AWS core servicesNetworkingNetworking and securityIntermediate46 min read

What Is NAT Gateway in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A NAT Gateway is like a secure front door for computers in a private network. It lets those computers send traffic out to the internet to download updates or communicate with external services, but it blocks anyone on the internet from trying to connect directly back to those computers. This keeps the internal systems safe from direct external attacks while still allowing them to access the resources they need.

Common Commands & Configuration

aws ec2 create-nat-gateway --subnet-id subnet-public1 --allocation-id eipalloc-12345678

Creates a NAT Gateway in the specified public subnet. The allocation-id is the Elastic IP address that will be used for outbound traffic. You must provide both the subnet ID and the Elastic IP allocation ID.

The exam might ask you to complete the command. Remember that you need a pre-allocated Elastic IP (not just an IP address) and that the subnet must be public (with a route to an IGW).

aws ec2 create-route --route-table-id rtb-12345678 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-0abcd1234efgh5678

Adds a route in a private subnet's route table that sends all internet-bound traffic to the specified NAT Gateway. This is required after creating the NAT Gateway for private instances to use it.

This step is often the missing piece in exam scenarios. Without this route, private instances cannot reach the internet even if the NAT Gateway exists. You must associate the route table with the private subnet.

aws ec2 describe-nat-gateways --filter Name=state,Values=available

Lists all NAT Gateways that are available. Useful for monitoring and automation. You can filter by state, VPC ID, or subnet.

The exam tests that you know the states: pending, available, deleting, and deleted. An available state means the gateway is ready to route traffic. A pending state means it's being provisioned.

aws ec2 delete-nat-gateway --nat-gateway-id nat-0abcd1234efgh5678

Deletes a NAT Gateway. After deletion, the associated Elastic IP is released, and any traffic destined to the NAT Gateway will be dropped. All connections through it will be terminated.

Deleting a NAT Gateway is irreversible. The exam may present a scenario where cost optimization is needed, and you should consider deleting unused NAT Gateways to save hourly costs.

aws ec2 describe-nat-gateways --query 'NatGateways[*].[NatGatewayId,State,SubnetId,CreateTime]' --output table

Outputs a table showing the ID, state, subnet, and creation time of all NAT Gateways. Useful for quick audits and troubleshooting.

Using --query and --output can be tested in the SysOps exam. You might be asked to identify which NAT Gateway is in a failed state or which is associated with which subnet.

aws ec2 modify-nat-gateway-attribute --nat-gateway-id nat-0abcd1234efgh5678 --attribute deleteProtection --value true

Enables deletion protection on an existing NAT Gateway to prevent accidental deletion. This is a safety feature for production environments.

The exam may ask about deletion protection as a best practice. Note that you cannot enable this during creation; you must modify after creation.

aws ec2 create-nat-gateway --subnet-id subnet-public1 --allocation-id eipalloc-12345678 --client-token myUniqueToken

Creates a NAT Gateway with an idempotency token to prevent duplicate creation in case of retries. The token must be unique per request.

Idempotency is a key concept for automation. The exam might test that using the same client token results in the same NAT Gateway being returned if the request is repeated.

aws ec2 create-tags --resources nat-0abcd1234efgh5678 --tags Key=Name,Value=Prod-NAT

Adds a tag to a NAT Gateway. Tags are important for cost allocation, resource management, and automation. You can tag during creation using the --tag-specifications parameter.

Tagging is a standard best practice across AWS exams. You might be asked to identify which command adds a tag to a NAT Gateway or how to filter by tags.

NAT Gateway appears directly in 239exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

The NAT Gateway is a highly testable concept across multiple certification exams. For the AWS Certified Cloud Practitioner, you are expected to understand the basic purpose of a NAT Gateway: it allows resources in a private subnet to access the internet while preventing inbound internet access. You might see questions that ask you to distinguish between an internet gateway and a NAT Gateway, or scenarios asking which service to use to enable a private EC2 instance to download patches. This is a fundamental cloud concept that appears frequently.

For the AWS Solutions Architect Associate (SAA-C03), the NAT Gateway is a primary objective. You must know how to design a multi-tier VPC architecture with public and private subnets. Expect scenario-based questions where you need to choose between a NAT Gateway, a NAT instance, and an internet gateway for a given requirement. You must understand high availability: deploying one NAT Gateway per Availability Zone and updating route tables accordingly. Questions may also cover cost optimization, such as when to use a NAT instance for low-traffic workloads versus a NAT Gateway for production. The exam also tests your knowledge of what protocols a NAT Gateway supports (TCP, UDP, ICMP) and what it does not support (e.g., FTP, IPSEC).

For the AWS SysOps Administrator Associate, you will need to understand how to configure and troubleshoot NAT Gateways. This includes creating the NAT Gateway, associating Elastic IPs, updating route tables, and monitoring with CloudWatch metrics (e.g., PacketsDropCount, ErrorPortAllocation). You may be asked to diagnose why instances in a private subnet cannot reach the internet, which often involves checking route tables, security groups, network ACLs, or verifying that the NAT Gateway is in a public subnet with a route to an internet gateway.

For CompTIA Network+ and Security+, the concept appears in the context of network address translation as a security control. You might be asked about the difference between SNAT and DNAT, or how NAT helps hide internal IP addresses. For CCNA, understanding NAT traversal and PAT is core, and AWS-specific implementation is less emphasized, but the underlying principles are the same.

For the Google Associate Cloud Engineer (Google ACE), the equivalent is Cloud NAT, and the concepts are very similar. For Microsoft Azure (AZ-104), the equivalent is Azure NAT Gateway or Azure Firewall. Questions on these exams will test your ability to provide outbound connectivity to private resources without exposing them.

