15. Lab: NAT Gateway private Internet access
1-click deployment: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://learn-cantrill-labs.s3.amazonaws.com/awscoursedemos/0003-aws-associate-vpc-private-internet-access-using-nat-gateways/a4l_vpc_privateinternet_nat.yaml&stackName=A4L
🛠️ DEMO: Implement a Multi-AZ NAT Gateway Architecture (detailed step-by-step)
🎯 Goals of this demo
- Deploy 3 NAT Gateways, one per AZ, so the design stays resilient across the whole region
- Configure route tables for the private subnets
- Test outbound Internet connectivity from an EC2 instance in a private subnet
- Do a full clean-up so nothing is left running and billing
📋 Pre-flight checks
Environment Setup
- [x] Logged in as the IAM admin user
- [x] Region: us-east-1 (N. Virginia)
- [x] Account cleaned up from the previous demo
- [x] CloudFormation one-click deployment link to hand (see top of page)
PART 1: Deploy the base infrastructure with CloudFormation
1.1. Apply the CloudFormation template
📍 CloudFormation Console → Create Stack
Template: one-click deployment link (provided with the lesson)
Stack name: A4L
Parameters: pre-populated
Capabilities: ☑️ tick the IAM acknowledgment (the template creates the instance role that Session Manager needs)
Action: Create Stack
⏳ Wait for: CREATE_COMPLETE status
1.2. Verify the infrastructure
📍 CloudFormation → A4L Stack → Resources tab
Key resource: A4L-InternalTest (EC2 instance)
Location: private subnet (App-A), so the instance has no public IP
Purpose: test NAT Gateway functionality
Wait for:
  ✅ Instance status: 2/2 checks passed
  ✅ Session Manager connectivity available
1.3. Test current connectivity
📍 EC2 Console → A4L-InternalTest → Connect → Session Manager
Test command: ping 1.1.1.1
Expected result: ❌ no connectivity (timeout)
Reason: the subnet's route table has no 0.0.0.0/0 route to a NAT Gateway yet. Session Manager still connects (as seen in 1.2), so the instance is reachable for testing even though it has no path to the Internet.
PART 2: Create NAT Gateways (3-AZ design)
2.1. Create NAT Gateway A
📍 VPC Console → NAT Gateways → Create NAT Gateway
Name: A4L-VPC1-NATGW-A
Subnet: SN-Web-A (public subnet in AZ-A; a public NAT Gateway must live in a subnet whose route table sends 0.0.0.0/0 to the Internet Gateway)
Elastic IP: click "Allocate Elastic IP" (this becomes the fixed source address of all outbound traffic from AZ-A's private subnets)
Connectivity type: Public (default)
Action: Create NAT Gateway
2.2. Create NAT Gateway B
📍 Repeat the process for AZ-B
Name: A4L-VPC1-NATGW-B
Subnet: SN-Web-B (public subnet in AZ-B)
Elastic IP: allocate a new Elastic IP
Action: Create NAT Gateway
2.3. Create NAT Gateway C
📍 Repeat the process for AZ-C
Name: A4L-VPC1-NATGW-C
Subnet: SN-Web-C (public subnet in AZ-C)
Elastic IP: allocate a new Elastic IP
Action: Create NAT Gateway
⏳ Wait for: all 3 NAT Gateways → "Available" status (creation takes a few minutes; no traffic flows through a gateway that is still "Pending")
PART 3: Create private route tables
3.1. Route table for AZ-A
📍 VPC Console → Route Tables → Create Route Table
Name: A4L-VPC1-RT-Private-A
VPC: A4L-VPC1
Action: Create
3.2. Route table for AZ-B
📍 Repeat: Name A4L-VPC1-RT-Private-B, VPC A4L-VPC1 → Create
3.3. Route table for AZ-C
📍 Repeat: Name A4L-VPC1-RT-Private-C, VPC A4L-VPC1 → Create
PART 4: Configure default routes
4.1. Add a route to RT-Private-A
📍 Select RT-Private-A → Routes tab → Edit Routes
Add Route:
  Destination: 0.0.0.0/0
  Target: NAT Gateway → A4L-VPC1-NATGW-A
Action: Save Changes
4.2. Add a route to RT-Private-B
📍 Select RT-Private-B → Routes tab → Edit Routes
Add Route:
  Destination: 0.0.0.0/0
  Target: NAT Gateway → A4L-VPC1-NATGW-B
Action: Save Changes
4.3. Add a route to RT-Private-C
📍 Select RT-Private-C → Routes tab → Edit Routes
Add Route:
  Destination: 0.0.0.0/0
  Target: NAT Gateway → A4L-VPC1-NATGW-C
Action: Save Changes
PART 5: Associate route tables with subnets
5.1. Associate RT-Private-A with the AZ-A subnets
📍 Select RT-Private-A → Subnet Associations → Edit
Associate with:
  ☑️ SN-Reserved-A
  ☑️ SN-App-A  
  ☑️ SN-DB-A
Action: Save Associations
5.2. Associate RT-Private-B with the AZ-B subnets
📍 Select RT-Private-B → Subnet Associations → Edit
Associate with:
  ☑️ SN-Reserved-B
  ☑️ SN-App-B
  ☑️ SN-DB-B
Action: Save Associations  
5.3. Associate RT-Private-C with the AZ-C subnets
📍 Select RT-Private-C → Subnet Associations → Edit
Associate with:
  ☑️ SN-Reserved-C
  ☑️ SN-App-C
  ☑️ SN-DB-C
Action: Save Associations
PART 6: Test NAT Gateway functionality
6.1. Verify connectivity
📍 Session Manager → A4L-InternalTest
Test command: ping 1.1.1.1
Expected result: ✅ success, replies received
Meaning: the private instance now reaches the Internet through the NAT Gateway. This is outbound only: the NAT Gateway forwards replies to flows the instance started, so nothing on the Internet can open a connection to the instance.
Additional tests:
  ping google.com  ✅ replies come back (name resolution uses the VPC resolver and works even without NAT; the replies are what prove the egress path)
  curl ifconfig.me  ✅ prints the Elastic IP of A4L-VPC1-NATGW-A, because the instance is in the AZ-A subnet
6.2. Architecture verification
🔄 Traffic flow now in place:
Private instance (10.16.32.x, SN-App-A) →
Route table (RT-Private-A) →
NAT Gateway A (in AZ-A, source address = its Elastic IP) →
Internet Gateway →
Internet
✅ Multi-AZ resilient: each AZ has its own NAT Gateway
✅ Fault tolerant: a NAT Gateway is an AZ-scoped resource, so an AZ failure takes out only that AZ's egress and the other AZs keep working
PART 7: Clean-up (important to avoid charges)
7.1. Disassociate the route tables
📍 For each RT-Private (A, B, C):
Route Tables → select the RT → Subnet Associations → Edit
Action: uncheck all subnets → Save
Result: the subnets fall back to the VPC's Main route table
7.2. Delete the route tables
📍 Route Tables → Select all RT-Private-* → Actions → Delete
Confirm: Delete Route Tables
Wait: Verify deletion completed
7.3. Delete the NAT Gateways
📍 NAT Gateways → Select each NAT Gateway → Actions → Delete
For each (A, B, C):
  Type: "delete" to confirm
  Click: Delete
⏳ Wait: All status = "Deleted" (not "Deleting")
7.4. Release the Elastic IPs
📍 VPC Console → Elastic IPs
For each of the 3 allocated IPs:
  Select the IP → Actions → Release Elastic IP address
  Confirm: Release
⚠️ Important: an Elastic IP cannot be released while its NAT Gateway still exists, so finish 7.3 (status "Deleted") first. Elastic IPs are not part of the stack, so any left unreleased keep billing after the stack is gone.
7.5. Delete the CloudFormation stack
📍 CloudFormation Console → A4L Stack
Actions: Delete Stack
Confirm: Delete
Wait: DELETE_COMPLETE status
Result: All resources cleaned up
📚 Practical notes & things to remember
Key Learnings
✅ Multi-AZ NAT design requirements:
  - 1 NAT Gateway per AZ (not per region!)
  - 1 route table per AZ
  - Each private subnet routes to the NAT Gateway in its own AZ
  - 1 Elastic IP per NAT Gateway (a remote firewall that allowlists your egress must allow all three addresses)
✅ Cost considerations:
  - NAT Gateway: billed per hour (about $0.045/h in us-east-1, roughly $33/month per gateway even when idle) plus a per-GB data-processing charge; three gateways means three hourly charges
  - Elastic IP: since February 2024 AWS bills every public IPv4 address at $0.005/h (about $3.65/month) whether it is attached or not; the old "free while attached" rule no longer applies
  - Always clean up unused resources!
Common Mistakes
❌ Routing all AZs to 1 NAT Gateway → single point of failure
❌ Cross-AZ routing → unnecessary charges & latency  
❌ Forgetting to associate route tables → no connectivity
❌ Not releasing Elastic IPs → unexpected charges
❌ Not waiting for NAT Gateway "Available" status
Troubleshooting Checklist
🐛 If the private instance can't reach the Internet:
1. ✅ NAT Gateway status = Available?
2. ✅ Route table has 0.0.0.0/0 → NAT Gateway, and the route is active rather than blackhole?
3. ✅ Route table associated with the correct subnets? (an unassociated subnet silently uses the Main route table)
4. ✅ Private subnet & NAT Gateway in the same AZ?
5. ✅ Public subnet hosting the NAT Gateway has a 0.0.0.0/0 → IGW route?
6. ✅ Instance Security Group allows the outbound traffic? (NAT Gateways have no Security Group of their own)
7. ✅ NACLs on both the private subnet and the NAT Gateway's subnet allow the traffic and the ephemeral-port return traffic?
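Checks 1 to 5 of the list above, and the per-AZ routing built in Parts 2 to 5, can be verified from the API instead of by clicking through the console. The script below is an added example for this page (not code from the course or from AWS): it consumes the JSON that `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` return and reports every private subnet whose default route is missing, points at a NAT Gateway that is not Available, crosses an AZ, or lands on a NAT Gateway whose own subnet has no IGW route. The fixture IDs (`vpc-a4l`, `nat-A`, `rtb-private-B`, ...) are constructed, not real AWS identifiers; checks 6 and 7 (Security Groups, NACLs) are not covered.

```python
"""Audit private-subnet egress for the one-NAT-Gateway-per-AZ pattern.
Added example for this lab (not course or AWS code). It consumes the JSON shapes of
`aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` (same
as the boto3 responses), so it runs offline on the constructed fixture below."""


def route_table_for(subnet, route_tables):
    """Resolve a subnet's route table: explicit association wins, else the VPC's Main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main") and rt["VpcId"] == subnet["VpcId"]:
                main = rt
    return main


def default_route(rt):
    """Return (kind, target) for the 0.0.0.0/0 route, or None if the table has none."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("State") == "blackhole":  # target was deleted underneath the route
            return ("blackhole", None)
        if "NatGatewayId" in r:
            return ("nat", r["NatGatewayId"])
        gw = r.get("GatewayId", "")
        return ("igw" if gw.startswith("igw-") else "other", gw or r.get("NetworkInterfaceId"))
    return None


def audit_private_egress(subnets, route_tables, nat_gateways):
    """Return [(subnet_id, problem), ...]; public subnets (IGW default route) are skipped."""
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    by_id = {s["SubnetId"]: s for s in subnets}
    problems = []
    for s in subnets:
        sid, az = s["SubnetId"], s["AvailabilityZone"]
        rt = route_table_for(s, route_tables)
        route = default_route(rt) if rt else None
        if route and route[0] == "igw":
            continue
        if route is None:
            problems.append((sid, "no 0.0.0.0/0 route (check 2/3: route missing or table not associated)"))
            continue
        kind, target = route
        if kind != "nat":
            problems.append((sid, f"default route target is {kind} {target}, not a NAT Gateway"))
            continue
        nat = nats.get(target)
        if nat is None:
            problems.append((sid, f"{target} does not exist (deleted NAT Gateway?)"))
            continue
        if nat["State"] != "available":
            problems.append((sid, f"{target} is '{nat['State']}', not available (check 1)"))
        nat_subnet = by_id.get(nat["SubnetId"])
        if nat_subnet is None:
            problems.append((sid, f"{target} sits in unknown subnet {nat['SubnetId']}"))
            continue
        if nat_subnet["AvailabilityZone"] != az:
            problems.append((sid, f"{target} is in {nat_subnet['AvailabilityZone']} but subnet is in {az} "
                                  "(check 4: cross-AZ egress, extra cost and no AZ isolation)"))
        nat_rt = route_table_for(nat_subnet, route_tables)
        nat_route = default_route(nat_rt) if nat_rt else None
        if not (nat_route and nat_route[0] == "igw"):
            problems.append((sid, f"{target}'s subnet {nat['SubnetId']} has no 0.0.0.0/0 -> IGW route (check 5)"))
    return problems


def lab_fixture(broken):
    """Constructed data shaped like this lab's VPC (fake IDs). broken=True reproduces three
    'Common Mistakes': cross-AZ routing, a NAT Gateway not yet Available, a subnet never associated."""
    vpc, igw = "vpc-a4l", "igw-a4l"
    web_rt = {"RouteTableId": "rtb-web", "VpcId": vpc, "Associations": [],
              "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": igw, "State": "active"}]}
    main_rt = {"RouteTableId": "rtb-main", "VpcId": vpc, "Associations": [{"Main": True}], "Routes": []}
    subnets, rts, natgws = [], [web_rt, main_rt], []
    for az in "ABC":
        az_name = f"us-east-1{az.lower()}"
        subnets += [{"SubnetId": f"sn-web-{az}", "VpcId": vpc, "AvailabilityZone": az_name},
                    {"SubnetId": f"sn-app-{az}", "VpcId": vpc, "AvailabilityZone": az_name}]
        web_rt["Associations"].append({"SubnetId": f"sn-web-{az}"})
        natgws.append({"NatGatewayId": f"nat-{az}", "SubnetId": f"sn-web-{az}", "State": "available"})
        rts.append({"RouteTableId": f"rtb-private-{az}", "VpcId": vpc,
                    "Associations": [{"SubnetId": f"sn-app-{az}"}],
                    "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": f"nat-{az}",
                                "State": "active"}]})
    subnets.append({"SubnetId": "sn-db-A", "VpcId": vpc, "AvailabilityZone": "us-east-1a"})
    if broken:
        rts[3]["Routes"][0]["NatGatewayId"] = "nat-A"  # RT-Private-B wrongly points at NAT Gateway A
        natgws[2]["State"] = "pending"                 # NAT Gateway C still being created
        # sn-db-A is left with no association, so it falls back to rtb-main, which has no default route
    else:
        rts[2]["Associations"].append({"SubnetId": "sn-db-A"})
    return subnets, rts, natgws


if __name__ == "__main__":
    for subnet_id, problem in audit_private_egress(*lab_fixture(broken=True)):
        print(f"{subnet_id}: {problem}")
```

Run it as-is to see the three findings on the broken fixture. To audit the real lab VPC, save the three CLI outputs (`aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>`, `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`, and `aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=<vpc-id>`, note the singular `--filter` on the last one), `json.load` them, and pass the `Subnets`, `RouteTables` and `NatGateways` arrays to `audit_private_egress`; an empty list means every private subnet egresses through an Available NAT Gateway in its own AZ, which is the state Part 6 tests by hand.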
✅ Summary of achievements
- ✅ Multi-AZ NAT architecture implemented (the pattern used in production)
- ✅ Regional resilience achieved (an AZ failure won't break egress in the other AZs)
- ✅ Private Internet access working (ping 1.1.1.1 succeeded)
- ✅ Proper clean-up completed (no unexpected charges)
After this demo you have the multi-AZ NAT Gateway design down, a core skill for production AWS environments. This layout is the one used in real deployments, and NAT Gateways scale to handle heavy production traffic. 🚀
Tip: keep this layout as a template for future projects!