# NAT Gateway

## What is a NAT Gateway?

A NAT (Network Address Translation) Gateway in AWS allows instances in a private subnet to reach the internet for outbound traffic only (e.g., downloading packages and updates) without exposing them to inbound internet traffic.

Note: A NAT Gateway allows only outbound connections initiated from private subnets; it does not accept inbound connections from the internet.

## Why Use a NAT Gateway?

Because private subnets have no route to an Internet Gateway (IGW), resources inside them can't reach the internet.

A NAT Gateway solves this:
| Use Case | Purpose |
|---|---|
| EC2 in private subnet | Download OS packages (e.g., apt, yum) |
| Lambda functions | Call 3rd-party APIs from private subnets |
| Container tasks (ECS, EKS) | Pull images, reach external endpoints |
## How a NAT Gateway Works (Architecture)

```text
VPC: 10.0.0.0/16
├── Public Subnet: 10.0.1.0/24
│   └── NAT Gateway (Elastic IP attached)
│
└── Private Subnet: 10.0.2.0/24
    ├── EC2 instance
    └── Route: 0.0.0.0/0 → NAT Gateway
```

Traffic flow: Private EC2 → NAT Gateway → Internet
## Requirements to Use a NAT Gateway

| Resource | Requirement |
|---|---|
| NAT Gateway | Must be in a public subnet |
| Elastic IP | Required (it is the public address the NAT Gateway uses on the internet) |
| Route Table | Private subnet must route 0.0.0.0/0 → NAT Gateway |
| Internet Gateway | Must exist in the VPC for the NAT Gateway to work |
## How to Create a NAT Gateway (Console)

1. Go to VPC Dashboard > NAT Gateways > Create NAT Gateway.
2. Choose a public subnet.
3. Assign an Elastic IP.
4. Click Create.
5. Go to Route Tables, edit your private subnet's route table, and add the route `0.0.0.0/0 → <NAT Gateway ID>`.
## AWS CLI: Create a NAT Gateway

### Step 1: Allocate an Elastic IP

Allocate an Elastic IP in the VPC and note its allocation ID (`eipalloc-...`); it is passed as `--allocation-id` in Step 2.

### Step 2: Create the NAT Gateway

```bash
# --subnet-id must be a public subnet (one whose route table points 0.0.0.0/0 at the IGW)
aws ec2 create-nat-gateway \
  --subnet-id subnet-0abc1234 \
  --allocation-id eipalloc-0abc1234 \
  --tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=MyNAT}]'
```

### Step 3: Update the Route Table

```bash
# Point the PRIVATE subnet's route table at the NAT Gateway created in Step 2
aws ec2 create-route \
  --route-table-id rtb-0123456789abcde \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-0abc1234
```
## NAT Gateway vs Internet Gateway

| Feature | NAT Gateway | Internet Gateway |
|---|---|---|
| Use Case | Outbound from private subnets | Inbound & outbound for public subnets |
| Inbound Allowed | No | Yes |
| Needs Public IP? | Yes (Elastic IP) | Yes (public IP on the instance) |
| Subnet Type | Deployed in a public subnet | Attached to the VPC; public subnets route to it |
| Common Use | Private EC2, Lambda | Web servers, ALB, bastions |
| Pricing | Paid ($/hour + per GB data) | Free |
## NAT Gateway Pricing (as of 2025)

| Cost Component | Value |
|---|---|
| Per Hour | ~$0.045 per hour |
| Per GB of Data | ~$0.045 per GB out |
| In Region | Data charges apply to traffic that passes through the NAT Gateway toward the internet |

Note: In high-scale setups, use NAT instances or a centralized NAT Gateway shared through a Transit Gateway if cost becomes an issue.
## Best Practices

| Tip | Why it's Important |
|---|---|
| Use one in each AZ | Avoids cross-AZ data charges and a single-AZ point of failure |
| Use Auto Scaling in multi-AZ | Ensures NAT redundancy |
| Tag your NAT Gateways clearly | For auditing and cost tracking |
| Monitor with CloudWatch | Track data usage and errors |
| Use VPC endpoints where possible | Save NAT traffic cost (e.g., S3, DynamoDB) |
## Common Mistakes

| Mistake | Fix |
|---|---|
| Creating NAT in private subnet | Must be in public subnet |
| Missing Elastic IP | Required during NAT creation |
| No route to NAT in private subnet | Update route table |
| Confusing NAT with Internet Gateway | NAT = outbound only, IGW = inbound + outbound |
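The requirements table, the route-table step of the console/CLI procedure, the per-AZ best practice and the mistakes above can all be checked from the API output. The following audit script is an added example written for this page (it is not the page's own code or an AWS tool); it works on the JSON shapes returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`, and the sample records inside it are constructed, with every ID, CIDR and address hypothetical.

```python
"""Audit a VPC's NAT Gateway setup against the rules on this page.

Added example, not the page's or AWS's code. Feed it the JSON from
`aws ec2 describe-subnets / describe-route-tables / describe-nat-gateways`
(json.load the "Subnets", "RouteTables", "NatGateways" lists); the records
below are constructed samples with hypothetical IDs.
"""

DEFAULT_ROUTE = "0.0.0.0/0"
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

# Constructed sample: AZ "a" is set up correctly, AZ "b" shows the mistakes.
SUBNETS = [
    {"SubnetId": "subnet-pub1a", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv1a", "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv1b", "CidrBlock": "10.0.3.0/24", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-bad1b", "CidrBlock": "10.0.4.0/24", "AvailabilityZone": "us-east-1b"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub1a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc1234"}]},
    {"RouteTableId": "rtb-priv-a", "Associations": [{"SubnetId": "subnet-priv1a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0aaa1111"}]},
    {"RouteTableId": "rtb-priv-b", "Associations": [{"SubnetId": "subnet-priv1b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0aaa1111"}]},
    # The VPC's main table (local route only) applies to every unassociated subnet.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa1111", "SubnetId": "subnet-pub1a", "State": "available",
     "ConnectivityType": "public",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-0abc1234", "PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-0bbb2222", "SubnetId": "subnet-bad1b", "State": "available",
     "ConnectivityType": "public", "NatGatewayAddresses": []},
]


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route_target(rtb):
    """Target of the 0.0.0.0/0 route ('igw-...', 'nat-...', ...) or None if absent."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def classify_subnet(subnet_id, route_tables):
    """public = default route to IGW, private = to NAT Gateway, isolated = none."""
    target = default_route_target(route_table_for(subnet_id, route_tables))
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private" if target.startswith("nat-") else "other"


def audit(subnets, route_tables, nat_gateways):
    """Return one finding string per violated requirement or common mistake."""
    findings = []
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    for nat in nat_gateways:
        nid, sid = nat["NatGatewayId"], nat["SubnetId"]
        if classify_subnet(sid, route_tables) != "public":  # must live in a public subnet
            findings.append(f"{nid}: placed in {sid}, which has no route to an Internet Gateway")
        has_eip = any(a.get("AllocationId") for a in nat.get("NatGatewayAddresses", []))
        if nat.get("ConnectivityType", "public") == "public" and not has_eip:
            findings.append(f"{nid}: no Elastic IP allocation attached")
        if nat.get("State") != "available":
            findings.append(f"{nid}: state is {nat.get('State')}")
    for s in subnets:
        sid = s["SubnetId"]
        kind = classify_subnet(sid, route_tables)
        if kind == "isolated":
            findings.append(f"{sid}: no 0.0.0.0/0 route (neither NAT nor IGW); outbound internet blocked")
        elif kind == "private":
            nid = default_route_target(route_table_for(sid, route_tables))
            nat = nat_by_id.get(nid)
            if nat is None:
                findings.append(f"{sid}: routes to unknown NAT Gateway {nid}")
            elif az_of.get(nat["SubnetId"]) != az_of[sid]:  # per-AZ best practice
                findings.append(f"{sid} ({az_of[sid]}): routes via {nid} in "
                                f"{az_of.get(nat['SubnetId'])}; cross-AZ charges and single-AZ dependency")
    return findings


if __name__ == "__main__":
    for line in audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print("FINDING:", line)
```

Run against the sample it reports four findings: the second NAT Gateway sits in a subnet whose route table has no IGW route and carries no Elastic IP, that subnet itself has no default route, and the private subnet in AZ b sends its traffic through the NAT Gateway in AZ a. Subnets that have no explicit association fall back to the main route table, which is exactly how a subnet ends up "private" by accident.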
## Summary

| Item | Description |
|---|---|
| What is a NAT GW? | Allows outbound internet access for private subnets |
| Public IP? | Yes (Elastic IP attached) |
| Inbound allowed? | No |
| Cost | Yes (per hour + per GB) |
| Route required? | Private subnet must route 0.0.0.0/0 → NAT Gateway |
| Must be in | A public subnet |