Networking itself is a big and complicated topic in AWS. In this article, I am sharing my experience in setting up EIP + NAT + IGW + RT to establish a connection from an AWS Glue connection to a MySQL database where my EIP is whitelisted.
Before we get into details, here is a quick summary of the components in the current setup with a one-line description of each.
- Internet Gateway (IGW) — Gateway that allows internet traffic into and out of your VPC
- Public subnet — A subnet whose route table points to the IGW
- Private subnet — The subnet where your serverless Glue connection runs
- Elastic IP Address (EIP) — A static public IP address attached to the NAT Gateway; traffic to the internet (0.0.0.0/0) leaves with it as the source IP
- NAT Gateway (NAT) — A gateway that lets the AWS Glue connection in a private subnet communicate with the external world using the EIP as source. Note: the NAT must be created in a public subnet
- Route Table (RT) — Table attached to each subnet for routing its traffic
- Security Group (SG) — Security group on RDS that only allows TCP traffic from the EIP. Note: the EIP must be defined as a CIDR block, e.g. the IP 111.222.333.444 should be entered as 111.222.333.444/32
One of the reasons for writing this article is to focus on the importance of reading documentation meticulously and translating it into the actual configuration.
The AWS official docs on NAT gateways show the following configuration.
Please note: a subnet whose route table points to the IGW is called a public subnet. So, here, the Custom RT and the Main RT are attached to the public and private subnets respectively.
My initial thought after looking at the diagram was: how does my architecture know where to route which 0.0.0.0/0 (internet) traffic, since both RTs have internet traffic as destination and one is attached to the private subnet and the other to the public subnet?
Where is the missing link?
Two important steps when configuring NAT and IGW:
- The NAT gateway(NAT) sends the traffic to the internet gateway (IGW) using the NAT gateway’s Elastic IP address as the source IP address.
- Ensure that the NAT Gateway has been created in a public subnet.
I missed the second point, which cost me at least 4 hours to figure out the problem.
So, It all goes like this.
The private subnet has a route table that points 0.0.0.0/0 to the NAT gateway → the NAT gateway, which is itself configured in a public subnet, knows the request originated from a private server → the NAT gateway translates the source to the Elastic IP (EIP) address and reaches the outside world (internet) via the IGW.
Here are the steps of how I configured a VPC with an EIP for my ETL ingestion workload.
- Allocate an Elastic IP address (EIP).
- Create a NAT Gateway in the public subnet with the EIP attached.
- Open the private subnet's Route table (RT) and update it as follows.
- Check if the public subnet has an IGW attached. If not, attach the IGW to the public subnet's RT as follows.
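The checklist above can be verified programmatically. The following is an added example, not code from the article: it audits a description of the VPC against the four points the article calls out (private RT routes 0.0.0.0/0 to a NAT, the NAT sits in a public subnet, the NAT carries the whitelisted EIP, the RDS security group allows that EIP as a /32 on port 3306). It runs offline on constructed sample data shaped loosely like EC2 describe_* responses; all resource IDs and addresses are made up.

```python
import ipaddress

def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    for rt in route_tables:
        if subnet_id in rt["subnet_ids"]:
            return rt["routes"].get("0.0.0.0/0", "").startswith("igw-")
    return False  # no route table association found

def audit_glue_egress(private_subnet_id, nat_gateways, route_tables, sg_ingress, eip):
    """Return a list of findings; an empty list means the setup matches the checklist."""
    findings = []
    # 1. the private subnet's route table must point 0.0.0.0/0 at a NAT gateway
    private_rt = next((rt for rt in route_tables if private_subnet_id in rt["subnet_ids"]), None)
    nat_id = private_rt["routes"].get("0.0.0.0/0", "") if private_rt else ""
    if not nat_id.startswith("nat-"):
        findings.append("private subnet route table has no 0.0.0.0/0 route to a NAT gateway")
        return findings
    # 2. that NAT gateway must itself live in a public subnet (the step that is easy to miss)
    nat = next((n for n in nat_gateways if n["id"] == nat_id), None)
    if nat is None:
        findings.append(f"route targets unknown NAT gateway {nat_id}")
        return findings
    if not subnet_is_public(nat["subnet_id"], route_tables):
        findings.append(f"{nat_id} sits in {nat['subnet_id']}, which has no IGW route (not a public subnet)")
    # 3. the NAT gateway must carry the EIP that the database whitelists
    if nat["eip"] != eip:
        findings.append(f"{nat_id} uses {nat['eip']}, not the whitelisted EIP {eip}")
    # 4. the RDS security group must allow exactly that EIP as a /32 CIDR on the MySQL port
    allowed = [ipaddress.ip_network(r["cidr"]) for r in sg_ingress if r["port"] == 3306]
    if not any(net.prefixlen == 32 and ipaddress.ip_address(eip) in net for net in allowed):
        findings.append(f"security group has no /32 ingress rule for {eip} on port 3306")
    return findings

# Constructed sample data (hypothetical IDs and documentation-range addresses, not real resources)
ROUTE_TABLES = [
    {"id": "rtb-main", "subnet_ids": ["subnet-private"], "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0abc"}},
    {"id": "rtb-custom", "subnet_ids": ["subnet-public"], "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0def"}},
]
NAT_OK = [{"id": "nat-0abc", "subnet_id": "subnet-public", "eip": "203.0.113.10"}]
NAT_WRONG = [{"id": "nat-0abc", "subnet_id": "subnet-private", "eip": "203.0.113.10"}]  # the 4-hour mistake
SG_OK = [{"port": 3306, "cidr": "203.0.113.10/32"}]
SG_TOO_WIDE = [{"port": 3306, "cidr": "203.0.113.0/24"}]  # contains the EIP but is not a /32

if __name__ == "__main__":
    for nats, sg in ((NAT_OK, SG_OK), (NAT_WRONG, SG_OK), (NAT_OK, SG_TOO_WIDE)):
        print(audit_glue_egress("subnet-private", nats, ROUTE_TABLES, sg, "203.0.113.10"))
```

In a real account the same dictionaries can be filled from `describe_route_tables`, `describe_nat_gateways` and `describe_security_groups` output before running the audit.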
To test the configuration, I launched a public MySQL database in a different VPC and whitelisted my EIP in its security group (SG).
As expected, the local DBeaver client failed to connect to the database, whereas the Glue connection running in the private subnet connected to the database successfully.
I am writing a separate article on the AWS Glue JDBC custom connector (SAP).