I’ve got a number number of private subnets within my AWS VPC that are all nice and segregated from each other. But every time I light up a new Ubuntu instance and tell it to ‘apt-get update’ it times out. Now, since these are private subnets I can get away with opening ports wide open, but AWS is always cranky at me for doing so. I feel slightly vindicated that the same behaviour is asked about on Stack Overflow often too, but anyways, I figured it out this week. Finally. And as usual with anything wonky network-wise in AWS it was a Security Group problem.

  1. First thing, read the docs carefully.
  2. Read it again, more careful this time
  3. Setup the Routing. I actually created 2 custom routing tables rather than modify the Main one; explicit is better than implicit (thanks Python!)
  4. Create an ‘apt’ Security Group to be applied to the NAT instance with the inbound rule, from your private VPC address space for HTTP (80), HTTPS (443) and HKP (11371). HTTP is the default protocol for apt but if you are adding new repos the key is delivered via HTTPS and then validated against the central key servers via HKP. You’ll need outbound rules for those ports too per the docs

And now you should be able to lock down your servers a bit more.