AWS Networking Fundamentals

Core Networking Services

NAT Gateways VPC

In this guide, you’ll learn what NAT Gateways are, why they’re essential for private subnet internet access, and how to deploy and manage them in AWS.

Overview

When you run instances in private subnets, you often still need outbound internet connectivity—for OS updates, package downloads, and API calls—without exposing those instances to inbound traffic. NAT Gateways solve this by enabling secure, outbound-only internet access while keeping your servers hidden from unsolicited inbound connections.

The Challenge

You have an EC2 instance in a private subnet that needs to pull updates from the internet.

  • Attaching an Internet Gateway (IGW) and routing traffic through it turns your subnet public.
  • A public subnet exposes instances to inbound internet traffic, increasing security risk.

Warning

Avoid routing private instance traffic directly through an Internet Gateway, as this exposes them to inbound connections.

Introducing NAT Gateways

A NAT Gateway is a fully managed AWS service that allows instances in private subnets to send outbound traffic to the internet while blocking inbound traffic initiated from the internet. Key features include:

  • Outbound-only traffic with automatic source IP translation
  • Requires an Internet Gateway on the VPC for upstream connectivity
  • Elastic IP–backed for consistent public IPs

The image is a diagram illustrating a NAT Gateway setup within a VPC, showing four availability zones, each with a connection to the internet.

Deployment Steps

  1. Create or Attach an Internet Gateway
    • In the AWS Console under VPC → Internet Gateways, attach the IGW to your VPC.
  2. Configure a Public Subnet
    • Create a subnet and tag it as public.
    • Update its route table:
      • Destination: 0.0.0.0/0
      • Target: your Internet Gateway
  3. Launch a NAT Gateway
    • Go to VPC → NAT Gateways.
    • Select the public subnet and assign an Elastic IP.
  4. Update Private Subnet Routes
    • For each private subnet, modify its route table:
      • Destination: 0.0.0.0/0
      • Target: the NAT Gateway

Note

Each NAT Gateway requires an Elastic IP. Ensure you have available Elastic IPs or allocate new ones before deployment.

IGW vs NAT Gateway Comparison

FeatureInternet Gateway (IGW)NAT Gateway
Inbound ConnectionsAllowedBlocked (outbound-only)
Source IP PreservationYesNo (performs source NAT)
Managed ServiceYesYes
Public IP RequirementNo (automatic public IP on ENI)Elastic IP must be assigned
Use CasePublic subnet internet accessPrivate subnet outbound internet

Traffic Flow

  1. Private Instance → NAT Gateway
  2. NAT Gateway → Internet Gateway → Internet
  3. Return Traffic → Internet Gateway → NAT Gateway → Private Instance

Key Characteristics

  • Fully Managed: AWS handles provisioning, scaling, and health monitoring.
  • Automatic Scaling: Starts at 5 Gbps and can scale up to 100 Gbps.
  • AZ Isolation: Deploy one per Availability Zone (AZ) for high availability.
  • Billing: Hourly NAT Gateway charge + per GB data processed.

The image is a summary of NAT Gateways, highlighting their function, deployment on public subnets, use of Elastic IPs, and AZ-reliant service requirements.

Cost Considerations

Warning

NAT Gateways incur hourly charges per gateway and data processing fees. Monitor usage in AWS Cost Explorer to avoid unexpected costs.

High Availability

  • Deploy a NAT Gateway in each AZ where you have private subnets.
  • Update each private subnet’s route table to point to the AZ-specific NAT Gateway.
  • Consider combining with AWS Transit Gateway for multi-VPC designs.

Summary

  • Purpose: Enable outbound internet access for private subnets without inbound exposure.
  • Requirements: Internet Gateway, Elastic IP, public subnet for the NAT Gateway.
  • High Availability: One NAT Gateway per AZ.
  • Management & Billing: AWS-managed; pay hourly + per GB.

The image is a summary slide with points about NAT Gateway, including routing for private subnets, AWS management, and charging details.

Watch Video

Watch video content

Previous
Internet Gateway Demo