AWS VPC Internet Gateways

- aws networking

This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

Internet Gateways in a VPC provide Internet connectivity to hosts in public subnets. They are horizontally scaled, redundant, highly available, and managed by Amazon. To enable Internet access to or from a VPC, four things must be done:

  1. Attach an Internet gateway (IGW) to the VPC.
  2. Create a route to the IGW.
  3. Ensure your hosts have public Internet addresses.
  4. Configure NACLs and Security Groups to allow Internet access.

Describe an IGW with the AWS CLI

$ aws ec2 describe-internet-gateways

Output:

{
    "InternetGateways": [
        {
            "Tags": [],
            "InternetGatewayId": "igw-c0a643a9",
            "Attachments": [
                {
                    "State": "available",
                    "VpcId": "vpc-a01106c2"
                }
            ]
        },
        {
            "Tags": [],
            "InternetGatewayId": "igw-046d7966",
            "Attachments": []
        }
    ]
}

Create an IGW with the AWS CLI

$ aws ec2 create-internet-gateway

Output:

{
    "InternetGateway": {
        "Tags": [],
        "InternetGatewayId": "igw-c0a643a9",
        "Attachments": []
    }
}

Attach an IGW to a VPC with the AWS CLI

$ aws ec2 attach-internet-gateway --internet-gateway-id igw-c0a643a9 --vpc-id vpc-a01106c2

Create a default route out the IGW with the AWS CLI

$ aws ec2 create-route --route-table-id rtb-22574640 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-c0a643a9
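A subnet is only reachable from the Internet once both step 1 (the IGW is attached) and step 2 (a default route points at it) are in place. The script below is an added example, not from the original post: it parses the JSON shapes that `describe-internet-gateways` and `describe-route-tables` return and lists which subnets have an active default route to an attached IGW. The sample documents are constructed, reusing the igw/vpc/rtb ids from this post plus made-up subnet ids; in practice the two documents would come from the CLI calls shown above.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-internet-gateways`:
# igw-c0a643a9 is attached to vpc-a01106c2, igw-046d7966 is not attached.
IGW_DOC = json.loads("""{"InternetGateways": [
  {"InternetGatewayId": "igw-c0a643a9",
   "Attachments": [{"State": "available", "VpcId": "vpc-a01106c2"}]},
  {"InternetGatewayId": "igw-046d7966", "Attachments": []}]}""")

# Constructed sample in the shape of `aws ec2 describe-route-tables`.
# rtb-22574640 carries the default route created above; the other two
# tables (made-up ids) have no usable default route.
RT_DOC = json.loads("""{"RouteTables": [
  {"RouteTableId": "rtb-22574640", "VpcId": "vpc-a01106c2",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-c0a643a9", "State": "active"}],
   "Associations": [{"Main": false, "SubnetId": "subnet-pub-1"}]},
  {"RouteTableId": "rtb-private-1", "VpcId": "vpc-a01106c2",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
   "Associations": [{"Main": true}, {"Main": false, "SubnetId": "subnet-prv-1"}]},
  {"RouteTableId": "rtb-stale-1", "VpcId": "vpc-other-1",
   "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-046d7966", "State": "blackhole"}],
   "Associations": [{"Main": false, "SubnetId": "subnet-stale-1"}]}]}""")


def attached_igws(igw_doc):
    """Map IGW id -> VPC id for gateways whose attachment state is 'available'."""
    return {g["InternetGatewayId"]: a["VpcId"]
            for g in igw_doc["InternetGateways"]
            for a in g.get("Attachments", []) if a.get("State") == "available"}


def public_subnets(igw_doc, rt_doc):
    """Return {subnet_id: igw_id} for subnets whose route table has an active
    default route (0.0.0.0/0 or ::/0) to an IGW attached to the same VPC.
    Only explicit subnet associations are resolved; subnets that fall back to
    the main route table would need `describe-subnets` to enumerate."""
    igws = attached_igws(igw_doc)
    found = {}
    for rt in rt_doc["RouteTables"]:
        igw = next((r["GatewayId"] for r in rt.get("Routes", [])
                    if r.get("State") == "active"
                    and (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                         or r.get("DestinationIpv6CidrBlock") == "::/0")
                    and igws.get(r.get("GatewayId")) == rt["VpcId"]), None)
        if igw is None:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                found[assoc["SubnetId"]] = igw
    return found


if __name__ == "__main__":
    for subnet, igw in sorted(public_subnets(IGW_DOC, RT_DOC).items()):
        print(f"{subnet} is Internet-routable via {igw}")
```

Only subnet-pub-1 is reported: the private table has no default route, and the stale table's route is blackholed and points at an IGW that is not attached.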

Configure NACL to allow access with the AWS CLI

Allow inbound UDP DNS traffic:

$ aws ec2 create-network-acl-entry --network-acl-id acl-5fb85d36 --ingress --rule-number 100 --protocol udp --port-range From=53,To=53 --cidr-block 0.0.0.0/0 --rule-action allow

Configure Security Group to allow access with the AWS CLI

See egress and ingress API docs.

Detach an IGW with the AWS CLI

$ aws ec2 detach-internet-gateway --internet-gateway-id igw-c0a643a9 --vpc-id vpc-a01106c2

Delete an IGW with the AWS CLI

$ aws ec2 delete-internet-gateway --internet-gateway-id igw-c0a643a9

Egress-Only IGW

Egress-only IGWs provide outbound-only IPv6 connectivity: instances can initiate connections to the Internet, but the Internet cannot initiate connections to them. For IPv4, use a NAT gateway.

Sources

- VPC Internet Gateway
- Egress Only Internet Gateway
- VPC User Guide Scenarios and Examples