Across all exams, the most common question types are scenario-based: "You have a VPC with a public and private subnet. You launch an EC2 instance in the private subnet that needs to download updates from the internet. How should you configure connectivity?" Other types include comparison questions: "What is the difference between a NAT Gateway and an Internet Gateway?" and troubleshooting: "An EC2 instance in a private subnet cannot access the internet. The route table has a default route pointing to a NAT Gateway. What is the likely issue?" (Answer: The NAT Gateway's subnet route table does not have a route to the internet gateway.)

Simple Meaning

Think of a large office building where some employees work in a secure, windowless inner room. These employees need to send letters and packages to the outside world, but they cannot receive any mail directly because their room has no outside address. To solve this, the building has a mailroom with a dedicated address. When an employee in the inner room wants to send out a letter, they drop it in an internal box. The mailroom takes that letter, stamps it with the building’s own address, and mails it. If someone on the outside replies, the reply comes to the mailroom, but the mailroom staff do not forward that reply to the inner room employee unless the employee had specifically requested it. The outside world never sees the inner room’s address; it only sees the building’s address.

In cloud computing, the secure inner room represents your private subnet, which contains resources like databases or application servers that should not be directly exposed to the internet. The mailroom is the NAT Gateway. Your private resources have private IP addresses that are not routable on the internet. When one of those resources needs to download a software patch or call an external API, it sends its traffic to the NAT Gateway. The NAT Gateway then changes the source IP address of that traffic from the private IP to its own public IP address, sends it out to the internet, and tracks the connection so that the response can be sent back to the correct private resource. This process is called Network Address Translation, or NAT.

The key security benefit is that the NAT Gateway is stateful: it remembers all the outbound connections it has made and only allows return traffic that is part of an established outbound session. An external attacker cannot send arbitrary traffic to your private instances because there is no direct path. The NAT Gateway simply discards any unsolicited inbound traffic. This is fundamental for building secure, multi-tier architectures in the cloud, where you want to protect your backend systems but still give them the connectivity they require to function correctly.

Without a NAT Gateway, you would have to place your instances in a public subnet with a public IP address to access the internet, which would expose them to direct attacks. You could also set up your own NAT instance on a virtual machine, but that requires manual configuration, patching, and high availability management. The NAT Gateway is a fully managed service that handles all of this automatically, scaling from a few connections to millions of connections as needed. It is a core building block for any cloud architecture that follows the principle of defense in depth.

Full Technical Definition

A NAT Gateway is a highly available, managed AWS service that performs Source Network Address Translation (SNAT) for outbound traffic originating from resources in a private subnet. It operates at the network layer (Layer 3) of the OSI model and is designed to translate the private, RFC 1918 IP addresses of instances into a single, elastic public IP address (or a set of addresses) for communication over the internet. The NAT Gateway is deployed in a specific Availability Zone (AZ) and is itself placed in a public subnet, which means it has a direct route to an internet gateway. However, it is not an internet gateway; it does not provide inbound port forwarding or static NAT for inbound connections. It only handles outbound-initiated traffic and the corresponding response traffic.

From a protocol perspective, the NAT Gateway handles TCP, UDP, and ICMP traffic. It does not support protocols that carry IP addresses in the application layer, such as FTP or SIP, unless additional application-layer gateways are used. For TCP and UDP, the NAT Gateway uses a port address translation (PAT) mechanism, also known as NAT overload. When an instance sends a packet, the NAT Gateway rewrites the source IP address to its own public IP and changes the source port to a unique port number from its ephemeral port range. It maintains a state table that maps this translated tuple (public IP, public port, destination IP, destination port) back to the original private tuple (private IP, private port). This stateful nature ensures that only packets belonging to an established session are allowed back into the private subnet.

The NAT Gateway is elastic: it automatically scales its bandwidth up to 45 Gbps by distributing traffic across multiple underlying hardware devices within the Availability Zone. For higher availability, you should deploy one NAT Gateway per Availability Zone and configure your route tables so that instances in each AZ use the NAT Gateway in that same AZ. This avoids cross-AZ data transfer charges and minimizes latency. A single NAT Gateway in one AZ, while simpler, creates a single point of failure if that AZ goes down.

Configuration is straightforward. You create the NAT Gateway in a public subnet, choose an Elastic IP address to associate with it, and then update the route table of your private subnet(s) to add a default route (0.0.0.0/0) pointing to the NAT Gateway ID. All traffic from private instances destined for the internet will then be forwarded to the NAT Gateway. The NAT Gateway itself must have a route to the internet gateway via the public subnet's route table. The NAT Gateway does not support Security Groups; you control traffic using Network ACLs at the subnet level and route tables.

In terms of cost, you are charged per hour that the NAT Gateway is provisioned and per gigabyte of data processed through it. Data processing charges are applied both for the outbound traffic and the inbound response traffic. Because of these costs, some organizations use NAT instances (a manually configured EC2 instance running NAT software) for low-traffic or test environments, but the managed NAT Gateway is strongly recommended for production workloads due to its managed availability, automatic scaling, and reduced operational overhead.

For exam purposes, it is critical to understand that a NAT Gateway cannot be used to connect to a VPC from the internet (inbound). That is the job of an internet gateway or a Virtual Private Gateway. Also, a NAT Gateway does not support VPC peering or VPN connections as a transit device. Traffic from a peered VPC using the NAT Gateway of another VPC is not supported. AWS now offers a NAT Gateway with a private IP address (no public IP) for use with AWS PrivateLink and Transit Gateway, but this is a separate offering called a private NAT Gateway. The standard NAT Gateway is always associated with a public IP.

Real-Life Example

Imagine a large university library that has a special, restricted reading room for rare books. This room has no windows and no direct entrance to the outside. Researchers inside the room cannot receive visitors directly, but they need to request books from other libraries across the country. To handle this, the library has a central interlibrary loan office located in the main lobby, which has its own street address. When a researcher in the rare books room wants a book from another library, they fill out a request form and drop it in a labeled box. The interlibrary loan office picks up the form, contacts the other library, and has the book mailed to the main library address. Once the book arrives, the interlibrary loan staff bring it to the rare books room for the researcher. The other library never knows the researcher’s exact location within the library; it only knows the central office’s address.

