
NAT Gateway

In this guide, you’ll learn what NAT Gateways are, why they’re the standard way to give private subnets outbound internet access, and how to deploy and manage them in AWS.

Overview

When you run instances in private subnets, you often still need outbound internet connectivity for OS updates, package downloads, and API calls, without exposing those instances to inbound traffic. NAT Gateways solve this by providing outbound-only internet access: a connection opened from inside the VPC gets its replies back, while an unsolicited inbound connection has no translation state and is dropped. Note what this does not give you: a NAT Gateway does not inspect or restrict what your instances send out, so security group egress rules (and, where needed, a network firewall or proxy) remain your control over outbound traffic.

The Challenge

You have an EC2 instance in a private subnet that needs to pull updates from the internet.

  • A subnet whose route table sends 0.0.0.0/0 to an Internet Gateway (IGW) is, by definition, a public subnet.
  • Any instance in a public subnet that has a public IPv4 address is reachable from the internet, limited only by its security group and network ACL, which increases its exposure.

Avoid routing private instance traffic directly through an Internet Gateway, as this exposes the instances to inbound connections.

Introducing NAT Gateways

A NAT Gateway is a fully managed AWS service that lets instances in private subnets open outbound connections to the internet while dropping connections initiated from the internet. Key features include:

  • Outbound-only traffic with automatic source IP translation: every instance behind the gateway appears on the internet as the gateway’s Elastic IP
  • Requires an Internet Gateway attached to the VPC, and a public subnet to sit in, for upstream connectivity
  • Elastic IP-backed, so the egress address stays fixed (useful when a partner allow-lists your outbound IP)

The image is a diagram illustrating a NAT Gateway setup within a VPC, showing four availability zones, each with a connection to the internet.

Deployment Steps

  1. Create or attach an Internet Gateway
    • In the AWS Console under VPC → Internet Gateways, create an IGW (if the VPC has none) and attach it to your VPC.
  2. Configure a public subnet for the NAT Gateway
    • Create a subnet in the AZ of the private subnets it will serve. Nothing marks a subnet "public" except its route table, so associate a route table that has:
      • Destination: 0.0.0.0/0
      • Target: your Internet Gateway
  3. Launch a NAT Gateway
    • Go to VPC → NAT Gateways, create a gateway in the public subnet, and assign it an Elastic IP.
  4. Update private subnet routes
    • For each private subnet, edit its route table:
      • Destination: 0.0.0.0/0
      • Target: the NAT Gateway

Each NAT Gateway requires an Elastic IP. Ensure you have available Elastic IPs or allocate new ones before deployment.

IGW vs NAT Gateway Comparison

| Feature | Internet Gateway (IGW) | NAT Gateway |
| --- | --- | --- |
| Inbound connections | Allowed, subject to security groups and network ACLs | Only replies to connections opened from inside the VPC; unsolicited inbound is dropped |
| Address translation | One-to-one: each instance’s private IP maps to its own public IPv4 or Elastic IP | Many-to-one: every instance behind the gateway shares its Elastic IP (source NAT) |
| Managed service | Yes | Yes |
| Public IP requirement | Each instance needs its own public IPv4 address or Elastic IP | One Elastic IP, assigned to the gateway |
| Use case | Internet-facing instances in public subnets | Outbound-only internet access for private subnets |

Traffic Flow

  1. Private Instance → NAT Gateway
  2. NAT Gateway → Internet Gateway → Internet
  3. Return Traffic → Internet Gateway → NAT Gateway → Private Instance
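To make this flow concrete, here is an added example (not part of the original page or of any AWS code) that models the connection-tracking table behind a NAT Gateway in Python. The addresses are constructed from the RFC 5737 documentation ranges, the class and function names are this example’s own, and the 350-second idle timeout and 55,000 connections-per-destination limit are the figures AWS publishes for NAT Gateways, used here only as model parameters. It shows why step 3 works while a probe aimed at the Elastic IP goes nowhere, and what port exhaustion looks like:

```python
"""Model of the stateful source NAT a NAT Gateway performs (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from the RFC 5737 documentation ranges; not a real deployment.
NAT_EIP = "203.0.113.10"       # Elastic IP held by the NAT Gateway
PRIVATE_HOST = "10.0.1.25"     # instance in private-subnet, no public IP
MIRROR = "198.51.100.80"       # package mirror on the internet
IDLE_TIMEOUT_S = 350           # AWS-published NAT Gateway idle connection timeout
PORTS_PER_DEST = 55_000        # AWS-published simultaneous connections per unique destination

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass
class NatEntry:
    inside: tuple              # (private ip, private port) the reply must be delivered to
    last_seen: float

class NatGateway:
    """Many-to-one source NAT: all private hosts share one EIP, told apart by port."""
    def __init__(self, eip: str, ports_per_dest: int = PORTS_PER_DEST) -> None:
        self.eip = eip
        self.ports_per_dest = ports_per_dest
        self.now = 0.0         # simulated clock, seconds
        self.table = {}        # (translated port, (dst ip, dst port, proto)) -> NatEntry
        self.by_flow = {}      # (private endpoint, destination) -> translated port
        self.dropped_inbound = 0
        self.port_alloc_errors = 0   # what CloudWatch reports as ErrorPortAllocation

    def _expire_idle(self) -> None:
        for key in [k for k, e in self.table.items() if self.now - e.last_seen > IDLE_TIMEOUT_S]:
            entry = self.table.pop(key)
            self.by_flow.pop((entry.inside, key[1]), None)

    def _allocate_port(self, dest: tuple) -> Optional[int]:
        used = {port for port, d in self.table if d == dest}
        if len(used) >= self.ports_per_dest:
            return None        # this destination's pool is exhausted
        return next((p for p in range(1024, 65536) if p not in used), None)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private instance -> internet: rewrite the source to EIP:port and record the flow."""
        self._expire_idle()
        dest = (pkt.dst_ip, pkt.dst_port, pkt.proto)
        inside = (pkt.src_ip, pkt.src_port)
        port = self.by_flow.get((inside, dest))
        if port is None:
            port = self._allocate_port(dest)
            if port is None:
                self.port_alloc_errors += 1
                return None
            self.by_flow[(inside, dest)] = port
            self.table[(port, dest)] = NatEntry(inside, self.now)
        self.table[(port, dest)].last_seen = self.now
        return Packet(self.eip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> EIP: forwarded only if it answers a flow a private instance opened."""
        self._expire_idle()
        entry = self.table.get((pkt.dst_port, (pkt.src_ip, pkt.src_port, pkt.proto)))
        if entry is None:
            self.dropped_inbound += 1   # no state for this packet: unsolicited, dropped
            return None
        entry.last_seen = self.now
        ip, port = entry.inside
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)

def demo() -> dict:
    """The three steps of the Traffic Flow section, plus two packets that are dropped."""
    gw = NatGateway(NAT_EIP)
    out = gw.outbound(Packet(PRIVATE_HOST, 45000, MIRROR, 443))      # steps 1-2
    reply = gw.inbound(Packet(MIRROR, 443, NAT_EIP, out.src_port))   # step 3
    probe = gw.inbound(Packet("192.0.2.7", 40000, NAT_EIP, 22))      # scanner hitting the EIP
    gw.now += IDLE_TIMEOUT_S + 1
    late = gw.inbound(Packet(MIRROR, 443, NAT_EIP, out.src_port))    # peer resumes after idle timeout
    return {"translated_src": (out.src_ip, out.src_port),
            "reply_delivered_to": (reply.dst_ip, reply.dst_port),
            "probe_forwarded": probe is not None,
            "late_reply_forwarded": late is not None,
            "dropped_inbound": gw.dropped_inbound}

def exhaust(flows: int, ports_per_dest: int) -> int:
    """Open `flows` connections from distinct hosts to one destination; count the ones that fail."""
    gw = NatGateway(NAT_EIP, ports_per_dest=ports_per_dest)
    return sum(gw.outbound(Packet(f"10.0.1.{10 + i}", 50000, MIRROR, 443)) is None
               for i in range(flows))

if __name__ == "__main__":
    print(demo())
    print("failed connections with a pool of 3:", exhaust(5, 3))
```

Two practical consequences follow from the model. First, the gateway is not a firewall: anything an instance initiates, including a reverse shell or data exfiltration, gets its replies back, so egress filtering has to live in security groups or a firewall. Second, all instances talking to one destination draw from a single per-destination port pool on the gateway; when it runs dry, new connections fail and the ErrorPortAllocation metric rises, which is the point at which additional Elastic IPs on the gateway or more gateways are needed.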

Key Characteristics

  • Fully Managed: AWS handles provisioning, scaling, and health monitoring.
  • Automatic Scaling: Starts at 5 Gbps and can scale up to 100 Gbps.
  • AZ Isolation: Deploy one per Availability Zone (AZ) for high availability.
  • Billing: Hourly NAT Gateway charge + per GB data processed.

The image is a summary of NAT Gateways, highlighting their function, deployment on public subnets, use of Elastic IPs, and AZ-reliant service requirements.

Cost Considerations

NAT Gateways incur an hourly charge per gateway plus a per-GB data processing fee, and that fee applies to everything they carry, including traffic to AWS services in the same Region. Send S3 and DynamoDB traffic through VPC gateway endpoints, which carry no charge, so it never touches the NAT Gateway, and monitor the rest in AWS Cost Explorer to avoid unexpected costs.

High Availability

  • Deploy a NAT Gateway in each AZ where you have private subnets.
  • Give each AZ its own private route table and point its 0.0.0.0/0 route at the NAT Gateway in that same AZ, so no AZ depends on another AZ’s gateway.
  • For multi-VPC designs, consider a central egress VPC reached through AWS Transit Gateway so several VPCs share one set of NAT Gateways.

Summary

  • Purpose: Enable outbound internet access for private subnets without inbound exposure.
  • Requirements: Internet Gateway, Elastic IP, public subnet for the NAT Gateway.
  • High Availability: One NAT Gateway per AZ.
  • Management & Billing: AWS-managed; pay hourly + per GB.

The image is a summary slide with points about NAT Gateway, including routing for private subnets, AWS management, and charging details.


  • NAT Gateways allow private subnets to reach the internet, but connections must be initiated from within the VPC
  • NAT Gateways are deployed into public subnets so that they have a public IP and a route to the Internet Gateway
  • Uses Elastic IPs
  • Zonal resources: you need one NAT Gateway in each AZ
  • The route table for private subnets should point 0.0.0.0/0 at the NAT Gateway
  • Managed by AWS
  • Charged for each hour that the NAT Gateway is available and for each gigabyte of data it processes
  • A NAT Gateway supports 5 Gbps of bandwidth and automatically scales up to 100 Gbps

In this walkthrough, you’ll learn how to configure an AWS NAT Gateway to enable internet access for EC2 instances in a private subnet while preventing unsolicited inbound connections from the internet. By the end, only connections that the instances initiate themselves will get responses back; nothing on the internet can open a connection to them.

1. Create a New VPC

  1. Open the VPC console and select Create VPC.
  2. Enter a Name tag (e.g., demo-vpc) and set the IPv4 CIDR block to 10.0.0.0/16.
  3. Leave IPv6 settings disabled and click Create.

The image shows the AWS Management Console interface for creating a VPC, with options for setting the name tag, IPv4 CIDR block, and other configurations.

2. Create a Private Subnet

This subnet will host your EC2 instance without a public IP.

  • Name: private-subnet
  • Availability Zone: e.g., us-east-1b
  • IPv4 CIDR block: 10.0.1.0/24

The image shows the AWS Management Console interface for creating a subnet within a VPC. It includes fields for VPC ID, subnet name, availability zone, and IPv4 CIDR block.

3. Launch an EC2 Instance in the Private Subnet

  1. Navigate to the EC2 console → Launch Instance.
  2. Select the Amazon Linux 2 AMI (or your preferred AMI).
  3. Under Network settings:
    • Choose your demo-vpc and the private-subnet.
    • Disable Auto-assign Public IP.
    • Configure or select a security group. With no public IP the instance is unreachable from the internet regardless of its inbound rules, but keep them minimal anyway (for example, SSH only from the VPC CIDR 10.0.0.0/16); outbound can stay open, since that is the traffic the NAT Gateway will carry.
  4. Review and Launch. Name it private-server.

Because there is no public IP, the instance cannot be reached directly from the internet. Until a NAT Gateway route is added in step 8, it cannot reach the internet either.

The image shows an AWS EC2 instance launch configuration screen, detailing network settings, security group options, and a summary of the instance specifications.

4. Create and Attach an Internet Gateway

An Internet Gateway (IGW) is required to give public subnets internet access.

  1. In the VPC console, go to Internet Gateways → Create Internet Gateway.
  2. Name it my-igw and click Create.
  3. Select the new IGW → Actions → Attach to VPC → choose demo-vpc.

The image shows an AWS Management Console screen displaying the "Internet gateways" section, with one internet gateway listed as attached to a VPC.

5. Create a Public Subnet

This subnet will host the NAT Gateway and must have a route to the IGW.

  • Name: public-subnet
  • Availability Zone: us-east-1b, the same AZ as private-subnet, so the private subnet’s egress never depends on another AZ (and avoids cross-AZ data transfer)
  • IPv4 CIDR block: 10.0.2.0/24

The image shows an AWS VPC dashboard with a notification indicating the successful creation of a subnet. The subnet details, including its ID and availability, are displayed.

6. Configure Route Tables

You need two route tables: one public and one private.

Separate route tables help isolate internet-facing and internal traffic.

| Route table name | Associated subnet | Default route target |
| --- | --- | --- |
| public-route-table | public-subnet | Internet Gateway (my-igw) |
| private-route-table | private-subnet | NAT Gateway (added after NAT creation, step 8) |

Steps

  1. Create public-route-table → select demo-vpc → Create.
  2. Edit routes → Add route 0.0.0.0/0 → Target: Internet Gateway → choose my-igw → Save.
  3. Associate with public-subnet.
  4. Create private-route-table → select demo-vpc → Create.
  5. Associate with private-subnet (no default route yet).

The image shows an AWS Management Console screen displaying details of a VPC route table, including route entries and their statuses. The route table has two routes, one for internet gateway access and another for local network access, both marked as active.

7. Deploy a NAT Gateway

Placed in the public subnet, the NAT Gateway lets private instances reach the internet without being reachable from it.

  1. Go to NAT Gateways → Create NAT Gateway.
  2. Name it my-nat-gateway.
  3. Subnet: public-subnet.
  4. Allocate a new Elastic IP.
  5. Click Create NAT Gateway.

The image shows an AWS Management Console screen displaying details of a newly created NAT gateway, which is currently in a pending state.

You can also use the AWS CLI:

```bash
# Create the gateway in the public subnet with a pre-allocated Elastic IP,
# then wait for it to become available before adding the private route.
aws ec2 create-nat-gateway \
  --subnet-id <public-subnet-id> \
  --allocation-id <eip-allocation-id>
aws ec2 wait nat-gateway-available --nat-gateway-ids <nat-gateway-id>
```

8. Update the Private Route Table

After the NAT Gateway becomes available:

  1. Open private-route-table → Edit routes.
  2. Add route 0.0.0.0/0 → Target: NAT Gateway → select my-nat-gateway.
  3. Save.

Now, instances in private-subnet will send outbound traffic through the NAT Gateway while remaining inaccessible from the internet.

9. Plan for High Availability

NAT Gateways are zonal resources. To avoid a single point of failure:

  • Deploy one NAT Gateway per Availability Zone.
  • Update each private route table to point to the NAT Gateway in its own AZ.

If the AZ with your NAT Gateway goes down, all instances using it lose internet access.
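The deployment steps and the high-availability rules above reduce to a handful of checks on route tables, subnets and gateways. The following is an added example (not part of this guide or of any AWS tooling) that encodes them as an audit in Python. It runs on constructed data shaped like the EC2 `describe-subnets`, `describe-route-tables`, `describe-nat-gateways` and `describe-internet-gateways` responses, modelling only the fields named in the code; the identifiers (vpc-0demo, subnet-priv-b, nat-a and so on) and the misconfigurations are made up for illustration. It flags a private subnet whose NAT Gateway is in another AZ, one whose NAT Gateway is not yet available, one whose NAT Gateway sits in a subnet with no IGW route, and one that still auto-assigns public IPs:

```python
"""Audit a VPC's NAT layout: private subnets egress via an available NAT Gateway that sits
in a public subnet of the same AZ. Added example on constructed describe-* style data."""
from typing import Dict, List

VPC = "vpc-0demo"   # constructed identifiers throughout

SUBNETS = [
    {"SubnetId": "subnet-pub-a",  "VpcId": VPC, "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-a", "VpcId": VPC, "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-b", "VpcId": VPC, "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-nat-b",  "VpcId": VPC, "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-c", "VpcId": VPC, "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
]

def _rtb(rtb_id: str, assoc: List[dict], default_target: str = "", key: str = "GatewayId") -> dict:
    """Build a route table with the local route and an optional 0.0.0.0/0 route."""
    routes = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]
    if default_target:
        routes.append({"DestinationCidrBlock": "0.0.0.0/0", key: default_target, "State": "active"})
    return {"RouteTableId": rtb_id, "VpcId": VPC, "Associations": assoc, "Routes": routes}

ROUTE_TABLES = [
    _rtb("rtb-main",   [{"Main": True}]),                                              # no default route
    _rtb("rtb-pub",    [{"SubnetId": "subnet-pub-a"}],  "igw-1"),
    _rtb("rtb-priv-a", [{"SubnetId": "subnet-priv-a"}], "nat-a", "NatGatewayId"),
    _rtb("rtb-priv-b", [{"SubnetId": "subnet-priv-b"}], "nat-a", "NatGatewayId"),      # NAT is in the other AZ
    _rtb("rtb-priv-c", [{"SubnetId": "subnet-priv-c"}], "nat-c", "NatGatewayId"),
]
# subnet-nat-b has no explicit association, so it falls back to rtb-main and has no IGW route.
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-c", "SubnetId": "subnet-nat-b", "State": "pending"},
]
IGWS = [{"InternetGatewayId": "igw-1", "Attachments": [{"VpcId": VPC, "State": "available"}]}]

def route_table_for(subnet_id: str, vpc_id: str, route_tables: List[dict]) -> dict:
    """An explicit association wins; otherwise the VPC's main route table applies."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            return rtb
    return next(r for r in route_tables
                if r["VpcId"] == vpc_id and any(a.get("Main") for a in r["Associations"]))

def default_route_target(rtb: dict) -> str:
    """Target of the active 0.0.0.0/0 route, or '' if the subnet has no internet route."""
    for r in rtb["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId") or ""
    return ""

def audit_vpc(vpc_id: str, subnets: List[dict], route_tables: List[dict],
              nat_gateways: List[dict], igws: List[dict]) -> List[str]:
    """One finding per violated rule, for every subnet whose default route is a NAT Gateway."""
    attached_igws = {g["InternetGatewayId"] for g in igws
                     if any(a["VpcId"] == vpc_id and a["State"] == "available" for a in g["Attachments"])}
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    subnet_by_id: Dict[str, dict] = {s["SubnetId"]: s for s in subnets}
    findings: List[str] = []

    def is_public(subnet_id: str) -> bool:
        return default_route_target(route_table_for(subnet_id, vpc_id, route_tables)) in attached_igws

    for s in subnets:
        if s["VpcId"] != vpc_id:
            continue
        sid, az = s["SubnetId"], s["AvailabilityZone"]
        target = default_route_target(route_table_for(sid, vpc_id, route_tables))
        if not target.startswith("nat-"):
            continue                                   # public or isolated subnet: not a NAT consumer
        if s.get("MapPublicIpOnLaunch"):
            findings.append(f"{sid}: egresses via NAT but auto-assigns public IPs; disable it")
        nat = nats.get(target)
        if nat is None:
            findings.append(f"{sid}: default route targets unknown NAT gateway {target}")
            continue
        if nat["State"] != "available":
            findings.append(f"{sid}: NAT gateway {target} is '{nat['State']}', not available")
        nat_subnet = subnet_by_id[nat["SubnetId"]]
        if not is_public(nat["SubnetId"]):
            findings.append(f"{sid}: NAT gateway {target} sits in {nat['SubnetId']}, "
                            f"which has no 0.0.0.0/0 route to an attached IGW (no upstream)")
        if nat_subnet["AvailabilityZone"] != az:
            findings.append(f"{sid} ({az}): NAT gateway {target} is in {nat_subnet['AvailabilityZone']}; "
                            f"an outage there takes this subnet offline and its traffic crosses AZs")
    return findings

def run_audit() -> List[str]:
    """Audit the constructed sample; with real data, pass the json.load(...) lists instead."""
    return audit_vpc(VPC, SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, IGWS)

if __name__ == "__main__":
    for line in run_audit():
        print("FINDING", line)
```

Against the sample, subnet-priv-a is clean and the other three private subnets each produce findings. The main-route-table fallback matters in practice: a subnet you forgot to associate silently inherits whatever default route the main table has, which is how a "public" NAT subnet ends up with no upstream, or a "private" subnet ends up routed straight to the IGW.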

The image shows an AWS Management Console screen displaying details of a public subnet within a Virtual Private Cloud (VPC). It includes information such as the subnet ID, state, IPv4 CIDR, and availability zone.