You manually launch a NAT AMI in a public subnet. The network is properly configured.
Security groups and network access control lists are properly configured. Instances in a
private subnet can access the NAT. The NAT can access the Internet. However, private
instances cannot access the Internet. What additional step is required to allow access from
the private instances?
Enable Source/Destination Check on the private instances.
Enable Source/Destination Check on the NAT instance.
Disable Source/Destination Check on the private instances.
Disable Source/Destination Check on the NAT instance.
Disabling Source/Destination Checks
Each EC2 instance performs source/destination checks by default. This means that the
instance must be the source or destination of any traffic it sends or receives. However, a NAT
instance must be able to send and receive traffic when the source or destination is not itself.
Therefore, you must disable source/destination checks on the NAT instance.
You can disable the SrcDestCheck attribute for a NAT instance, whether it is running or
stopped, using either the console or the command line.