on my screen) has deprecated the use of NAT instances. Now, Amazon recommends that clients use a NAT gateway. The bulk of this video is going to talk about NAT gateways, what they do, and how to provision them.

Let’s start off with what a NAT gateway is. A NAT gateway uses network address translation (NAT) to enable instances in private subnets to connect to the Internet or other AWS services, but it prevents the Internet from initiating a connection with those instances. Basically, it allows the instances to talk out but no Internet-initiated connections can talk in.

Now, let’s talk about some caveats that come with NAT gateways. The first caveat is that NAT gateways do not support IPv6. The second caveat is that NAT gateways are tied to an Availability Zone. What does that mean? If you have a single NAT gateway in an Availability Zone and you have EC2 instances in multiple Availability Zones that are using that NAT gateway and that Availability Zone goes down, those EC2 instances in the other Availability Zones will lose that ability to talk to the Internet. When you’re architecting your NAT Gateway infrastructure, it’s important that for any Availability Zone where you have those EC2 instances in private subnets, you need to have a NAT gateway for that Availability Zone.

Now that we have the basics out of the way, let’s go look at how we provision NAT Gateway and some important pieces of information. Once you log into your AWS Management Console, you’re going to search for “VPC,” then scroll all the way down to the “NAT Gateways.” As you can see, we already have a couple of NAT gateways provisioned, but let’s go through the provisioning steps. You’re going to hit “Create NAT Gateway” and you’re going to give your NAT gateway a specific name. Call it whatever you want, just make sure it’s a unique identifier. The next piece of information is really important. You’re going to select a subnet. As you can see, each subnet is tied to an Availability Zone. You want to be sure, like we said before, that you have a NAT gateway for each Availability Zone. When you’re creating your NAT Gateway infrastructure, pay close attention to what Availability Zone the NAT gateway is being created in. Then, you select the “Elastic IP.” If you have an available Elastic IP that is not being used, you can just select it from the dropdown box. If not, just hit “Allocate Elastic IP” and one will be allocated for you. Then, you’ll add a tag and create your NAT gateway. It will take a few minutes for the NAT gateway to be provisioned, and then you’ll have NAT gateways like you see here.

Now that we have some NAT gateways provisioned, let’s go look at some important information. If you scroll over to the right, we’ll look at a few things. The first thing is the VPC. We know the VPCs that the NAT gateways are associated with. The second thing is the subnet. Let’s talk about why this is important. The subnet is going to define which Availability Zone that NAT gateway is associated with. Let’s look at a couple.

If we go over to “Subnets” and look at our list of subnets, then scroll over to the “Availability Zone” column, we see that each of our subnets is in a different Availability Zone, where we assume our infrastructure is. So, we have that NAT gateway for each Availability Zone as we talked about.

Going back to the “NAT Gateways” tab, let’s look at the “VPC” column. Just because you created the NAT gateway does not mean that the EC2 instances have the ability to talk out to the Internet. The next critical piece is the route table. You have to be able to define a route that allows that EC2 instance on a private subnet to talk to that NAT gateway and then go out to the Internet. So, what you need to do is add the route into the route table and make sure that those instances in those private subnets can get out to the Internet. Let’s go look at the “Route Tables” tab. We have a route table here that’s specifically for the NAT gateway. Select that, then go to “Routes” and “Edit Routes.” Let’s say “0.0.0.0/0” for the destination and select a specific NAT Gateway for the target. When you save your route, you’ve created a route for instances in that Availability Zone to be able to talk out to the Internet.

As we saw, there’s a couple steps when creating those NAT gateways and there’s a couple of pieces of information that you need to make sure you are hitting. Making sure you have a NAT gateway for each Availability Zone is critical, making sure that you have the appropriate routes table and routes created is critical, and making sure that you have the associations correct is critical. Once you have that, you’ll be able to let your EC2 instances on private subnets talk out to the Internet.

Routing Outbound Traffic Through NAT Gateways

Related Videos

10.6.1 – Review Daily All Security Events and Logs of All System Components.mp4

10.6.2 – Review Logs of All Other System Components Based Policies and Risk Management Strategy

