Connecting AWS NAT GW to the web


I am currently using an IGW in AWS in order to connect Flask EC2s to outer API requests. I want to secure those servers from now on, meaning moving them into private-IP EC2s and still getting API requests from outside.

I have tried using a NAT GW in order to communicate with a private IP, but I see it is working only from inside to the internet and not the other way around.

How can I use a NAT GW for both directions (or any other solution, for that matter), keeping the security of a private IP and two-way internet communication?


Answer 1 (3 votes)

NAT Gateways do not allow inbound traffic into them (they're designed for allowing a private instance to connect to the internet).

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.

If you want to allow inbound communication to an instance that has a private IP, the following should be performed:

  • For application ports (such as 80 and 443), to allow public inbound access, put a public load balancer in front of your application and access these ports through it.
  • For management ports (such as 22 and 3389), connect either via a VPN connection/Direct Connect connection, or use a Bastion/Jump server in a public subnet to hop into your hosts (avoid this option if possible).
Answer 2 (2 votes)

NAT is used for the public outbound traffic.

For the public inbound traffic, use the Load Balancer with the publicly opened security group and add the inbound rule from the load balancer to the API server. Then, the API server can be accessed from the public only through the load balancer.
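As an added example (not code from either answer), this is what the two answers describe, expressed in Terraform: the app instances' only inbound rule references the load balancer's security group rather than a CIDR, and their default route goes to the NAT gateway, so the internet can reach the app only via the load balancer while the app can still call external APIs. It assumes an existing VPC `aws_vpc.main` and NAT gateway `aws_nat_gateway.main`, a Flask app listening on port 5000, and omits the ALB, listener and target-group resources themselves.

```hcl
# Assumed names: aws_vpc.main, aws_nat_gateway.main, app port 5000.
# Security group for the public load balancer: the internet may reach 443 only.
resource "aws_security_group" "alb" {
  name   = "flask-alb-sg"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group for the Flask instances in the private subnet.
# The ONLY inbound rule references the ALB's security group, not a CIDR,
# so nothing on the internet can reach the app port directly.
resource "aws_security_group" "app" {
  name   = "flask-app-sg"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 5000
    to_port         = 5000
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress { # outbound API calls leave through the NAT gateway
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Private route table: the default route via the NAT GW gives outbound-only
# internet access; inbound connections cannot be initiated through it.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.main.id
  }
}
```

Associate `aws_route_table.private` with the private subnet that holds the Flask instances and register those instances in the ALB's target group on port 5000.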