Add a Custom NAT instance in AWS VPC

In this tutorial, I am assuming that you have already created a VPC with Public and Private subnets.


In the above scenario, we’ll create a micro instance inside the public subnet with an IP; it will act as the gateway for all the instance(s) inside the private subnet (


Also, please create a separate Security Group for the NAT instance:



After creating the NAT instance, you will notice that it doesn’t have a Public IP:


To fix this, select Elastic IPs from the VPC console and click on “Allocate New Addresses”, select the VPC under “EIP used in” and click on “Yes, Allocate”:


Assign the allocated Elastic IP to the NAT instance:


Now the NAT instance also has a Public IP:


From the EC2 console, right-click on the NAT instance and select “Change Source / Dest. Check”:


Click on “Yes, Disable”.


Connect to the NAT instance using terminal emulation software (e.g. PuTTY), and enable IP forwarding on it:


Uncomment the following line:


Note: Please reboot the machine after enabling IP forwarding, or run the command “sysctl -p”.

Issue the iptables command for MASQUERADE:

iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

Note: Please adjust the subnet (the -s argument) in the above iptables command to your private subnet.

Modify the NAT instance security group to allow all, or only the desired, inbound traffic from the private subnet (in my case, or from the desired server.


Create a custom route table, associate your private subnet(s) with it, and add a default route that uses the NAT instance as the gateway:
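The console steps above (Elastic IP, source/destination check, NAT security group, route table) can also be scripted. The following is an added example, not code from the original post; it uses the AWS CLI, and every ID plus the private subnet CIDR are placeholders that you override from the environment. It verifies that the source/dest check really is off (otherwise EC2 silently drops forwarded packets) and opens the security group only to the private subnet rather than to 0.0.0.0/0:

```shell
#!/bin/sh
# Added example, not code from the original post: the EIP, source/dest check,
# security group and route table steps done with the AWS CLI instead of the
# console. Every ID and the private CIDR below are placeholders (assumptions);
# override them from the environment for your own VPC.
set -eu
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
NAT_INSTANCE_ID="${NAT_INSTANCE_ID:-i-PLACEHOLDER}"
NAT_SG_ID="${NAT_SG_ID:-sg-PLACEHOLDER}"
PRIVATE_SUBNET_ID="${PRIVATE_SUBNET_ID:-subnet-PLACEHOLDER}"
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.1.0/24}"    # assumed private subnet CIDR

# Returns 0 when a describe-instance-attribute response reports the
# source/dest check as disabled. Takes the JSON text as its argument so the
# check can be exercised without calling AWS.
source_dest_check_off() {
    printf '%s' "$1" | tr -d ' \n\t' | grep -q '"SourceDestCheck":{"Value":false}'
}

setup_nat_routing() {
    # 1. Allocate an Elastic IP and attach it to the NAT instance.
    alloc_id=$(aws ec2 allocate-address --domain vpc \
        --query AllocationId --output text)
    aws ec2 associate-address --instance-id "$NAT_INSTANCE_ID" \
        --allocation-id "$alloc_id"

    # 2. Disable the source/dest check; with it on, EC2 drops every packet
    #    whose source or destination is not the instance itself, so nothing
    #    could be forwarded. Verify the change instead of assuming it.
    aws ec2 modify-instance-attribute --instance-id "$NAT_INSTANCE_ID" \
        --no-source-dest-check
    attr=$(aws ec2 describe-instance-attribute --instance-id "$NAT_INSTANCE_ID" \
        --attribute sourceDestCheck)
    source_dest_check_off "$attr" || { echo "source/dest check still enabled" >&2; return 1; }

    # 3. Security group: inbound only from the private subnet, not 0.0.0.0/0.
    aws ec2 authorize-security-group-ingress --group-id "$NAT_SG_ID" \
        --protocol all --cidr "$PRIVATE_CIDR"

    # 4. Route table for the private subnet, default route via the NAT instance.
    rtb_id=$(aws ec2 create-route-table --vpc-id "$VPC_ID" \
        --query RouteTable.RouteTableId --output text)
    aws ec2 create-route --route-table-id "$rtb_id" \
        --destination-cidr-block 0.0.0.0/0 --instance-id "$NAT_INSTANCE_ID"
    aws ec2 associate-route-table --route-table-id "$rtb_id" \
        --subnet-id "$PRIVATE_SUBNET_ID"
    echo "private subnet $PRIVATE_SUBNET_ID now routes 0.0.0.0/0 via $NAT_INSTANCE_ID"
}

# Only talk to AWS when explicitly asked: sh nat-aws-setup.sh apply
if [ "${1:-}" = apply ]; then
    setup_nat_routing
fi
```

Run it with `apply` from a machine whose AWS credentials may modify the VPC; without the argument it only defines the functions. The private subnet's instances keep no public address at all, so the Elastic IP on the NAT instance is the only address the Internet ever sees for them.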



Testing from a server inside the private subnet:




Edit the /etc/rc.local file:

vi /etc/rc.local


Add the following to rc.local before “exit 0”, so that MASQUERADE is enabled automatically at boot time:

iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE
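The instance-side steps (IP forwarding, the MASQUERADE rule, and re-applying it at boot) fit into one script, which is easier to review than commands pasted into rc.local and avoids the duplicate rule that a plain `iptables -A` in rc.local appends on every boot. The script below is an added example, not code from the original post; PRIVATE_CIDR and NAT_IFACE are assumptions to replace with your own subnet and interface. It goes beyond the post's single MASQUERADE rule by also locking down the FORWARD chain, so the instance only forwards connections that originate in the private subnet and their replies:

```shell
#!/bin/sh
# Added example, not code from the original post: configure the Linux NAT
# instance itself. PRIVATE_CIDR and NAT_IFACE are assumptions; set them to
# your private subnet and the interface that faces the Internet gateway.
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.1.0/24}"
NAT_IFACE="${NAT_IFACE:-eth0}"

# Accept only a dotted-quad/prefix. A mistyped or empty -s argument would
# otherwise make the MASQUERADE rule match far more than the private subnet.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the rule set, one command per line, so it can be reviewed, applied,
# or pasted into rc.local. The FORWARD rules accept new connections only
# from the private subnet, replies only for connections conntrack already
# knows, and drop everything else.
nat_rules() {
    cidr="$1"
    iface="$2"
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    cat <<EOF
iptables -t nat -A POSTROUTING -o $iface -s $cidr -j MASQUERADE
iptables -A FORWARD -i $iface -s $cidr -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Turn on forwarding now and persist it, then (re)apply the rules. Flushing
# first keeps a reboot or a second run from appending duplicate rules.
apply_nat() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
    iptables -t nat -F POSTROUTING
    iptables -F FORWARD
    nat_rules "$PRIVATE_CIDR" "$NAT_IFACE" | sh -e
}

# Sanity check to run on the NAT instance after apply, or after a reboot.
check_nat() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ip_forward is off" >&2; return 1; }
    iptables -t nat -C POSTROUTING -o "$NAT_IFACE" -s "$PRIVATE_CIDR" -j MASQUERADE 2>/dev/null \
        || { echo "MASQUERADE rule for $PRIVATE_CIDR missing" >&2; return 1; }
    echo "NAT active for $PRIVATE_CIDR via $NAT_IFACE"
}

case "${1:-}" in
    apply) apply_nat ;;
    check) check_nat ;;
    *) nat_rules "$PRIVATE_CIDR" "$NAT_IFACE" ;;   # default: just print the rules
esac
```

Save it on the NAT instance (for example as /usr/local/sbin/nat-setup.sh), run `sh nat-setup.sh apply` once as root, and put that same line in rc.local before “exit 0” instead of the bare iptables command; `sh nat-setup.sh check` confirms forwarding and the MASQUERADE rule are in place, and running it with no argument only prints the rules it would install.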


Please Remember me in your prayers!

Enjoy 🙂


7 responses to “Add a Custom NAT instance in AWS VPC”

  1. Pingback: Site-to-Site VPN between AWS VPC and Customer Site using Linux | Lazy Geek -:)

  2. Pingback: Site-to-Site VPN between AWS VPC and Customer Site using Linux | Thoai Media

  3. Pingback: Selecting a NAT Instance Size on EC2 | Azavea Labs

  4. Chris March 2, 2015 at 11:44 pm

    thanks – very helpful

  5. Pingback: Install OpenVPN server using Ansible over AWS VPC | Lazy Geek -:)

  6. Pingback: Site-to-Site VPN between AWS VPC and Customer Site using Linux | shashanksingh24

  7. Luis August 22, 2016 at 6:52 am


    All is working fine, except navigation from the internet to my site on my web server is not working.

    How can I achieve this? I need my ELB to have a static IP; could this scenario work for me?

    Thanks in advance..
