Creating a Windows NAT in Amazon Web Services (AWS)
As I’ve probably stated before, I use Amazon Web Services on a daily basis in my work, and recently I’ve been considering moving my own private hosting to them (For this very blog, for example).
The problem I have with Amazon Web Services is that it seems to me they should stick a big ‘BETA’ sticker on the front of it. I say this because although AWS has a lot of genius and good ideas, as well as being very affordable, it is somewhat buggy. There are also a lot of unexplained and odd things that happen when you do more advanced things within its infrastructure.
For examples of these glitches, have a look at the AWS Support Forums.
Now, onto the issue at hand. Within AWS, if running a VPC (Virtual Private Cloud), you can spin up what is called a ‘NAT Instance’, which essentially does what it says (performs NAT, providing other instances with Internet access). This instance is a locked down Linux image that you’re unable to modify, which is very wasteful. Something I’ve tried before (and failed) is to create my own NAT, running in Windows or Linux, and this is possible… but it’s not exactly straightforward.
This time I’ve decided to create a Windows 2008 R2 NAT.
I’ve searched high and low for some ideas on how to do this and also if there are any oddities to be aware of when working within AWS’s infrastructure (I know very well, that something that appears straightforward can be made very complicated when doing it within AWS).
So, I’ve managed to do it and thought I would publish my howto, which has been pulled together from all the various bits of Windows knowledge that I have as well as some random AWS articles I’ve seen here and there. Most importantly, I have seen nowhere (and I mean NOWHERE) which puts this information into one place. So here it is. Bear in mind that you’ll need some prior knowledge of AWS to understand some of this, which I can’t teach within this article.
Assumptions here are:
-You have a VPC created
-You have 2 subnets in your VPC (for this exercise 10.0.0.0/24 ‘PublicSubnet’ & 10.0.1.0/24 ‘PrivateSubnet’)
-You have an Internet Gateway (IGW)
-You have created an instance in each VPC subnet (‘Instance1’ in PublicSubnet, ‘Instance2’ in PrivateSubnet)
-You have an understanding of how resources are set up, such as DHCP Options, Route Tables, Access Control Lists (ACL), Security Groups, Elastic IPs (EIP), etc.
-‘Instance1’ is going to be your NAT server to provide internet access to ‘Instance2’
Actual Steps:
Instance1 has 2 interfaces: create a second interface to go alongside the first boot interface.
IPs: boot interface = 10.0.0.10 & Additional interface = 10.0.0.11
Instance2 has 1 interface: boot interface = 10.0.1.5
In AWS console, disable source/destination checking on both interfaces.
Add default route of 0.0.0.0/0 to Route table of ‘PrivateSubnet’, target of this route is interface2 of Instance1 (10.0.0.11).
Make sure an Elastic IP is assigned to Interface1 of Instance1 (10.0.0.10)
Check your Security Groups and ACLs to provide access to Instance1 in PublicSubnet
Connect to Interface1 on Instance1 via RDP using the EIP’s address
Disable Windows Firewall
Use Server Manager to add “Network Policy and Access Services” role (including “Remote Access Service” and “Routing”)
After Installation completes, open Server Manager
Browse to “Roles” -> “Network Policy and Access Services” -> “Routing and Remote Access” (RRAS)
Right Click on RRAS and click “Configure and Enable Routing and Remote Access”
A wizard will appear.
Select the option “Network address translation (NAT)”
Select Interface1 when asked to select your internet connection.
On the left side tree, navigate to “IPv4” -> “Static Routes”
On the right side, Click “More Actions” -> “New Static Route”
Add a static route for Interface “Local Area Connection” (10.0.0.10)
Set Destination = 0.0.0.0, Network mask = 0.0.0.0, Gateway = 10.0.0.1
Add another static route but for Interface “Local Area Connection 2” (10.0.0.11)
Set Destination = 10.0.0.0, Network mask = 255.255.255.0, Gateway = 10.0.0.1
(It is important that you create a route to any local network subnet)
While still on Instance1, connect to Instance2 via RDP using private IP (10.0.1.5)
Open Internet Explorer on Instance2 and see if you can get to google.com or somewhere else external.
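The steps above, scripted as an added example (this is not code from the original post). It assumes the AWS Tools for PowerShell are installed and credentialed on the machine running the AWS part, that the eni-/rtb-/eipalloc- values are replaced with your own (the ones below are placeholders), that the Windows part runs as Administrator on Instance1, and that the interface names are the defaults ‘Local Area Connection’ and ‘Local Area Connection 2’ used in the howto. The RRAS feature names are the Windows Server 2008 R2 ones (on 2012 and later the features are RemoteAccess and Routing). The NAT wizard itself is still run in the RRAS MMC as described above; the persistent route.exe entries stand in for the two ‘New Static Route’ entries.

```powershell
# Added example (not from the original post): scripted equivalent of the AWS-side
# and Windows-side steps of the howto. Identifiers below are PLACEHOLDERS.

# ---- AWS side (any machine with AWS Tools for PowerShell) ----
$PublicEni  = 'eni-PUBLIC-PLACEHOLDER'   # Interface1 of Instance1, 10.0.0.10
$NatEni     = 'eni-NAT-PLACEHOLDER'      # Interface2 of Instance1, 10.0.0.11
$PrivateRtb = 'rtb-PRIVATE-PLACEHOLDER'  # route table of PrivateSubnet
$EipAlloc   = 'eipalloc-PLACEHOLDER'     # allocation id of the Elastic IP

# Disable source/destination checking on both NAT interfaces; without this,
# EC2 drops any packet whose addresses do not match the ENI's own.
foreach ($eni in $PublicEni, $NatEni) {
    Edit-EC2NetworkInterfaceAttribute -NetworkInterfaceId $eni -SourceDestCheck $false
}

# PrivateSubnet's default route points at the NAT host's second interface.
New-EC2Route -RouteTableId $PrivateRtb -DestinationCidrBlock '0.0.0.0/0' -NetworkInterfaceId $NatEni

# Elastic IP on Interface1 so the NAT host can reach the Internet Gateway.
Register-EC2Address -NetworkInterfaceId $PublicEni -AllocationId $EipAlloc

# ---- Windows side (run as Administrator on Instance1) ----
Import-Module ServerManager
# 2008 R2 feature names; use RemoteAccess, Routing on Server 2012 and later.
Add-WindowsFeature NPAS-RRAS-Services, NPAS-RRAS, NPAS-Routing

# The howto turns the firewall off. RRAS NAT does not require that; a tighter
# build leaves it on and only allows RDP from the addresses that need it.
netsh advfirewall set allprofiles state off

# Interface indexes looked up by connection name, so route.exe binds each
# route to the intended interface rather than guessing from the gateway.
$pub  = (Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='Local Area Connection'").InterfaceIndex
$priv = (Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='Local Area Connection 2'").InterfaceIndex

# Persistent (-p) equivalents of the two RRAS static routes:
route -p add 0.0.0.0  mask 0.0.0.0       10.0.0.1 if $pub    # default route out via the public interface
route -p add 10.0.0.0 mask 255.255.255.0 10.0.0.1 if $priv   # local subnet via the second interface

# Check: the default route should now sit on the 10.0.0.10 interface, and
# the NAT host itself should reach the outside before you test Instance2.
route print 0.0.0.0
Test-Connection -ComputerName www.google.com -Count 2
```

After this script, run the ‘Configure and Enable Routing and Remote Access’ wizard (NAT, Interface1 as the Internet connection) exactly as in the steps above, then test from Instance2. If the `route print` output shows a second 0.0.0.0 entry on the 10.0.0.11 interface, that interface received a gateway from DHCP, which is the situation the troubleshooting section below deals with.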
That should do it!
If you have problems with this after following all these steps, you may want to check your DNS settings and Security Groups.
Troubleshooting:
I’ve encountered some interesting issues using this method.
I’ll do my best to come back here and update issues I encounter.
One issue has been Default Gateway settings disappearing.
One way I have worked around this, is to fully set static IP configuration for the public connection (10.0.0.10 in the example above).
This way the public route is the default route out, and if the private system ‘forgets’ its Default Gateway, it doesn’t matter so much.
Something else I have discovered is that the above tip ‘set public IP manually’ doesn’t always work, and can cause issues.
What you can do is to set both connections as static IP (Just check the ‘Details’ on the connection for what to enter) and leave out the Default Gateway for the INTERNAL/PRIVATE connection. This forces external connections through the PUBLIC/EXTERNAL connection (Which has a Gateway), and appears to work well with the static routes you should have created (You did create those static routes?).
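The workaround just described, as an added example in netsh form (not from the original post). It assumes it is run as Administrator on Instance1 with the default connection names, and that the VPC’s DNS resolver is 10.0.0.2 (an assumption: the VPC base address plus two, which is where AWS places it for a 10.0.0.0/16 VPC); take the addresses, mask and gateway from the connection ‘Details’ / ipconfig /all rather than from this listing if yours differ.

```powershell
# Added example (not from the original post): static IP on both connections,
# gateway ONLY on the public one. 10.0.0.2 as DNS is an assumption; confirm
# the values from the connection 'Details' before running.

# PUBLIC/EXTERNAL connection: static address WITH the subnet's default gateway,
# so this is the one and only default route on the box.
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.0.0.10 mask=255.255.255.0 gateway=10.0.0.1
netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=10.0.0.2 register=primary

# INTERNAL/PRIVATE connection: static address and deliberately NO gateway.
# With nothing to 'forget', a lost DHCP gateway can no longer change which
# interface carries traffic out to the Internet.
netsh interface ipv4 set address name="Local Area Connection 2" source=static address=10.0.0.11 mask=255.255.255.0
netsh interface ipv4 set dnsservers name="Local Area Connection 2" source=static address=10.0.0.2 register=primary

# Verify: exactly one 0.0.0.0 route, and only the 10.0.0.10 adapter lists a gateway.
route print 0.0.0.0
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    Select-Object Description, IPAddress, DefaultIPGateway
```

The two static routes from the main steps (default via 10.0.0.1 on the public interface, 10.0.0.0/24 on the second interface) are unaffected by this change and should still be present in `route print` afterwards.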
Jan 24, 2018 at 10:31 pm
What is the reasoning for disabling Windows Firewall in this setup?