This analogy maps directly to a NAT Gateway. The rare books room is your private subnet with your EC2 instances or RDS databases. The researcher is an instance that needs to download patches from the internet. The interlibrary loan office is the NAT Gateway, located in the public subnet (the main lobby). The street address of the library is the Elastic IP address of the NAT Gateway. The request form is the outbound packet, and the private room’s location is the private IP address. Just as the interlibrary loan office does not allow external visitors to walk directly into the rare books room, the NAT Gateway does not allow unsolicited inbound traffic to reach your private instances.

Now consider a second scenario: the researcher wants to borrow a book from a library that requires a membership card. The interlibrary loan office presents the library card of the main library, not the researcher’s personal card. Similarly, the NAT Gateway presents its own public IP address to external servers, hiding the private IPs of your instances. If the external server were compromised, the attacker would see only the NAT Gateway’s IP and would have no way to know which private instance initiated the connection. This adds a layer of anonymity and protection.

The limitation is also clear in this analogy. If a delivery person from the other library wants to hand a package directly to the researcher, the interlibrary loan office will refuse that delivery because the researcher is in a restricted area and did not initiate the request. In the same way, a NAT Gateway drops any inbound traffic that is not part of an existing outbound session. This is intentional and is the fundamental security feature of the service.

Why This Term Matters

In modern cloud architecture, security is not just a feature; it is a fundamental requirement. One of the core security best practices is to place your application servers and databases in private subnets that have no direct internet access. This principle, known as least privilege, minimizes the attack surface by ensuring that only the necessary traffic paths exist. However, these private resources often need outbound internet access to perform essential tasks such as downloading operating system patches from Windows Update or Red Hat repositories, pulling container images from Docker Hub or Amazon ECR, sending logs to an external SIEM, or calling third-party APIs for payment processing or authentication.

Without a NAT Gateway, you would be forced to either launch these resources in public subnets with public IPs, which is a security risk, or use a bastion host or proxy server that you must manage yourself. Managing your own NAT instance (a Linux or Windows EC2 instance with iptables or Windows NAT) introduces operational overhead. You must handle patching, scaling, failover, and monitoring of that instance. If it goes down, all outbound connectivity for your private resources is lost, potentially breaking your entire application. The NAT Gateway eliminates this operational burden by being a fully managed service with built-in high availability and automatic scaling.

the NAT Gateway integrates with other AWS services. You can use it with VPC Flow Logs to monitor outbound traffic, with AWS Transit Gateway to centralize outbound connectivity across multiple VPCs, and with AWS PrivateLink for private access to services. It also supports jumbo frames and can handle a high volume of connections, making it suitable for large-scale production workloads.

From a cost perspective, while the NAT Gateway incurs hourly and data processing charges, it is often more cost-effective than running a highly available NAT instance cluster when you factor in the labor costs of managing the cluster, the cost of the EC2 instances, and the potential downtime. For organizations that need to comply with standards like PCI DSS or HIPAA, the ability to keep sensitive workloads in private subnets while still providing controlled outbound access is critical for passing audits.

the NAT Gateway matters because it is the standard, AWS-recommended way to provide outbound internet connectivity to private resources securely and reliably. It enables you to build secure, multi-tier architectures without compromising on functionality or operational simplicity.

How It Appears in Exam Questions

Exam questions about NAT Gateway typically fall into a few distinct patterns. The first and most common pattern is the architecture design question. You are given a scenario with a VPC, two subnets (public and private), and an EC2 instance in the private subnet that needs to download security patches from the internet. The correct answer involves creating a NAT Gateway in the public subnet, associating an Elastic IP, and adding a route in the private subnet's route table (0.0.0.0/0 -> NAT Gateway ID). Distractors might include using an internet gateway in the private subnet, attaching an Elastic IP directly to the private instance, or using a VPC Peering connection.

The second pattern is the comparison question. The exam may ask you to differentiate between a NAT Gateway, a NAT instance, and an Internet Gateway. You need to know that an Internet Gateway is used for both inbound and outbound internet access for instances with public IPs, while a NAT Gateway is only for outbound access for instances without public IPs. A NAT instance is a manually configured EC2 instance, while a NAT Gateway is a managed service. You should also know that a NAT Gateway supports up to 45 Gbps of bandwidth and automatically scales, whereas a NAT instance has bandwidth limits based on the instance type.

The third pattern is the high availability design question. You might be asked: "You have an application in a private subnet that requires internet access. How do you ensure that the outbound connectivity remains available even if one Availability Zone fails?" The answer is to deploy a NAT Gateway in each Availability Zone and configure the route table for the private subnet in each AZ to point to the NAT Gateway in that same AZ. A common distractor is to suggest deploying a single NAT Gateway with an Auto Scaling group, but that still has a single point of failure if the AZ itself fails.

The fourth pattern is the troubleshooting question. You are told that an EC2 instance in a private subnet cannot access the internet even though a NAT Gateway is deployed. You must identify the problem. Common issues include: the NAT Gateway is in the same private subnet instead of a public subnet, the NAT Gateway's subnet does not have a route to an internet gateway (0.0.0.0/0 -> IGW), the security group of the private instance is blocking outbound traffic (e.g., only allowing HTTPS on port 443 outbound when the NAT Gateway tries to use other ports), or the Network ACL is blocking ephemeral ports used for return traffic.

The fifth pattern is the cost optimization question. The exam may ask you to choose between a NAT Gateway and a NAT instance for a development environment with low traffic. The correct answer often points to a NAT instance to save costs, but you must also consider the operational overhead. For a production environment, the NAT Gateway is recommended despite the higher cost.

