Internet Gateway (IGW)
Internet Gateway (IGW) is an entry point to the VPC from the public.
- IGW provides NAT (Network Address Translation) for instances that have a public IP assigned:
- Translation between public IP to Private IP
- Only 1 IGW can be attached to a VPC.
- The default VPC is already attached to an IGW.
Egress Internet Gateway
Egress IGW is an outgoing-only internet gateway for IPv6-enabled resources.
- Egress IGW is used for IPv6 traffic only.
- It allows IPv6 traffic from VPC to access to the internet.
- It denies any outside traffic back into the VPC.
NAT (Network address translation)
NAT remaps source IPs or destination IPs. (It translates private IPs to public IPs and vice versa.)
- Static NAT
- A private IP is mapped to a public IP at a 1:1 ratio. (such as Internet Gateway).
- Dynamic NAT
- A range of private IPs are dynamically mapped to one or more public IPs (Home router or NAT Gateways).
- To achieve high availably, create one dynamic NAT per AZ.
Simply, NAT Gateways provides the outgoing-only internet access from the private instances.
- NAT Gateway enables instances in a private subnet to connect to the internet or other AWS resources but prevent the internet from initiating a connection to private instances.
- NAT uses an Elastic IP and is assigned to a public subnet.
- NAT Gateway only allows incoming traffic if a request is originated from an instance in a private subnet.
- NAT Gateway understands and allows session traffic.
- NAT Gateway must be created in a public subnet and the part of the private subnet’s route table.
- Redundant in the AZ and auto-scale for high availability.
- For fault tolerance, create NAT gateway in each AZ.
- It is an instance in a public subnet that plays the same role as NAT Gateway.
- Disable Source/Destination check if it works correctly.
- Legacy feature in AWS – not highly available and might not handle large workload.
Bastion Hosts (Jump-boxes)
- A special host (e.g. EC2 instance) that sits at the perimeter (public subnet) of a VPC and functions as a secure entry point to the private parts of VPC.
- Unlike NAT Gateway (, which provide the internet access), you do perform admin tasks of private instances.
- Allow updates or configuration tweaks remotely for private subnets.
- Other private instances are connected to via SSH (Linux) or RDP (Windows) from the bastion.