By design, AWS provisions resources with a restrictive default posture. When you create a new Virtual Private Cloud (VPC), access into that network from the outside world is closed off until you open it. In this article, we go through the steps for connecting a VPC to the internet and review the common connectivity issues encountered when trying to reach resources inside a VPC.
Attaching an Internet Gateway
The first step to enable internet access for a VPC is to attach an Internet Gateway. This is a VPC component that provides the path between your network and the internet, and it also performs the one-to-one translation between an instance's private address and its public address. From your AWS account, you can create a new Internet Gateway by selecting the “Internet Gateways” option on the VPC dashboard and clicking “Create internet gateway”.
Once your Internet Gateway is created, attach it to your VPC. Attaching it is necessary but not sufficient: traffic only flows through the gateway for subnets whose route table contains a route sending 0.0.0.0/0 to the gateway. Subnets with such a route are what AWS calls public subnets; subnets without it stay private even though the gateway is attached to the VPC. Add that route to the route table associated with each subnet that should accept connections from the internet.
Provisioning Inbound Rules
Like most resources provisioned within AWS, you have to configure the security parameters needed for your use case. If you are hosting instances within your VPC that need to accept inbound connections from the internet, this must be explicitly allowed, and two layers of filtering are involved. Security groups are attached to the instance's network interface and are stateful: allow an inbound port and the reply traffic is permitted automatically. A newly created security group allows no inbound traffic at all. Network Access Control Lists (ACLs) are attached to subnets and are stateless: rules are evaluated in ascending order of rule number, the first match wins, anything unmatched is denied by the trailing “*” rule, and return traffic must be allowed by separate outbound rules. For TCP clients that means allowing the ephemeral port range 1024-65535 outbound. The default network ACL allows all traffic, but a custom one denies everything until you add rules. Network ACLs are set per subnet, and most VPCs have several subnets, so configure the ACL associated with each subnet you intend to use. If you are expecting traffic from anywhere on the web, set the source to 0.0.0.0/0,
which encompasses all IPv4 addresses. This can be restricted to specific ranges or even single addresses, depending on your use case. For example, to allow HTTPS (TCP port 443) from any source, add an inbound allow rule for TCP 443 from 0.0.0.0/0 to the security group and to the network ACL, and, because the ACL is stateless, an outbound allow rule for TCP 1024-65535 to 0.0.0.0/0 as well.
Public IP Assignment of Resources
Even if your VPC has an Internet Gateway attached, the subnet routes to it, and your ACL and security group allow the right kind of traffic, a resource must have a public IP address to be directly reachable from the internet. Addresses in the VPC's CIDR block are private and are never routable from outside. When launching a new EC2 instance, for example, the option exists to auto-assign a public IPv4 address (the default for this option is inherited from the subnet's auto-assign setting). An auto-assigned address is released when the instance is stopped and a different one is assigned on the next start; if you need a stable address, allocate an Elastic IP and associate it with the instance instead.
Troubleshooting Connectivity Issues
In the event that a resource within your VPC is not reachable from the internet when you expect it to be, there are a few common pitfalls worth investigating, roughly in the order the traffic traverses them:
- Ensure that your VPC has an Internet Gateway attached.
- Ensure that the route table associated with the resource's subnet has a route for 0.0.0.0/0 pointing at that Internet Gateway.
- Review the network ACL of each subnet you use: the inbound rules must allow the traffic from the appropriate source, and the outbound rules must allow the return traffic (the client's ephemeral ports), since ACLs are stateless. Remember that a deny rule with a lower number overrides an allow rule with a higher one.
- Review the security group attached to the resource; it must allow the inbound port from the appropriate source.
- Ensure that the resource you are trying to reach has a public IP address (or an associated Elastic IP).
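The following Python script is an added illustration, not code from the original article or from AWS. It models the inbound path described in the inbound-rules section and walked through in the troubleshooting list above: gateway attachment, the subnet route table, network ACL evaluation in rule-number order with an implicit final deny, the stateful security group, the public IP, and the stateless ACL's need for an outbound ephemeral-port rule. It runs offline on a constructed configuration; the gateway ID, the 10.0.0.0/16 CIDR and the 198.51.100.7 / 203.0.113.x addresses are made-up sample values, and real ACL rules have more fields (ICMP types, IPv6) than this simplified model.

```python
"""Model of the inbound path to an EC2 instance in a VPC: internet gateway,
subnet route table, network ACL (stateless, evaluated by rule number),
security group (stateful) and public IP.  Added illustration only; it does
not call AWS and simplifies the real rule format (no ICMP types, no IPv6)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IGW_ID = "igw-0123456789abcdef0"   # hypothetical gateway ID for the sample route table
EPHEMERAL = (1024, 65535)          # outbound NACL range needed for TCP return traffic


@dataclass
class AclRule:
    number: int          # lowest number is evaluated first; first match wins
    protocol: str        # "tcp", "udp" or "all"
    ports: tuple         # (low, high), inclusive
    cidr: str
    action: str          # "allow" or "deny"


@dataclass
class SgRule:
    protocol: str
    ports: tuple
    cidr: str            # security groups only have allow rules


@dataclass
class Subnet:
    routes: dict         # destination CIDR -> target ("local", "igw-...", ...)
    acl_inbound: list
    acl_outbound: list


@dataclass
class Instance:
    subnet: Subnet
    sg_inbound: list
    public_ip: Optional[str]


def _matches(protocol, port, ip, rule):
    lo, hi = rule.ports
    return (rule.protocol in ("all", protocol)
            and lo <= port <= hi
            and ip_address(ip) in ip_network(rule.cidr))


def acl_permits(rules, protocol, port, ip):
    """Network ACL semantics: walk rules by number, the first match decides,
    and the implicit trailing '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(protocol, port, ip, rule):
            return rule.action == "allow"
    return False


def sg_permits(rules, protocol, port, ip):
    """Security group semantics: any matching rule allows; there are no denies."""
    return any(_matches(protocol, port, ip, r) for r in rules)


def route_target(routes, ip):
    """Longest-prefix match over the subnet's route table."""
    addr = ip_address(ip)
    best = max((ip_network(c) for c in routes if addr in ip_network(c)),
               key=lambda n: n.prefixlen, default=None)
    return routes[str(best)] if best else None


def check_inbound(igw_attached, instance, src_ip, dst_port,
                  protocol="tcp", src_port=50000):
    """Return the reasons a connection from src_ip to the instance would fail;
    an empty list means the instance is reachable."""
    problems = []
    if not igw_attached:
        problems.append("no internet gateway attached to the VPC")
    if instance.public_ip is None:
        problems.append("instance has no public IP address")
    if not (route_target(instance.subnet.routes, src_ip) or "").startswith("igw-"):
        problems.append("subnet route table has no route to an internet gateway")
    if not acl_permits(instance.subnet.acl_inbound, protocol, dst_port, src_ip):
        problems.append(f"network ACL inbound rules block {protocol}/{dst_port} from {src_ip}")
    if not sg_permits(instance.sg_inbound, protocol, dst_port, src_ip):
        problems.append(f"security group does not allow {protocol}/{dst_port} from {src_ip}")
    # The NACL is stateless: the SYN-ACK back to the client's ephemeral port
    # must be allowed outbound explicitly or the handshake never completes.
    if not acl_permits(instance.subnet.acl_outbound, protocol, src_port, src_ip):
        problems.append(f"network ACL outbound rules drop return traffic to {src_ip}:{src_port}")
    return problems


def public_https_instance(outbound_ephemeral=True, deny_rule=None):
    """Constructed sample: a public subnet that should serve HTTPS to the internet."""
    inbound = [AclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
    if deny_rule:
        inbound.append(deny_rule)
    outbound = [AclRule(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")] if outbound_ephemeral else []
    subnet = Subnet({"10.0.0.0/16": "local", "0.0.0.0/0": IGW_ID}, inbound, outbound)
    return Instance(subnet, [SgRule("tcp", (443, 443), "0.0.0.0/0")], "198.51.100.7")


if __name__ == "__main__":
    print(check_inbound(True, public_https_instance(), "203.0.113.10", 443))
    print(check_inbound(True, public_https_instance(outbound_ephemeral=False), "203.0.113.10", 443))
    # A deny numbered 90 wins over the allow at 100, but only for the denied range.
    deny = AclRule(90, "tcp", (443, 443), "203.0.113.0/24", "deny")
    print(check_inbound(True, public_https_instance(deny_rule=deny), "203.0.113.10", 443))
    print(check_inbound(True, public_https_instance(deny_rule=deny), "198.51.100.200", 443))
```

The second and third cases are the ones that trip people up in practice: an inbound ACL rule for 443 looks correct, yet the connection hangs because the stateless ACL has no outbound rule for the reply, or because a lower-numbered deny silently shadows the allow for some sources. AWS's VPC Reachability Analyzer performs the real version of this walk against your live configuration.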
It is increasingly common for IT departments to use blacklists that block connections to the published AWS IP address ranges. The reasoning is that bad actors can easily provision servers within these ranges for malicious purposes. While that is true, the same filtering breaks legitimate applications that dynamically use the same address space. Therefore, two less common causes are also worth checking:
- Ensure that your local network's outbound filtering does not block the AWS IP ranges in which your resources' public addresses fall.
- Ensure that connections from the local network can actually be routed across the internet to your target resource in AWS, rather than being sent through a proxy or VPN that drops them.
Did you know that RedLine13 offers a full-featured, time-limited free trial? Sign up now, and start testing today!