NAT Gateway and Private Subnets
Allow resources in private subnets to reach the internet through a managed NAT gateway while remaining unreachable from the internet.
The Private Subnet Internet Problem
Resources in private subnets have only private IP addresses and no route to an Internet Gateway, so they cannot initiate outbound connections to the internet. But they often need to reach the internet: to download OS patches, pull Docker images, call third-party APIs, or update software. The solution is to route private subnet traffic through a device that has internet access and performs NAT (Network Address Translation), hiding the private IPs behind a public IP. AWS provides two options: NAT Gateway (managed) and a self-managed NAT Instance (legacy).
NAT Gateway: Managed Outbound NAT
A NAT Gateway is a fully managed, highly available service that enables instances in private subnets to initiate outbound connections to the internet while blocking unsolicited inbound traffic. It lives in a public subnet, has an Elastic IP, and automatically scales up to 100 Gbps bandwidth. You never need to patch, scale, or manage the underlying infrastructure. The NAT Gateway translates the private source IP of outbound packets to its own EIP, then returns responses to the original private IP.
# Create a NAT Gateway in the public subnet
aws ec2 allocate-address --domain vpc # Get an EIP; note the AllocationId in the output
# Place the gateway in a public subnet and attach the EIP allocated above
aws ec2 create-nat-gateway \
--subnet-id subnet-public-1a \
--allocation-id eipalloc-12345678 \
--tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=nat-gw-1a}]'
# The private subnet's route table still needs a 0.0.0.0/0 route that targets this NAT gateway
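The route-table view of the two paragraphs above, as an added audit example that is not from the original lesson: it classifies each subnet by its 0.0.0.0/0 route (Internet Gateway, NAT gateway, blackhole, or none) and flags any NAT gateway whose own subnet has no Internet Gateway route, which is the misplacement the "lives in a public subnet" requirement guards against. The input is constructed in the shape of boto3's describe_route_tables and describe_nat_gateways responses, and every ID in it is hypothetical.

```python
# Constructed sample in the shape of boto3's describe_route_tables and
# describe_nat_gateways responses; every ID here is hypothetical.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-public-1a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-private-1a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1111aaaa"}]},
    {"RouteTableId": "rtb-stale", "Associations": [{"SubnetId": "subnet-private-1c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deadbeef",
                 "State": "blackhole"}]},  # target NAT gateway was deleted
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-1111aaaa", "SubnetId": "subnet-public-1a"},   # correct placement
    {"NatGatewayId": "nat-2222bbbb", "SubnetId": "subnet-private-1b"},  # wrong: no IGW route
]
SUBNETS = ["subnet-public-1a", "subnet-private-1a", "subnet-private-1b", "subnet-private-1c"]

def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet_id, route_tables):
    """public: 0.0.0.0/0 -> igw; private: -> nat; blackhole: target gone; isolated: none."""
    for r in route_table_for(subnet_id, route_tables)["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("State") == "blackhole":
            return "blackhole"  # outbound packets are silently dropped
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        if r.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"

def audit(subnets, route_tables, nat_gateways):
    """Subnet classes plus NAT gateways whose own subnet cannot reach an IGW."""
    return {"subnets": {s: classify_subnet(s, route_tables) for s in subnets},
            "misplaced_nat_gateways": [g["NatGatewayId"] for g in nat_gateways
                                       if classify_subnet(g["SubnetId"], route_tables) != "public"]}
```

Running audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS) on the sample reports subnet-private-1b as isolated (it falls back to the main table, which has no default route) and flags nat-2222bbbb, the gateway placed there.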