Amazon Virtual Private Cloud (VPC)

Internet and NAT Gateway

Internet Gateway (IGW) Overview

Definition: A horizontally scaled, redundant, and highly available VPC component.
Purpose:
Provides a target in VPC route tables for internet-routable traffic.
Performs network address translation (NAT) for instances with public IPv4 addresses.
Key Features and Configuration
Creation and Attachment:
Must be created and attached to a VPC.
Must be added to a route table and associated with relevant subnets.
Attributes:
No availability risk or bandwidth constraints.
Can support both IPv4 and IPv6.
Performs NAT between private and public IPv4 addresses.
Must be detached before deletion.
Only one IGW can be attached to a VPC at a time.
Public Subnet
A subnet is considered a public subnet if its route table includes a route to the Internet Gateway.
Gateway Terminology
Internet Gateway (IGW): AWS VPC side of the connection to the public Internet.
Virtual Private Gateway (VPG): VPC endpoint on the AWS side.
Customer Gateway (CGW): Representation of the customer end of the connection.
Enabling Internet Access
Attach IGW: Attach an Internet Gateway to your VPC.
Update Route Table: Ensure the subnet’s route table points to the Internet Gateway.
Global IP Address: Ensure instances have globally unique IP addresses (public IPv4, Elastic IP, or IPv6).
Security Rules: Ensure network access control and security group rules allow relevant traffic.
Route Table Configuration
IPv4:
Route to all destinations: 0.0.0.0/0.
Route to specific public IPv4 addresses.
IPv6:
Route to all destinations: ::/0.
Use Egress-Only Internet Gateway for outbound IPv6 access, preventing inbound access.
Egress-Only Internet Gateway
Purpose: Provides outbound Internet access for IPv6 addressed instances and prevents inbound access.
Stateful: Forwards traffic from instances to the Internet and returns responses.
Custom Route: Create a route for ::/0 to the Egress-Only Internet Gateway.
Usage: Preferred over NAT for IPv6.

NAT Instances

Management: Managed by you.
Purpose: Enable private subnet instances to access the Internet.
Placement:
Must be in a public subnet with a route to an Internet Gateway.
Private instances in private subnets must route through the NAT instance (default route 0.0.0.0/0).
Configuration:
Disable source/destination checks on the NAT instance.
Assign security groups to NAT instances.
Security groups must allow HTTP/HTTPS inbound from private subnets and outbound to 0.0.0.0/0.
Create a route from private subnets to the NAT instance.
Traffic and Performance:
Performance is based on instance type.
Potential bottlenecks; not highly available (HA) by default.
Achieve HA with Auto Scaling groups, multiple subnets in different AZs, and failover scripts.
Scale up by increasing instance size or using enhanced networking.
Scale out by deploying multiple NAT instances in multiple subnets.
Usage:
Can function as a bastion (jump) host.
Can monitor traffic metrics.
Not supported for IPv6 (use Egress-Only Internet Gateway).

NAT Gateways

Management: Managed by AWS.
Purpose: Fully managed NAT service replacing NAT instances on EC2.
Placement:
Must be created in a public subnet.
Uses an Elastic IP for the public IP.
Private instances in private subnets must route through the NAT gateway (default route 0.0.0.0/0).
For multi-AZ redundancy, create NAT Gateways in each AZ and update routes for private subnets to use the local gateway.
Performance and Scalability:
Up to 5 Gbps bandwidth, scalable up to 45 Gbps.
Limitations:
Cannot carry traffic over VPC peering, VPN, or Direct Connect connections; those destinations need their own, more specific routes in the route table.
Port forwarding is not supported.
Cannot use as a bastion host.
Traffic metrics are not supported.
Features:
Highly available within each AZ.
Automatically assigned a public IP.
No need to patch or maintain security groups.
More secure: No SSH access and no security groups.
No need to disable source/destination checks.
IPv6:
Use Egress-Only Internet Gateway for IPv6.
NAT Gateways operate on IPv4.
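The three placement rules from these notes (a subnet is public when its route table has a route to an IGW, a NAT gateway must sit in a public subnet, and each private subnet should default-route to the NAT gateway in its own AZ) as a small audit script. This is an added example, not part of the notes; the subnet, NAT gateway and route-table dictionaries are constructed by hand and only loosely mimic `aws ec2 describe-*` output, so nothing here calls AWS.

```python
# Added example, not from these notes: classify subnets and audit NAT placement.
# Inputs are constructed by hand and only loosely mimic `aws ec2 describe-*` output.
SUBNETS = {  # SubnetId -> AvailabilityZone
    "subnet-pub-a": "us-east-1a", "subnet-pub-b": "us-east-1b",
    "subnet-priv-a": "us-east-1a", "subnet-priv-b": "us-east-1b",
    "subnet-iso-a": "us-east-1a", "subnet-v6-a": "us-east-1a",
}
NAT_GATEWAYS = {"nat-a": "subnet-pub-a", "nat-b": "subnet-pub-b"}  # NatGatewayId -> SubnetId
ROUTE_TABLES = [  # each route is (destination, target); "local" is the VPC CIDR route
    {"Associations": ["subnet-pub-a", "subnet-pub-b"],
     "Routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc")]},
    {"Associations": ["subnet-priv-a"],
     "Routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a")]},
    {"Associations": ["subnet-priv-b"],  # points at the NAT gateway in the other AZ
     "Routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a")]},
    {"Associations": ["subnet-iso-a"], "Routes": [("10.0.0.0/16", "local")]},
    {"Associations": ["subnet-v6-a"],
     "Routes": [("10.0.0.0/16", "local"), ("::/0", "eigw-0def")]},
]

def route_table_for(subnet_id, route_tables=ROUTE_TABLES):
    """Return the explicitly associated route table, or None (implicit main table)."""
    return next((rt for rt in route_tables if subnet_id in rt["Associations"]), None)

def classify_subnet(subnet_id, route_tables=ROUTE_TABLES):
    """'public', 'private-nat', 'private-egress-only-ipv6' or 'isolated'."""
    rt = route_table_for(subnet_id, route_tables)
    targets = dict(rt["Routes"]) if rt else {}
    # Any route targeting an internet gateway makes the subnet public, 0.0.0.0/0 or not.
    if any(t.startswith("igw-") for t in targets.values()):
        return "public"
    if targets.get("0.0.0.0/0", "").startswith("nat-"):
        return "private-nat"
    if targets.get("::/0", "").startswith("eigw-"):
        return "private-egress-only-ipv6"
    return "isolated"

def audit(subnets=SUBNETS, nat_gateways=NAT_GATEWAYS, route_tables=ROUTE_TABLES):
    """Flag NAT gateways outside public subnets and private subnets whose NAT is in another AZ."""
    findings = []
    for nat_id, nat_subnet in nat_gateways.items():
        if classify_subnet(nat_subnet, route_tables) != "public":
            findings.append(f"{nat_id} is in {nat_subnet}, which is not a public subnet")
    for subnet_id, az in subnets.items():
        rt = route_table_for(subnet_id, route_tables)
        target = dict(rt["Routes"]).get("0.0.0.0/0", "") if rt else ""
        nat_az = subnets.get(nat_gateways.get(target, ""))  # None if the NAT is unknown
        if target.startswith("nat-") and nat_az != az:
            findings.append(f"{subnet_id} ({az}) defaults to {target} in {nat_az}: cross-AZ NAT dependency")
    return findings
```

Running `audit()` on the sample data reports only subnet-priv-b, whose default route crosses to the NAT gateway in us-east-1a.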
Differences between NAT Instance & NAT Gateway

Attribute        | NAT Gateway                              | NAT Instance
Managed          | Managed by AWS                           | Managed by you
Availability     | Highly available within an AZ            | Not highly available (would require scripting)
Bandwidth        | Up to 45 Gbps                            | Depends on the bandwidth of the EC2 instance you selected
Maintenance      | Managed by AWS                           | Managed by you
Performance      | Optimized for NAT                        | Amazon Linux 2 AMI configured to perform NAT
Public IP        | Elastic IP cannot be detached            | Elastic IP that can be detached
Security Groups  | Cannot associate with a security group   | Can associate with a security group
Bastion Host     | Not supported                            | Can be used as a bastion host