Finally, there are questions about limitations. For example, a NAT Gateway cannot be used to establish an inbound connection to a private instance. If you need inbound access to a private instance, you must use a bastion host or a VPN connection. Also, a NAT Gateway does not support VPC peering: if you have multiple VPCs peered, you cannot use the NAT Gateway in one VPC to provide internet access to instances in another VPC. Each VPC needs its own NAT Gateway or you can use a Transit Gateway with a centralized egress VPC.

Practise NAT Gateway Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a cloud architect at a small startup that runs a web application on AWS. The application consists of a web server in a public subnet that users can access, and a database server in a private subnet that stores user data. The database server needs to download updates and patches from the internet on a regular basis. However, you cannot give the database server a public IP address because that would expose it to potential attacks from the internet.

To solve this, you create a NAT Gateway in the public subnet where the web server resides. You assign it an Elastic IP address (say, 54.123.45.67). Then you create a private route table for the database server's subnet, and you add a default route (0.0.0.0/0) that points to the NAT Gateway ID. Now, when the database server tries to download a patch from a repository at 8.8.8.8, it sends the packet to its default gateway, which is the NAT Gateway. The NAT Gateway receives the packet, changes the source IP from the database's private IP (10.0.2.50) to its own public IP (54.123.45.67), records the mapping in its state table, and sends the packet to the repository. The repository sees the request coming from 54.123.45.67 and sends the response back to that IP. The NAT Gateway receives the response, looks up the state table, finds that the response belongs to the session initiated by 10.0.2.50, translates the destination IP back to 10.0.2.50, and forwards the packet into the private subnet. The database server receives the patch successfully, and the internet never knows the database's private IP.

This setup allows the database server to stay secure in the private subnet while still getting the updates it needs. It is a classic example of secure architecture that is tested on many cloud certification exams. The key takeaway is that the NAT Gateway acts as a bridge, enabling outbound connectivity without exposing the private resources to inbound traffic.

Common Mistakes

Placing the NAT Gateway in the private subnet instead of the public subnet.

A NAT Gateway needs to have a route to an internet gateway to reach the internet. Private subnets do not have a direct route to an internet gateway. Therefore, if the NAT Gateway is in a private subnet, it cannot send traffic to the internet, and the whole setup fails. The traffic from private instances goes to the NAT Gateway, but the NAT Gateway itself cannot forward it out.

Always create the NAT Gateway in a public subnet that has a route table with a default route pointing to an internet gateway.

Associating a security group with the NAT Gateway.

NAT Gateways do not support security groups. They only support Network ACLs at the subnet level. Attempting to assign a security group to a NAT Gateway will result in an error. This is a common trick in exam questions where a distractor asks you to configure a security group for the NAT Gateway.

Control traffic to and from the NAT Gateway using the Network ACL of the public subnet where the NAT Gateway resides. For the private instances, use their own security groups to control outbound traffic.

Using a single NAT Gateway for all private subnets across multiple Availability Zones without considering cross-AZ data transfer.

While a single NAT Gateway can serve multiple private subnets in different Availability Zones, traffic from an instance in AZ-A must travel to the NAT Gateway in AZ-B, which incurs cross-AZ data transfer charges and adds latency. Also, if the AZ where the NAT Gateway resides fails, all private instances lose internet access.

For high availability and cost efficiency, deploy one NAT Gateway in each Availability Zone and configure the route tables for private subnets in each AZ to point to the NAT Gateway in the same AZ.

Assuming a NAT Gateway can be used for inbound internet access to private instances.

A NAT Gateway is designed only for outbound-initiated traffic. It does not accept inbound connections from the internet. If you try to send a packet from the internet to the NAT Gateway's public IP with a destination port that is not part of an existing outbound session, the packet will be dropped.

For inbound internet access to private instances, use a bastion host (jump server) or a VPN connection. For inbound traffic to public-facing services, use an internet gateway and place the instances in a public subnet with proper security groups.

Thinking that the NAT Gateway replaces the need for a route to an internet gateway in the public subnet.

The NAT Gateway itself must reside in a public subnet that has a route to an internet gateway. The NAT Gateway uses that internet gateway to send and receive traffic. If the public subnet's route table does not have a default route pointing to the internet gateway, the NAT Gateway cannot communicate with the internet.

Ensure the public subnet's route table has a route (0.0.0.0/0 -> IGW). The private subnet's route table points to the NAT Gateway. The NAT Gateway uses the public subnet's internet gateway to reach the internet.

Using a NAT Gateway to connect to a VPC from an on-premises network via VPN or Direct Connect.

A NAT Gateway is for internet-bound traffic only. For private connectivity between an on-premises network and a VPC, you should use a Virtual Private Gateway (VPG) with VPN or Direct Connect. The NAT Gateway does not route traffic to on-premises networks.

Use a Virtual Private Gateway or AWS Transit Gateway for hybrid connectivity. The NAT Gateway is only for outbound internet traffic from private instances.

Exam Trap — Don't Get Fooled

{"trap":"The exam question says: \"You have an EC2 instance in a private subnet that needs to access the internet. You create a NAT Gateway in a public subnet and update the private subnet's route table to point 0.0.

0.0/0 to the NAT Gateway. However, the instance still cannot access the internet. What is the most likely cause?\" The trap answer is that the security group of the EC2 instance is blocking outbound traffic.

Learners often forget that security groups are stateful and outbound rules matter.","why_learners_choose_it":"Many students assume that because security groups are stateful and automatically allow return traffic, outbound rules are less critical. They also tend to focus on the inbound rules first.

In this scenario, they might check the Network ACL before the security group. The trap is that the instance's security group likely has an outbound rule that explicitly denies traffic (e.g.

