[AWS Architect] (5) VPC – IGW & NAT

Internet Gateway (IGW)

Internet Gateway (IGW) is an entry point to the VPC from the public.

  • IGW provides NAT (Network Address Translation) for instances that have a public IP assigned:
  • Translation between public IP to Private IP
  • Only 1 IGW can be attached to a VPC.
  • The default VPC is already attached to an IGW.

Egress Internet Gateway

Egress IGW is an outgoing-only internet gateway for IPv6-enabled resources.

  • Egress IGW is used for IPv6 traffic only.
  • It allows IPv6 traffic from VPC to access to the internet.
  • It denies any outside traffic back into the VPC.


NAT (Network address translation)

NAT remaps source IPs or destination IPs. (It translates private IPs to public IPs and vice versa.)

  • Static NAT
    • A private IP is mapped to a public IP at a 1:1 ratio. (such as Internet Gateway).
  • Dynamic NAT
    • A range of private IPs are dynamically mapped to one or more public IPs (Home router or NAT Gateways).
    • To achieve high availably, create one dynamic NAT per AZ.

NAT Gateways

Simply, NAT Gateways provides the outgoing-only internet access from the private instances.

  • NAT Gateway enables instances in a private subnet to connect to the internet or other AWS resources but prevent the internet from initiating a connection to private instances.
    • NAT uses an Elastic IP and is assigned to a public subnet.
    • NAT Gateway only allows incoming traffic if a request is originated from an instance in a private subnet.
    • NAT Gateway understands and allows session traffic.
  • NAT Gateway must be created in a public subnet and the part of the private subnet’s route table.
  • Redundant in the AZ and auto-scale for high availability.
    • For fault tolerance, create NAT gateway in each AZ.

NAT Instances

  • It is an instance in a public subnet that plays the same role as NAT Gateway.
  • Disable Source/Destination check if it works correctly.
  • Legacy feature in AWS – not highly available and might not handle large workload.

Bastion Hosts (Jump-boxes)

  • A special host (e.g. EC2 instance) that sits at the perimeter (public subnet) of a VPC and functions as a secure entry point to the private parts of VPC.
  • Unlike NAT Gateway (, which provide the internet access), you do perform admin tasks of private instances.
  • Allow updates or configuration tweaks remotely for private subnets.
  • Other private instances are connected to via SSH (Linux) or RDP (Windows) from the bastion.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s