NAT Gateway

A NAT gateway is a Network Address Translation (NAT) service.

You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

When you create a NAT gateway, you specify one of the following connectivity types:

- Public – (Default) Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet. You create a public NAT gateway in a public subnet and must associate an elastic IP address with the NAT gateway at creation. You route traffic from the NAT gateway to the internet gateway for the VPC. Alternatively, you can use a public NAT gateway to connect to other VPCs or your on-premises network. In this case, you route traffic from the NAT gateway through a transit gateway or a virtual private gateway.
- Private – Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway. You can route traffic from the NAT gateway through a transit gateway or a virtual private gateway. You cannot associate an elastic IP address with a private NAT gateway. You can attach an internet gateway to a VPC with a private NAT gateway, but if you route traffic from the private NAT gateway to the internet gateway, the internet gateway drops the traffic.
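As an added example (not code from this note or from AWS), the following Python script audits an inventory of NAT gateways and route tables against the routing rules above: the subnet hosting a public NAT gateway needs a default route to an internet, transit or virtual private gateway, and a private NAT gateway must not be routed to an internet gateway, because the internet gateway drops that traffic. The inventory is constructed inline with placeholder IDs, and its field names are a simplified shape chosen for the example, not the exact output of the AWS API or CLI.

```python
"""Offline audit of VPC route tables against NAT gateway routing rules.

Added example, not code from the note or from AWS.  Every ID and address
below is a constructed placeholder; the dict layout is a simplified,
assumed shape rather than the real describe-* API output."""

PRIVATE_EGRESS_PREFIXES = ("tgw-", "vgw-")            # transit gateway, virtual private gateway
PUBLIC_EGRESS_PREFIXES = ("igw-",) + PRIVATE_EGRESS_PREFIXES

# Constructed sample inventory (placeholder IDs)
NAT_GATEWAYS = {
    "nat-0public": {"ConnectivityType": "public", "SubnetId": "subnet-public-a",
                    "Addresses": [{"PublicIp": "203.0.113.10"}]},
    "nat-0private": {"ConnectivityType": "private", "SubnetId": "subnet-private-b",
                     "Addresses": [{"PrivateIp": "10.0.2.5"}]},
    "nat-0stranded": {"ConnectivityType": "public", "SubnetId": "subnet-isolated-d",
                      "Addresses": [{"PublicIp": "203.0.113.11"}]},
}

ROUTE_TABLES = [
    # Private subnet: default route via the public NAT gateway (correct)
    {"RouteTableId": "rtb-private-a", "Subnets": ["subnet-private-a"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0public"}]},
    # Public subnet hosting nat-0public: default route to the internet gateway (correct)
    {"RouteTableId": "rtb-public-a", "Subnets": ["subnet-public-a"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    # Subnet hosting the private NAT gateway: default route to the internet gateway (dropped)
    {"RouteTableId": "rtb-private-b", "Subnets": ["subnet-private-b"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    # Subnet hosting nat-0stranded: only the local route, so the NAT gateway has no way out
    {"RouteTableId": "rtb-isolated-d", "Subnets": ["subnet-isolated-d"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    # Private subnet whose default route names a NAT gateway that does not exist
    {"RouteTableId": "rtb-private-e", "Subnets": ["subnet-private-e"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0missing"}]},
]


def route_target(route):
    """Return the ID a route points at, whichever attribute carries it."""
    for key in ("NatGatewayId", "GatewayId", "TransitGatewayId"):
        if key in route:
            return route[key]
    return None


def default_route_target(route_tables, subnet_id):
    """Target of the 0.0.0.0/0 route in the table associated with subnet_id, or None."""
    for table in route_tables:
        if subnet_id in table["Subnets"]:
            for route in table["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return route_target(route)
    return None


def audit(nat_gateways, route_tables):
    """Return (resource_id, problem) pairs for NAT gateway routing mistakes."""
    findings = []
    for nat_id, nat in nat_gateways.items():
        target = default_route_target(route_tables, nat["SubnetId"]) or ""
        if nat["ConnectivityType"] == "public":
            # A public NAT gateway's subnet must route onward to an IGW, TGW or VGW
            if not target.startswith(PUBLIC_EGRESS_PREFIXES):
                findings.append((nat_id, "public NAT gateway's subnet has no default route "
                                         "to an internet, transit or virtual private gateway"))
        elif target.startswith("igw-"):
            # Private NAT gateway traffic sent to an internet gateway is dropped
            findings.append((nat_id, "private NAT gateway routes to an internet gateway, "
                                     "which drops the traffic"))
    for table in route_tables:
        for route in table["Routes"]:
            nat_id = route.get("NatGatewayId")
            if nat_id and nat_id not in nat_gateways:
                findings.append((table["RouteTableId"], f"route to unknown NAT gateway {nat_id}"))
    return findings


if __name__ == "__main__":
    for resource, problem in audit(NAT_GATEWAYS, ROUTE_TABLES):
        print(f"{resource}: {problem}")
```

Run as-is, the script reports three problems: the private NAT gateway whose subnet routes to the internet gateway, the public NAT gateway in a subnet with no egress route, and the route table that points at a NAT gateway that does not exist. The correctly wired pair (private subnet via nat-0public, whose public subnet routes to igw-0abc) produces no finding. Routing 0.0.0.0/0 at a private NAT gateway is deliberately not flagged, since the note allows that traffic to continue through a transit gateway or virtual private gateway.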
Gateway and router difference
A gateway connects networks, and a router delivers data within a network. Gateways and routers are usually separate devices. However, it's becoming more common for their functions to be combined in a router. For example, in your home network, your router can also be your default gateway.
NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet.
Remember

A NAT gateway is preferable to a NAT instance because it is managed by AWS rather than by you, the architect.