, only allows port 80 outbound, but patching uses port 443, or the default outbound deny is in place).","how_to_avoid_it":"Always remember that security groups control both inbound and outbound traffic. For an instance in a private subnet to access the internet, its security group must allow outbound traffic to the destination (e.

g., HTTPS to 0.0.0.0/0). Also, remember that security group rules are evaluated as a whole; if there is no explicit allow rule for outbound traffic, it is implicitly denied. In the AWS exam, the most likely cause is often a security group rule or a Network ACL rule, not a route table issue, if the route table has been verified correct.

Systematically check: route table, then Network ACL, then security group, then operating system firewall."

Commonly Confused With

NAT GatewayvsInternet Gateway

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in a VPC and the internet. However, it is used for both inbound and outbound traffic and requires instances to have public IP addresses (either Elastic IP or a public IP assigned to the ENI). A NAT Gateway, in contrast, is only for outbound traffic and does not expose the private instances to the internet. The Internet Gateway is attached to the VPC and is the target for the default route in public subnets, while the NAT Gateway is the target for the default route in private subnets.

Think of the Internet Gateway as the main front door of a building that anyone can use to enter or exit. The NAT Gateway is a one-way delivery chute that only allows items to be sent out, and return items can come back, but no one can enter through the chute.

NAT GatewayvsNAT Instance

A NAT instance is a regular EC2 instance that you manually configure to perform network address translation. You choose the instance type, patch it, and set up failover yourself. A NAT Gateway is a fully managed service with automatic scaling, higher availability, and less operational overhead. NAT instances can be cheaper for low-traffic environments, but they require more management. NAT Gateways also support up to 45 Gbps of bandwidth, while a NAT instance's limit is based on the EC2 instance type.

A NAT instance is like hiring a security guard to manually check and pass messages. A NAT Gateway is like an automated, self-repairing mail sorter that can handle millions of letters per second without any human intervention.

NAT GatewayvsVPC Peering

VPC Peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. It is not a way to provide internet access. In fact, a NAT Gateway cannot be used across a VPC peering connection. If you have two VPCs peered, a private instance in VPC A cannot use the NAT Gateway in VPC B to access the internet. VPC Peering does not support transitive routing; each VPC must have its own internet gateway or NAT Gateway for internet access.

VPC Peering is like a private tunnel between two buildings on the same campus. If one building has a NAT Gateway to the outside, the other building cannot use that tunnel to reach the outside world through the first building. Each building needs its own connection to the outside.

NAT GatewayvsPrivate NAT Gateway

A Private NAT Gateway is a newer AWS offering that uses private IP addresses instead of public IP addresses. It is used for outbound-only traffic to other VPCs or on-premises networks through a Transit Gateway or VPN, without going through the internet. The standard NAT Gateway always has an Elastic IP address and is used for internet-bound traffic. The Private NAT Gateway is for private network-to-network communication.

If the standard NAT Gateway is a mailroom that sends letters out to the public postal system, the Private NAT Gateway is an internal courier service that delivers packages between different departments within the same company, never using the public postal service.

NAT GatewayvsAWS Site-to-Site VPN

AWS Site-to-Site VPN creates a secure tunnel between an on-premises network and a VPC. It is used for private, encrypted communication over the internet, but it is not a replacement for a NAT Gateway. A Site-to-Site VPN is for hybrid connectivity, while a NAT Gateway provides outbound internet access to resources in a private subnet. They are often used together: a private instance might access on-premises resources via the VPN and access the internet via the NAT Gateway.

The Site-to-Site VPN is a secure, dedicated phone line between two offices. The NAT Gateway is the building's outgoing mail service. You need both for different purposes.

Step-by-Step Breakdown

1

Plan your VPC architecture

Before creating a NAT Gateway, you need a VPC with at least one public subnet (where the NAT Gateway will reside) and one or more private subnets (where your resources will be). Determine how many Availability Zones you are using. For high availability, plan to deploy one NAT Gateway per Availability Zone. Also, decide on the CIDR blocks for your subnets, ensuring they do not overlap.

2

Create the public subnet

Within your VPC, create a public subnet. This subnet must have a route table that includes a default route (0.0.0.0/0) pointing to an Internet Gateway. The public subnet will host the NAT Gateway and any other resources that need direct internet access, such as bastion hosts or load balancers.

3

Create an Internet Gateway

Create an Internet Gateway and attach it to your VPC. Without an Internet Gateway, the public subnet cannot communicate with the internet. The Internet Gateway is the target for the default route in the public subnet's route table. This is a critical step because the NAT Gateway itself needs to reach the internet through this Internet Gateway.

4

Create the private subnets

Create one or more private subnets in each Availability Zone. These subnets will contain your EC2 instances, RDS databases, or other services that should not have direct internet access. Their route tables will not have a direct route to the Internet Gateway; instead, they will route internet-bound traffic to the NAT Gateway.

5

Create the NAT Gateway

Navigate to the VPC console and choose NAT Gateways. Click Create NAT Gateway. Provide a name, select the public subnet you created earlier, and allocate an Elastic IP address to associate with it. The NAT Gateway must be in a public subnet to function. Under Connectivity Type, choose Public. Then click Create NAT Gateway. It will take a few minutes to become available.

6

Update the private subnet route table

After the NAT Gateway is created, you need to configure the route tables for each private subnet. Add a route with destination 0.0.0.0/0 and target the NAT Gateway ID (e.g., nat-1234567890abcdef). This tells the private instances that any traffic destined for the internet should be sent to the NAT Gateway. If you have multiple private subnets in different Availability Zones, use separate route tables for each AZ to point to the NAT Gateway in the same AZ.

7

Verify connectivity

Launch a test EC2 instance in a private subnet. Ensure its security group allows outbound traffic (e.g., HTTPS on port 443). From the instance, try to access an internet resource, such as downloading a file from a public repository. If it works, the NAT Gateway is functioning correctly. If it fails, check the following in order: the NAT Gateway is in a public subnet with a route to the Internet Gateway, the private subnet's route table points to the NAT Gateway, the security group and Network ACL allow outbound traffic, and the operating system firewall is not blocking the connection.

