Internet Gateways and NAT Gateways

Understanding how traffic flows between your VPC and the internet is essential. Two components govern this: the Internet Gateway (IGW), which provides full bidirectional internet access for public subnets, and the NAT Gateway, which gives private subnets outbound-only access. This lesson covers both in depth.

---

Internet Gateway (IGW)

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component. It performs two functions:

1. Acts as a target in your route table for internet-routable traffic.
2. Performs Network Address Translation (NAT) between private and public IPv4 addresses for instances with a public IP.

Key Properties

Property	Detail
Scope	One IGW per VPC
Availability	Fully managed, highly available, no bandwidth cap
Cost	No hourly charge — you pay only for data transfer
State	Must be both created and attached to a VPC

How an IGW Works — Step by Step

1. An EC2 instance in a public subnet sends a packet destined for 8.8.8.8.
2. The subnet's route table has 0.0.0.0/0 → igw-xxxx.
3. The IGW translates the instance's private IP to its public IP (or Elastic IP) and forwards the packet to the internet.
4. The response arrives at the IGW, which translates the public IP back to the private IP and delivers the packet to the instance.

Instance (10.0.1.50)
     │
     ▼
Route Table: 0.0.0.0/0 → IGW
     │
     ▼
Internet Gateway
  - Translates 10.0.1.50 ↔ 54.200.10.5 (public IP)
     │
     ▼
Internet

Attaching an IGW

You create an IGW and then attach it to your VPC. A VPC can have at most one IGW.

# Create the IGW
aws ec2 create-internet-gateway

# Attach it to a VPC
aws ec2 attach-internet-gateway \
  --internet-gateway-id igw-abc123 \
  --vpc-id vpc-xyz789

Without an IGW

If no IGW is attached to the VPC, no subnet can be public — there is simply no route to the internet. All traffic remains internal.

---

NAT Gateway

A NAT (Network Address Translation) Gateway allows instances in private subnets to initiate outbound connections to the internet — for example, to download software updates, reach external APIs, or pull container images — while preventing the internet from initiating inbound connections to those instances.

Key Properties

Property	Detail
Placement	Deployed in a public subnet (needs an IGW route)
Elastic IP	Requires an Elastic IP address
Availability	Redundant within its AZ; not cross-AZ
Bandwidth	Starts at 5 Gbps, bursts to 100 Gbps
Cost	Hourly charge + per-GB data processing fee
Protocols	TCP, UDP, ICMP

How a NAT Gateway Works — Step by Step

1. An instance in a private subnet (10.0.10.20) sends a request to https://api.example.com.
2. The private subnet's route table has 0.0.0.0/0 → nat-xxxx.
3. The packet arrives at the NAT Gateway in a public subnet.
4. The NAT Gateway replaces the source IP (10.0.10.20) with its own Elastic IP (54.200.10.99) and forwards the packet through the IGW to the internet.
5. The response comes back to the NAT Gateway's Elastic IP, which translates it back to 10.0.10.20 and returns it to the private instance.

Private Instance (10.0.10.20)
     │
     ▼
Private Route Table: 0.0.0.0/0 → nat-xxxx
     │
     ▼
NAT Gateway (Elastic IP: 54.200.10.99)
     │
     ▼
Public Route Table: 0.0.0.0/0 → igw-xxxx
     │
     ▼
Internet Gateway → Internet

High Availability for NAT Gateways