- In the EC2 console, disable source/dest checking by right-clicking the instance you want to use for NAT and choosing "Change Source / Dest Check". Without this, EC2 drops any packet the instance sends or receives that is not addressed to or from its own IP, which is exactly what forwarded traffic looks like.
- Create a security group with an inbound rule allowing ALL traffic from 10.0.0.0/16 (your VPC CIDR; keep it to the VPC range, never 0.0.0.0/0, because anything this group admits the instance will happily forward) and associate it with your NAT instance.
- On the NAT instance, create /etc/network/if-pre-up.d/nat-setup (this is the ifupdown hook directory on Debian/Ubuntu; on distributions without ifupdown use whatever boot hook you have, e.g. rc.local or a systemd unit) as:

    #!/bin/sh
    # enable IPv4 forwarding in the running kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # rewrite the source address of anything leaving from the private range to the NAT instance's own address
    iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j MASQUERADE

- chmod +x the script, then run it. ifupdown runs every script in that directory each time an interface comes up, so the NAT will survive a restart. Note that it runs once per interface (lo included) and the -A above appends a duplicate rule each time; that is harmless for a single MASQUERADE rule, but if you add more rules, guard each one with `iptables -C` before appending.
- Make sure all your private subnets have a default route via the NAT instance: in the route table(s) associated with your private subnets, create a route for 0.0.0.0/0 with the NAT instance as the target.
- Test your NAT by pinging a public address from an EC2 instance in a private subnet (the private instance's own security group must allow the outbound traffic too). Pinging from the NAT instance itself proves nothing about forwarding.
Note: the NAT instance needs an Elastic IP, of course, and it has to live in a public subnet, i.e. one whose route table sends 0.0.0.0/0 to the internet gateway; otherwise it has nowhere to forward the traffic to.
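The host side of the procedure above (forwarding, masquerading, surviving reboots) as one script, added here as an example and not part of the original notes. It is an idempotent version of the nat-setup hook: every rule is checked with `iptables -C` before it is appended, so running it once per interface does not pile up duplicates, and it persists ip_forward through sysctl.d instead of relying on the hook alone. It goes beyond the original in restricting the FORWARD chain so that the instance only forwards packets that originate in the private range (plus the replies), rather than anything that reaches it. Assumptions not in the original: the private range is 10.0.0.0/16, the outbound interface is eth0, the host uses ifupdown (which exports IFACE to hook scripts), and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Idempotent NAT setup for an EC2 NAT instance (added example, not the original hook).
# Assumed defaults (override via environment): private range, outbound interface, dry-run flag.
set -eu

PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.0.0/16}"   # assumption: the VPC's private range
WAN_IF="${WAN_IF:-eth0}"                       # assumption: the interface facing the internet gateway
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands instead of executing them

# Run a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append an iptables rule only if it is not already present.
# `iptables -C` exits 0 when an identical rule exists, so re-running the hook is safe.
add_rule_once() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -t $table -A $chain $*"
    elif ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        iptables -t "$table" -A "$chain" "$@"
    fi
}

# Make ip_forward=1 survive a reboot independently of this hook.
persist_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "write /etc/sysctl.d/99-nat.conf: net.ipv4.ip_forward = 1"
    else
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-nat.conf
    fi
}

nat_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    persist_forwarding
    # Replies to connections opened from the private range may come back in.
    add_rule_once filter FORWARD -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the private range may originate forwarded traffic, and only towards the WAN side.
    add_rule_once filter FORWARD -s "$PRIVATE_CIDR" -o "$WAN_IF" -j ACCEPT
    # Everything else that would be forwarded (e.g. unsolicited inbound) is dropped.
    run iptables -P FORWARD DROP
    # Source-NAT the private range behind the instance's own address on the WAN interface.
    add_rule_once nat POSTROUTING -s "$PRIVATE_CIDR" -o "$WAN_IF" -j MASQUERADE
}

# Apply when called explicitly with "apply", or when ifupdown runs this hook for the
# WAN interface (ifupdown exports IFACE). Skipping the other interfaces avoids
# re-running the whole setup for lo and any secondary NICs.
want_apply() {
    if [ "$1" = "apply" ]; then return 0; fi
    if [ -n "$2" ] && [ "$2" = "$WAN_IF" ]; then return 0; fi
    return 1
}

if want_apply "${1:-}" "${IFACE:-}"; then
    nat_setup
fi
```

Install it as /etc/network/if-pre-up.d/nat-setup (chmod +x) so ifupdown applies it when eth0 comes up, or run `sh nat-setup apply` by hand. `DRY_RUN=1 sh nat-setup apply` shows what would be executed without touching the firewall. `iptables -P FORWARD DROP` is the part that matters beyond the original: with the default ACCEPT policy, a rule that lets the instance forward also lets it forward for anyone whose packets reach it, which is why the security group on the instance must stay limited to the VPC range.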