Let us Enter the NAT Gateway

Sabiha Ali
3 min read · Feb 5, 2022


A NAT gateway is a managed Network Address Translation (NAT) service.

The instances in the public subnet have public IPs. They can reach the internet directly.

The instances in the private subnet cannot communicate with the internet.

Typically, most workloads in the cloud need access to the internet. Even private instances may need internet access for operating system patches or application upgrades.

So we want private instances to be able to access the internet, while no one on the internet can initiate a connection to a private instance.

Instead of exposing the instances to the internet, we can hide them behind a NAT Gateway. We create a NAT gateway in the public subnet and route our traffic through it.

To create a NAT Gateway we will need a subnet and an Elastic IP (EIP).

The route table of the subnet containing the NAT gateway should point the default route (0.0.0.0/0) to the internet gateway. This is how the NAT gateway gets access to the internet, and how the internet can respond back to the NAT gateway.

The route table of the subnet containing the private instances should point the default route (0.0.0.0/0) to the NAT gateway. This way traffic is initiated from your workloads, passes through the NAT gateway, and goes out to the internet.

The response comes back to the NAT gateway. Because the NAT gateway tracked the connection initiated from the private subnet instance, it allows the response back to that instance.

But if a connection is initiated from the internet towards the instances, the only IP the internet can see is the EIP of the NAT gateway. This time the NAT gateway has no record of a matching initiation from the private instances, so it simply drops the packet.
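To make the routing and connection-tracking behaviour described above concrete, here is an added Python simulation (not code from this post or from AWS) of a private instance's outbound request and of how the NAT gateway treats replies versus unsolicited packets. The VPC CIDR 10.0.0.0/16, the Elastic IP 203.0.113.10, the private instance 10.0.2.15 and the internet peers are constructed values, and the connection table is a simplified model of what the real service does.

```python
"""Simulation of the path described above: a private instance's packet is
routed to the NAT gateway, rewritten to its Elastic IP, and only replies that
match a tracked outbound connection are let back in. Addresses are constructed."""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # constructed VPC range
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
NAT_EIP = "203.0.113.10"                          # constructed Elastic IP

# Route tables as the post describes them: the public subnet's default route
# points at the internet gateway, the private subnet's at the NAT gateway.
PUBLIC_RT = {VPC_CIDR: "local", DEFAULT: "igw"}
PRIVATE_RT = {VPC_CIDR: "local", DEFAULT: "nat-gw"}

def next_hop(route_table, dst):
    """Longest-prefix match, the way a VPC route table selects a target."""
    dst = ipaddress.ip_address(dst)
    matches = [net for net in route_table if dst in net]
    return route_table[max(matches, key=lambda net: net.prefixlen)]

class NatGateway:
    """Stateful NAT: remembers connections initiated from the private subnet."""
    def __init__(self, eip):
        self.eip = eip
        self.table = {}   # (eip, nat_port) -> (priv_ip, priv_port, dst_ip, dst_port)
        self._next_port = 1024

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet from a private instance; return what the internet sees."""
        nat_port = self._next_port
        self._next_port += 1
        self.table[(self.eip, nat_port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.eip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the packet as delivered to the instance, or None if dropped."""
        entry = self.table.get((dst_ip, dst_port))
        if entry is None or (entry[2], entry[3]) != (src_ip, src_port):
            return None   # no initiation from the private subnet matches: drop
        priv_ip, priv_port, _, _ = entry
        return (src_ip, src_port, priv_ip, priv_port)

def demo():
    """One patch download to a constructed server, then an unsolicited probe."""
    nat = NatGateway(NAT_EIP)
    out = nat.outbound("10.0.2.15", 40000, "198.51.100.7", 443)
    reply = nat.inbound("198.51.100.7", 443, out[0], out[1])
    probe = nat.inbound("198.51.100.99", 12345, NAT_EIP, 22)
    return next_hop(PRIVATE_RT, "198.51.100.7"), out, reply, probe
```

The reply to the tracked connection is translated back to 10.0.2.15, while the probe at the EIP has no matching entry and returns None, which is the drop the post describes.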

Some interesting points to note

  1. Specify a public subnet for the NAT Gateway.
  2. It has to have an Elastic IP associated with it. When you delete the NAT Gateway the Elastic IP will get disassociated, but will not be released.
  3. You cannot associate a security group with a NAT Gateway.
  4. A NAT gateway cannot send traffic over VPC endpoints, VPN connections, AWS Direct Connect, or VPC peering connections.
  5. It is highly available within an availability zone and managed by AWS.
  6. We cannot choose the size or type of a NAT Gateway; it is a uniform offering.
  7. We can monitor the NAT Gateway using CloudWatch.

For more titbits on AWS

Pre signed URL

Envelope encryption

NACL and SGs

Availability and Durability

Happy Learning Guys!!!!!

By Sabiha Ali, Solutions Architect, ScaleCapacity
