What is an Egress only Internet Gateway

Lab Details

  1. This lab walks you through the steps to create a VPC with IPv6 enabled and launch an EC2 instance in that VPC. Next, you will create and configure the Egress only IGW in the VPC and understand its use.

  2. You will practice the lab using VPC and EC2.

  3. Duration: 90 minutes

  4. AWS Region: US East (N. Virginia) us-east-1


What is an Egress only Internet Gateway?

  • An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component. 

  • It allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.

  • IPv6 addresses are globally unique, and are therefore public by default.

  • If you want your instance to be able to access the internet, but you want to prevent resources on the internet from initiating communication with your instance, you can use an egress-only internet gateway.

  • An egress-only internet gateway is stateful: it forwards traffic from the instances in the subnet to the internet or other AWS services, and then sends the response back to the instances.

What is a VPC?

  • VPC stands for Virtual Private Cloud.

  • It’s a custom-defined virtual network within the AWS Cloud.

  • Users can logically create their personal network, designing and implementing a separate and independent network that would operate in the AWS Cloud.

  • Primary components are: Subnets, IP addresses, NAT devices (instances and gateways), Route Tables, Internet and Virtual Private Gateways, Access Control Lists, Security Groups, and VPC Endpoints.

  • A subnet is a segment of the VPC IP address range, where we can launch EC2 Instances, RDS, and other AWS resources.

  • Subnets are further classified as Public and Private.

  • Public subnets hold resources that can be accessed from the Internet.

  • Common attributes for instances in Public Subnets to have are:

      • Elastic IP (EIP) address or Public IP address attached to the EC2 instance.

      • IGW attached to the VPC.

      • The subnet's route table must have a route whose target is the internet gateway (IGW).

      • Security groups and NACLs should not block remote access.

  • Public subnets are associated with a route table that directs subnet traffic to the internet using an Internet Gateway.

  • Private subnets hold resources that can be accessed from within the VPC network.

  • Multiple subnets can be associated with a single route table. However, a single subnet cannot be associated with multiple route tables.

  • Route tables hold sets of rules, called routes, that determine where network traffic is directed.

  • Every subnet in a VPC is associated with exactly one route table.

  • The Primary or Main route table is the one that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.

  • The main (default) route table cannot be deleted.

  • Custom route tables are the ones you create for your VPC, and you can add routes as needed.

  • Custom route tables can be deleted when not required.

  • Internet Gateway (IGW) is a virtual router which helps a VPC connect to the Internet.

  • By default, instances launched in a VPC cannot communicate with the Internet. To enable Internet access, an Internet Gateway needs to be attached to the VPC.

  • Public subnets are connected to the IGW through their route tables, which is what makes them reachable over the Internet.

  • Internet Gateways are horizontally scalable, highly available and redundant.

  • An Elastic IP (EIP) address is a static public IPv4 address designed for dynamic cloud computing.

  • It is associated with an AWS Account, and you can use it to mask an instance failure: if a server fails, you can remap the address to another server and keep going without any issues.

  • A NAT device is either a NAT Instance or a NAT Gateway residing in a Public subnet, with an EIP assigned to it.

  • NAT devices help instances in Private subnets interact with the Internet.

  • A network Access Control List (ACL) is an optional layer of security that acts as a firewall controlling network traffic in and out of a subnet.

  • Rules are defined in the ACL to allow or deny network traffic based on ports and IP addresses.
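The routing explained above is what makes the difference between the two IPv6 default routes used in this lab: ::/0 pointing at an Internet Gateway makes a subnet reachable from the internet, while ::/0 pointing at an Egress only Internet Gateway allows outbound traffic only. The following Python is an added example, not part of the lab; it audits that difference from constructed data shaped like the `aws ec2 describe-route-tables` response (the field names are the real API keys; the route table, subnet, gateway IDs and address prefixes are placeholders) and classifies each subnet's IPv6 exposure.

```python
# Constructed sample shaped like the `aws ec2 describe-route-tables` response;
# field names are the real API keys, all IDs and prefixes are placeholders.
SAMPLE_ROUTE_TABLES = [
    {   # Client_Network public route table: ::/0 -> IGW, reachable from the internet
        "RouteTableId": "rtb-client-public",
        "Associations": [{"SubnetId": "subnet-client-public", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "2001:db8:1::/56", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-client", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-client", "State": "active"},
        ],
    },
    {   # MyVPC_Network public route table after the egress-only route is added
        "RouteTableId": "rtb-myvpc-public",
        "Associations": [{"SubnetId": "subnet-myvpc-public", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "2001:db8:2::/56", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-myvpc", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-myvpc", "State": "active"},
        ],
    },
]


def ipv6_exposure(route_table: dict) -> str:
    """Return 'inbound-and-outbound' if the active ::/0 route targets an IGW,
    'outbound-only' if it targets an egress-only IGW, else 'none'."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0" or route.get("State") != "active":
            continue  # not the IPv6 default route, or a blackhole route
        if route.get("EgressOnlyInternetGatewayId", "").startswith("eigw-"):
            return "outbound-only"
        if route.get("GatewayId", "").startswith("igw-"):
            return "inbound-and-outbound"
    return "none"


def audit_subnets(route_tables: list) -> dict:
    """Map every explicitly associated subnet to its IPv6 exposure class."""
    result = {}
    for rt in route_tables:
        exposure = ipv6_exposure(rt)
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):  # the main-table association carries no SubnetId
                result[assoc["SubnetId"]] = exposure
    return result
```

Run `audit_subnets` over the real response (for example, the JSON returned by the CLI) to list which subnets accept inbound IPv6 connections from the internet and which are egress only.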

Case study

  • Most internet service providers still use the IPv4 protocol, so you cannot test IPv6 from your own network.

  • To use the IPv6 protocol, you would need to change the settings of the physical router you use at home or in the office.

  • Any wrong configuration may cause hardware or network failure.

As a solution, we will create an extra VPC with IPv6 enabled (Client_Network) to test the actual VPC with the Egress only Internet Gateway (MyVPC_Network). In this lab you will use the Client VPC network to test IPv6 connectivity, because AWS supports both protocols.

Architecture Diagram

Task Details

  1. Launching Lab Environment.

  2. Create a Server VPC and Enable IPv6.

  3. Create and attach an Internet Gateway.

  4. Create a Public subnet.

  5. Create a Public Route Table and associate it with the subnet.

  6. Add the public Route in the Route table.

  7. Create an EC2 Instance.

  8. Create a Client VPC and Enable IPv6.

  9. Create and attach an Internet Gateway.

  10. Create a Public subnet.

  11. Create a Public Route Table and associate it with the subnet.

  12. Add the public Route in the Route table.

  13. Create an EC2 Instance.

  14. Test the connectivity.

  15. Create and attach an Egress only Internet Gateway.

  16. Add the Egress only IGW Route in the Route table.

  17. Test the connectivity.

  18. Validation of the lab.

  19. Deleting AWS resources.