8

Monitor and scale

Once operational, monitor the NAT Gateway using CloudWatch metrics such as PacketsDropCount, ActiveConnectionCount, and BytesOutToDestination. Set up alarms for high drop counts, which could indicate port allocation exhaustion (if you are using a lot of connections, consider increasing the number of NAT Gateways or scaling horizontally). For production workloads, it is also prudent to have a script or process to replace the NAT Gateway if needed, though the managed service automates most recovery.

Practical Mini-Lesson

As a cloud professional, you must understand not just how to configure a NAT Gateway, but also how to troubleshoot and optimize it in real-world scenarios. One of the most common issues is port exhaustion. Every connection through a NAT Gateway consumes a unique source port from the NAT Gateway's public IP address. The NAT Gateway provides 65,535 ports per IP address. If you have a high-traffic application with thousands of concurrent outbound connections, you may exhaust the available ports. Symptoms include intermittent connectivity failures, increased latency, and CloudWatch metrics showing ErrorPortAllocation spikes. To resolve this, you can associate additional Elastic IP addresses with the NAT Gateway (up to 8 per NAT Gateway) to expand the port space, or deploy multiple NAT Gateways and distribute traffic across them using different route tables.

Another practical consideration is the placement of Network ACLs. The NAT Gateway is in a public subnet, and that subnet has a Network ACL that can block traffic. By default, AWS creates a Network ACL that allows all inbound and outbound traffic. If you tighten it, you must ensure that you allow inbound ephemeral ports (1024-65535) for return traffic from the internet, and outbound traffic on ports 80 and 443 (and any others you need). A common mistake is to block outbound traffic on the NAT Gateway's subnet Network ACL, thinking it protects the NAT Gateway, but this actually breaks all outbound connectivity for the entire private subnet.

Also, consider the impact of using a single NAT Gateway for all Availability Zones. While it works, it creates a single point of failure and incurs cross-AZ data transfer costs. For production, deploy one per AZ. Be aware of the costs involved. The hourly charge is modest, but data processing charges can accumulate if you are transferring large volumes of data. For example, if you are using the NAT Gateway to send large log files to an external SIEM, the monthly data transfer costs might be significant. In such cases, you might consider using AWS PrivateLink to send logs to the SIEM service if it is available, or use VPC endpoints for AWS services to avoid NAT Gateway costs entirely.

Finally, always remember that the NAT Gateway is not a security appliance in the sense of a firewall. It does not inspect traffic or block malicious packets. It only performs address translation. For deep packet inspection, you would need a third-party firewall appliance or AWS Network Firewall. The NAT Gateway works in conjunction with security groups and Network ACLs to provide defense in depth. When designing your architecture, think about how you can minimize the amount of traffic that goes through the NAT Gateway by using VPC endpoints for services like S3 and DynamoDB, which are free and keep traffic within the AWS network.

a NAT Gateway is a simple but powerful service that requires careful planning regarding high availability, port capacity, cost, and proper configuration of supporting components like route tables and Network ACLs. Mastery of these details is what separates a basic understanding from a professional-level skill.

How NAT Gateway Enables Outbound Internet Access

A NAT Gateway is a managed AWS service that enables instances in a private subnet to initiate outbound traffic to the internet or other AWS services, while preventing the internet from initiating inbound connections to those instances. This is a core requirement for security-sensitive workloads, as it allows resources like databases and application servers to download patches, access APIs, or send logs without exposing them to direct external attacks.

NAT Gateway replaces the earlier NAT instance, which was a manually managed EC2 instance running NAT software. The managed service is highly available within an Availability Zone, scales automatically up to 45 Gbps, and requires no patching or maintenance from the administrator. It is designed to be simple to deploy: you associate it with an Elastic IP address and place it in a public subnet with a route to the internet gateway. Then you add a route in the private subnet's route table pointing all 0.0.0.0/0 traffic to the NAT Gateway.

For the AWS Cloud Practitioner exam, the key takeaway is that NAT Gateway is a managed service used for outbound-only internet access from private subnets. For the Solutions Architect Associate exam, you must understand its high availability limitations across AZs, its cost structure (hourly charge plus data processing fees), and how it interacts with VPC endpoints and security groups. NAT Gateway does not support IPv6 traffic; for IPv6, you must use an egress-only internet gateway. Also, NAT Gateway cannot be used to access a VPN or Direct Connect site on-premises; that requires a virtual private gateway.

Security groups attached to private instances control what outbound traffic is allowed, but the NAT Gateway itself works at the network address translation layer. It translates the source IP of the instance (private IP) to the Elastic IP of the NAT Gateway, so return traffic knows where to go. This is connection tracking: the NAT Gateway maintains state for each active flow, so responses are correctly forwarded back to the original instance.

NAT Gateway is a critical component for secure cloud architectures. It allows private resources to stay isolated while still reaching the internet when needed. Understanding its use cases, limitations, and cost implications is essential for both the Cloud Practitioner and Solutions Architect exams.

NAT Gateway Cost Optimization Strategies

NAT Gateway pricing is a common source of surprise in AWS bills. The service has two cost components: an hourly charge for each NAT Gateway in use (around $0.045 per hour depending on region) and a per-GB data processing fee for all traffic that passes through it. Both charges apply regardless of whether the gateway is idle or heavily used. This means that having multiple NAT Gateways for high availability across Availability Zones directly multiplies the cost.

For the AWS Solutions Architect Associate exam, you should know that a common best practice is to place one NAT Gateway per Availability Zone for high availability, but this triples the cost if you have three AZs. A cost-optimized alternative is to use a single NAT Gateway in one AZ and route all private subnets to it, but this creates a single point of failure and cross-AZ data transfer charges. The exam often tests this trade-off: you must choose between resilience and cost based on the scenario.

