Internet Gateway (IGW)
Internet Gateway (IGW) is an entry point to the VPC from the public.
- IGW provides NAT (Network Address Translation) for instances that have a public IP assigned:
- Translation between public IP to Private IP
- Only 1 IGW can be attached to a VPC.
- The default VPC is already attached to an IGW.
Egress Internet Gateway
Egress IGW is an outgoing-only internet gateway for IPv6-enabled resources.
- Egress IGW is used for IPv6 traffic only.
- It allows IPv6 traffic from VPC to access to the internet.
- It denies any outside traffic back into the VPC.
NAT (Network address translation)
NAT remaps source IPs or destination IPs. (It translates private IPs to public IPs and vice versa.)
- Static NAT
- A private IP is mapped to a public IP at a 1:1 ratio. (such as Internet Gateway).
- Dynamic NAT
- A range of private IPs are dynamically mapped to one or more public IPs (Home router or NAT Gateways).
- To achieve high availably, create one dynamic NAT per AZ.
Simply, NAT Gateways provides the outgoing-only internet access from the private instances.
- NAT Gateway enables instances in a private subnet to connect to the internet or other AWS resources but prevent the internet from initiating a connection to private instances.
- NAT Gateway uses an Elastic IP. The Elastic IP address cannot be changed after it is associated with the NAT Gateway.
- NAT Gateway only allows incoming traffic if a request is originated from an instance in a private subnet.
- NAT Gateway understands and allows session traffic.
- NAT Gateway must be created in a public subnet.
- The private subnet’s route table needs to be updated to route internet-bound traffic to the NAT Gateway.
- NAT Gateway does not support IPv6. You need to use the egress-only internet gateway instead.
- NAT Gateway is redundant in the AZ and auto-scale for high availability.
- It supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps.
- For fault tolerance, create NAT gateway in each AZ and change the route table of the private subnets to use the NAT Gateway in the same AZ.
- If you need to send traffic to S3 or DynamoDB that are in the same region, set up a gateway endpoint and route the traffic through the gateway endpoint instead of the NAT gateway.
- It is an instance in a public subnet that plays the same role as NAT Gateway.
- Disable Source/Destination check if it works correctly.
- Legacy feature in AWS – not highly available and might not handle large workload.
Bastion Hosts (Jump-boxes)
- A special host (e.g. EC2 instance) that sits at the perimeter (public subnet) of a VPC and functions as a secure entry point to the private parts of VPC.
- Unlike NAT Gateway (, which provide the internet access), you do perform admin tasks of private instances.
- Allow updates or configuration tweaks remotely for private subnets.
- Other private instances are connected to via SSH (Linux) or RDP (Windows) from the bastion.
To make bastion hosts highly available:
- [Option 1] You can put bastion hosts in multiple public subnets (multi-AZs) and place the network load balancer for SSH connection: for production but expensive.
- [Option 2] You can put a host in one AZ with a fixed EIP. And then setup the auto scaling group for the bastion host with minimum = 1 and maximum = 1. Use the user data script to provision the same EIP for a new host: cheaper but not fault-tolerant with some down time.