How To Provide Internet Connectivity to AWS VPCs
Brien Posey shows how to enable Internet access as part of the Virtual Private Cloud creation process.
With some exceptions, the EC2 instances residing within an Amazon Web Services (AWS) Virtual Private Cloud (VPC) often require Internet connectivity. The default VPC is automatically configured to provide Internet access. If you create additional VPCs, however, those VPCs may or may not allow for Internet connectivity depending on how they were created. In this article, I want to show you how to enable Internet access as part of the VPC creation process. Then I want to show you how to use a gateway to provide Internet access to a VPC that wasn't initially set up to allow access to the Internet.
The Default VPC
As previously mentioned, the default VPC is automatically configured to allow Internet access. If you look at Figure 1, you can see that my default VPC has an ID of VPC-A933363CD. If I click on the Internet Gateways tab, you can see that there's an Internet gateway attached to my default VPC, as shown in Figure 2. I did not create this Internet gateway. AWS created the gateway automatically at the time that I set up my subscription.
AWS doesn't confine you to a single VPC. You have the ability to create additional VPCs on an as-needed basis. The way in which you create a VPC determines whether that VPC will initially allow for Internet connectivity.
If you were to click on the Your VPCs tab and then click on the Create VPC link, you'll be taken to a screen like the one shown in Figure 3. This screen essentially acts as a shortcut to creating VPCs. All you have to do is enter a name for the VPC, and an IPv4 CIDR block (an IP address range) and click on the blue button to create the VPC. As you can see in Figure 4, however, creating a VPC in this way doesn't result in the creation of an Internet gateway. But there is a button that you can use to create a new Internet gateway.
The VPC Wizard
The VPC creation method that I just showed you isn't the primary method for setting up a new VPC. If you want to create a VPC, and you want more control over the process, then you're better off using the VPC Wizard. To access this wizard, click on the VPC Dashboard tab (at the top of the screen, above the search box), and then click on the Start VPC Wizard button. This brings you to the screen shown in Figure 5.
I recently wrote a detailed article outlining the process of creating a VPC, so I'm not going to go through all of the steps all over again. What I do want to point out, however, is that the screen shown in Figure 5 gives you a choice of four basic VPC configurations. The choice that you make on this screen determines whether the VPC will be provisioned with Internet connectivity. The two options that will create a VPC with an attached Internet gateway are the first option, VPC with a Single Public Subnet, and the second option, VPC with Public and Private Subnets (NAT).
Adding an Internet Gateway Later On
You can manually add an Internet gateway to a VPC if you later realize that the VPC needs Internet connectivity. The process for doing so is relatively easy, although it's important to realize that I'm only covering a basic Internet gateway, not an egress-only gateway, or a NAT. So with that said, there are five basic steps to enabling Internet access for EC2 instances in VPCs that don't currently have a gateway. Those steps include:
- Create a Gateway
- Attach the gateway to the VPC
- Point the subnet's routing table to the gateway
- Provision EC2 instances with public IP addresses
- Check your security group (firewall) rules to make sure that traffic is allowed to flow between the instances and the Internet.
Now that you're familiar with the role that an Internet gateway plays in an AWS VPC, I'll show you how to manually provision a gateway in a follow-up article.
Brien Posey is a 16-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.