Another cost-saving technique is to use VPC endpoints for AWS services like S3, DynamoDB, or Systems Manager. When an instance in a private subnet accesses an AWS service via a VPC endpoint, the traffic stays within the AWS network and does not go through the NAT Gateway. This eliminates the data processing fee. For example, if an EC2 instance downloads a 10 GB file from S3, going through NAT Gateway would incur that per-GB processing fee, whereas using a Gateway VPC endpoint for S3 would have no such fee.

consider consolidating workloads that share the same outbound internet needs into fewer private subnets to reduce the number of NAT Gateways. For the Cloud Practitioner exam, you should remember that NAT Gateway is not free, and you should design with cost in mind. For the AWS SysOps Administrator exam, use Cost Explorer and AWS Budgets to monitor NAT Gateway spends, and consider Reserved Capacity pricing if usage is predictable.

Finally, if your workload only occasionally needs internet access, evaluate using a NAT instance (though it requires more management) or using a proxy server that can be turned off. Always check the latest AWS pricing page as costs vary by region. Incorporate these strategies into your cost management plans to avoid bill shock.

NAT Gateway High Availability and Resilience Patterns

NAT Gateway is deployed per Availability Zone (AZ) and is inherently resilient within that AZ, meaning it can handle a single instance failure inside the AZ. However, if the entire AZ goes down, the NAT Gateway in that AZ becomes unavailable. This is a critical distinction for exam scenarios: NAT Gateway is AZ-resilient but not region-resilient. To achieve high availability across a region, you must deploy a NAT Gateway in each AZ where you have private subnets that need internet access.

For the Solutions Architect Associate exam, a common architectural pattern is the "NAT Gateway in each AZ" design. You create a public subnet in each AZ, place a NAT Gateway there, and then in each private subnet's route table, you add a route to the NAT Gateway that resides in the same AZ. This way, if one AZ fails, only the private subnets in that AZ lose internet access, while the others continue unaffected. This pattern eliminates cross-AZ data transfer costs and increases resilience.

Another pattern is the single NAT Gateway design, where you place one NAT Gateway in a single AZ and route all private subnets (across all AZs) to it. This is cheaper but creates a single point of failure and incurs cross-AZ data transfer charges for traffic originating from instances in other AZs. The exam often presents a scenario with a cost constraint and asks you to recommend a solution, you must weigh the impact of an AZ outage.

For the AWS SysOps Administrator exam, you should know how to automate failover of NAT Gateway using AWS Lambda or by using Auto Scaling groups with custom routing scripts. Also, consider using NAT Gateway's automatic failover within an AZ; if the underlying hardware fails, AWS replaces it transparently. However, if you need resilience across AZs, you must plan multiple gateways.

Remember that NAT Gateway does not support Active-Passive configuration out of the box. You must implement routing tables manually. For the CCNA or Network+ exams, the concept is similar to network address translation redundancy, but AWS abstracts the hardware details. Understand that NAT Gateway is managed, meaning you don't configure failover IPs or routing protocols, AWS handles that within the AZ. Multi-AZ resilience is your responsibility.

always consider the number of AZs, cost, and uptime requirements when designing NAT Gateway deployment. The exam will test your ability to recognize when a single NAT Gateway is sufficient versus when you need one per AZ.

Comparing NAT Gateway, NAT Instance, and Internet Gateway

Understanding the differences between NAT Gateway, NAT Instance, and Internet Gateway is essential for AWS exams. An Internet Gateway (IGW) is attached to a VPC and allows both inbound and outbound internet traffic for instances in public subnets. It is horizontally scaled, highly available, and comes at no additional cost (only data transfer charges apply). NAT Gateway, by contrast, is used specifically for outbound traffic from private subnets and is a managed service with hourly and data processing costs.

A NAT Instance is an EC2 instance that you configure manually with NAT software (like iptables). It is an antecedent to the managed NAT Gateway. For the Solutions Architect Associate exam, you should know the key differences: NAT Gateway is managed (no patching), scales up to 45 Gbps, and automatically assigns an Elastic IP. NAT Instance is less scalable (limited by instance type), requires manual failover, and you must manage security groups and patches. NAT Instance can be used as a bastion host (SSH) in some configurations, while NAT Gateway cannot.

For the Cloud Practitioner exam, the focus is on when to use which: NAT Gateway for simple, secure, outbound-only access; Internet Gateway for inbound and outbound access from public subnets; NAT Instance for legacy or cost-sensitive environments where you need more control (but with higher management overhead). The exam might also ask about IPv6: NAT Gateway does not support IPv6, so you use an egress-only internet gateway for outbound IPv6 traffic from private subnets.

For the Security+ and Network+ exams, the concepts of source NAT (SNAT) and port address translation are relevant. NAT Gateway performs SNAT by translating private IPs to its Elastic IP. It also provides port address translation so multiple instances can share the same Elastic IP. The NAT Gateway maintains a connection table to map responses back to the correct instance. This is similar to how a home router works, but at cloud scale.

In the Google ACE and Azure AZ-104 exams, you might encounter similar services: Cloud NAT in GCP and Azure NAT Gateway. The core principles are the same, but implementation details differ. Knowing AWS's offering helps you compare certification knowledge.

As a best practice, always prefer NAT Gateway over NAT Instance unless you have specific requirements like cost savings for low throughput or need for a bastion host. The exam will test your ability to identify the right service based on the scenario's requirements for manageability, scalability, and cost.

Troubleshooting Clues

NAT Gateway in 'pending' state for too long

Symptom: The NAT Gateway remains in 'pending' state for more than 5 minutes, and private instances cannot reach the internet.