10.6.3 –Follow Up Exceptions and Anomalies Identified During the Review Process

Attributes of Log Data

Audit Trail Review with Kibana, Athena, and GuardDuty

Audit Your Security Groups for Insecure Ports and Protocols

Change-Detection Solutions in AWS

Configure Activity Log Container Access to Private

Configure Storage Accounts to Use Customer Managed Keys

Create Activity Log Alert for Delete SQL Server Firewall

Create an Activity Log Alert for Create or Update Public IP Address

Create an Activity Log Alert for Delete Security Solution

Disabling Insecure Ports and Protocols

Enable Access Transparency to Monitor Google Cloud Engineer Access

Enable Alerting for Cloud Storage IAM Permission Changes

Enable Bucket Lock to Protect Sink Destinations from Modification

Enable Cloud Audit Logging Across Your Project

Enable Cloud DNS Logging for VPC Networks

Enable Logging of Read, Write, and Delete Requests for Blob Service

Enable Logging of Read, Write, and Delete Requests for Table Service

Enable Queue Storage Logging for Read Write Access

Ensure ALBs Have WAF ACLs Attached

Ensure Alerts Exist for Project Ownership Changes

Ensure Alerts are Received for VPC Network Changes

Ensure Diagnostic Setting Captures Appropriate Categories

Ensure Log Alert Exists for Create or Update Network Security Group

Ensure Logging for AppServiceHTTPLogs

Ensure Network Security Group Flow Logs Are Sent to Log Analytics

Ensure RDS Instances are Only Accessible by Internal IPs

Ensure That a Diagnostic Setting Is Enabled

Ensure an Activity Log Alert Exists for Delete Public IP Address

Ensuring Role Assumption is Logged

Establish a Log Metric Alert for Configuration Changes in SQL Instances

Filters and Alarms in CloudWatch

Generate Log Metric Alerts for Custom Role Changes

GuardDuty Alerts for Control Failures

Historically View Project Resources in Asset Inventory

How to Edit Inbound Traffic Rules for Default Security Groups

Identify Unrestricted Access to Ports for Security Groups

Identify if EC2 Instances Are Directly Connected to the Internet

Introduction to Amazon CloudWatch

Leverage Google Cloud Engineers by Granting Access Approval

Log and Retain All Relevant Activities

Logging Tools in AWS

Logging Web ACL Data in Amazon Kinesis

Monitor Your Environment with Network Watcher

Monitor for "Delete Network Security Groups" Through Log Alerts

PCI Requirement 10 – Track and Monitor all Access to Network Resources and Cardholder Data

PCI Requirement 10.1 – Implement Audit Trails to Link all Access to System Components

PCI Requirement 10.2 – Implement Automated Audit Trails for all System Components

PCI Requirement 10.2.1 – All Individual User Accesses to Cardholder Data

PCI Requirement 10.2.2 – All Actions Taken by Any Individual with Root or Administrative Privileges

PCI Requirement 10.2.3 – Access to All Audit Trails

PCI Requirement 10.2.4 – Invalid Logical Access Attempts.mp4

PCI Requirement 10.2.5 – Use of and Changes to Identification Accounts with Root Privileges

PCI Requirement 10.2.6 – Initialization, Stopping, or Pausing of the Audit Logs

PCI Requirement 10.2.7 – Creation and Deletion of System-Level Objects

PCI Requirement 10.3 – Record at Least the Following Audit Trail Entries for All System Components

PCI Requirement 10.3.1 – User Identification

PCI Requirement 10.3.2 – Type of Event

PCI Requirement 10.3.3 – Date and Time

PCI Requirement 10.3.4 – Success or Failure Indication

PCI Requirement 10.3.5 – Origination of Event

PCI Requirement 10.3.6 – Identity or Name of Affected Data, System Component, or Resource

PCI Requirement 10.4 – Using Time-Synchronization Technology, Synchronize All Critical Systems

PCI Requirement 10.4.1 – Critical Systems Have the Correct and Consistent Time

PCI Requirement 10.4.2 – Time Data is Protected

PCI Requirement 10.4.3 – Time Settings Are Received from Industry-Accepted Time Sources

PCI Requirement 10.5 – Secure Audit Trails so They Cannot Be Altered

PCI Requirement 10.5.1 – Limit Viewing of Audit Trails to Those with a Job-Related Need

PCI Requirement 10.5.2 – Protect Audit Trail Files from Unauthorized Modifications

PCI Requirement 10.5.3 – Promptly Back Up Audit Trail Files to a Centralized Log Server

PCI Requirement 10.5.4 – Write Logs for External-Facing Technologies onto a Secure Device

PCI Requirement 10.5.5 – Use File-Integrity Monitoring or Change-Detection Software on Logs

PCI Requirement 10.6 – Review Logs and Security Events for All System Components

PCI Requirement 10.7 – Retain Audit Trail History for at Least One Year, with Three Months Available

PCI Requirement 10.8 –Implement a Process for the Detection of Failures of Critical Control Systems

PCI Requirement 10.8.1 –Respond to Failures of Any Critical Security Controls in a Timely Manner