A NAT Gateway typically transitions from 'pending' to 'available' within a few minutes. If stuck, it often indicates a misconfigured Elastic IP (e.g., already associated with another resource) or a subnet issue (e.g., subnet not public or has no route to an internet gateway). The gateway cannot be provisioned without a valid public subnet with route 0.0.0.0/0 -> IGW.

Exam clue: This scenario appears in troubleshooting questions. The answer is to verify that the subnet has an internet gateway route and that the Elastic IP is not in use elsewhere.

No internet connectivity for private instances

Symptom: Instances in private subnets cannot ping external IPs or download packages from the internet, even though NAT Gateway is available.

The most common cause is a missing route in the private subnet's route table. Even if NAT Gateway exists, the private subnet must have a route with destination 0.0.0.0/0 pointing to the NAT Gateway ID. Security groups and network ACLs must allow outbound traffic (e.g., HTTP/HTTPS). NAT Gateway itself does not require security groups, but the instance's security group controls egress.

Exam clue: A classic exam scenario: 'I created a NAT Gateway but my instances still can't reach the internet.' The fix is to add the route or check the instance's security group outbound rules.

Cross-AZ traffic not working after AZ failure

Symptom: After an AZ outage, instances in a different AZ than the single NAT Gateway lose internet access.

If you deployed a single NAT Gateway in AZ-A, and AZ-B fails, the NAT Gateway is still running (in AZ-A), but the route table in AZ-B's private subnet still points to the NAT Gateway in AZ-A. The issue is that the instances in the failing AZ may be unreachable due to the AZ failure itself, not the NAT Gateway. However, if only the NAT Gateway's AZ fails, the single NAT Gateway becomes unavailable, causing all private instances to lose internet.

Exam clue: The exam tests that a single NAT Gateway is a single point of failure. The recommended solution is to deploy one NAT Gateway per AZ for high availability.

Elastic IP not releasing after NAT Gateway deletion

Symptom: After deleting a NAT Gateway, the associated Elastic IP continues to incur charges because it is not released.

Deleting a NAT Gateway does not automatically release the Elastic IP. You must manually release it via the AWS Management Console or CLI to avoid ongoing costs. The Elastic IP remains allocated to your account until you explicitly release it.

Exam clue: This is a common cost optimization trap in exams. The question might describe high costs after deleting a NAT Gateway, and the answer is to release the unused Elastic IP.

NAT Gateway not scaling for high throughput

Symptom: Throughput drops or connections are dropped when traffic exceeds 45 Gbps, but the NAT Gateway is the only bottleneck.

A single NAT Gateway can handle up to 45 Gbps. If you need more, you must distribute traffic across multiple NAT Gateways by using multiple AZs or multiple gateways per AZ. However, the gateway automatically scales within its limit, so this symptom usually indicates that the aggregate traffic exceeds that threshold.

Exam clue: The exam may ask what to do when a NAT Gateway is a bottleneck. The answer is to add another NAT Gateway (or use a gateway in each AZ) and distribute subnets to use different gateways.

NAT Gateway connection timeout for long-lived sessions

Symptom: Applications that maintain long idle connections (e.g., databases, SSH) experience intermittent timeouts after 5-10 minutes of inactivity.

NAT Gateway has a connection tracking table with a timeout for idle sessions (typically 5 minutes for TCP, 30 seconds for UDP, or 5 seconds for other protocols). If a connection is idle for longer than the timeout, the gateway clears the state, causing the next packet to be dropped. The application must either send keepalive packets or use a different strategy.

Exam clue: This is tested in advanced scenarios. The fix is to implement TCP keepalives at the application or OS level. The exam will not ask for exact timeout values but expects you to understand the concept of stateful NAT and idle timeouts.

Cannot use NAT Gateway for IPv6 traffic

Symptom: Instances with IPv6 addresses in a private subnet cannot reach the internet through a NAT Gateway.

NAT Gateway only supports IPv4 traffic. For outbound IPv6 traffic from private subnets, you must use an egress-only internet gateway. The egress-only IGW allows outbound communication but prevents inbound IPv6 connections.

Exam clue: This is a frequent exam question: 'What do you use for IPv6 outbound access from private subnets?' The answer is egress-only internet gateway, not NAT Gateway.

NAT Gateway health check fails in CloudWatch

Symptom: CloudWatch metric 'HealthyGatewayCount' is less than expected in multi-AZ setup, or the gateway enters an error state.

The NAT Gateway performs health checks automatically. If it reports unhealthy, it may be due to a transient AWS infrastructure issue that resolves automatically, or it could indicate a more persistent problem. However, because NAT Gateway is managed, the only action you can take is to delete and recreate it. There is no manual health check or repair you can perform.

Exam clue: The exam might present a scenario where a NAT Gateway fails and ask what to do. The correct answer is to create a new NAT Gateway in a different subnet or AZ, as you cannot repair an unhealthy managed gateway.

Memory Tip

Remember that NAT stands for Network Address Translation and that a NAT Gateway is for Outbound Only from Private subnets. Think: "NAT Out, IGW In, Private NAT Out without internet."

Learn This Topic Fully

This glossary page explains what NAT Gateway means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.A company has a VPC with two private subnets in different Availability Zones. They want to allow EC2 instances in these private subnets to download software updates from the internet. What is the MOST cost-effective and highly available solution?

2.What is the default maximum throughput of a single NAT Gateway?

3.An administrator notices that a private EC2 instance cannot download packages from the internet even though the NAT Gateway is in the 'available' state. The instance's security group allows all outbound traffic. What is the most likely cause?

4.Which of the following statements about NAT Gateway and IPv6 is true?

5.A company deployed a NAT Gateway in a public subnet. After some time, the NAT Gateway was deleted to reduce costs, but the monthly bill remains high. What is the most likely reason?

6.A company uses a single NAT Gateway in AZ-A for all private subnets in three AZs. An AZ failure occurs in AZ-B. What happens to the instances in AZ-A and AZ-C?