What Is NAT instance in Networking?
On This Page
What do you want to do?
Quick Definition
A NAT instance is a special virtual server that acts like a bridge between a private network and the internet. It lets computers in a private subnet connect to the internet to download updates or send data, while keeping them hidden from outside access. You set it up by configuring the instance to forward traffic and by routing the private subnet's traffic through it.
Common Commands & Configuration
aws ec2 modify-instance-attribute --instance-id i-xxxxxxxxxx --source-dest-check --value falseDisables source/destination check on an EC2 instance so it can forward traffic as a NAT instance.
Appears in AWS-SAA questions where NAT instance fails to work; the likely cause is that Source/Destination Check was not disabled.
sysctl -w net.ipv4.ip_forward=1 && echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.confEnables IP forwarding in the Linux kernel, allowing the instance to route packets between subnets.
Tested in CCNA and Network+ scenarios: without this, a Linux router/NAT will drop forwarded packets.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEAdds an iptables NAT rule to masquerade outbound traffic with the instance’s public IP.
This specific rule is tested in AWS-SAA and LPI; missing it means private instances won't have internet access.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPTAllows forwarding of incoming traffic from private interface (eth1) to public interface (eth0).
Used in CCNA VLAN or iptables firewall chain questions; forgetting this causes forward drop.
aws ec2 associate-route-table --route-table-id rtb-xxxxx --subnet-id subnet-yyyyyAssociates a custom route table with a private subnet, which should have a 0.0.0.0/0 route pointing to the NAT instance.
Common AWS-SAA question: route table missing or wrong association causes private instances to be unreachable for internet.
curl -s http://checkip.amazonaws.comChecks the public IP address of an instance. Run from a private test instance to verify it exits via the NAT instance’s Elastic IP.
Appears in troubleshooting scenarios in AWS-SAA and Network+ to confirm outbound NAT works.
aws ec2 describe-instances --instance-ids i-xxxxxxxxxx --query 'Reservations[0].Instances[0].NetworkInterfaces[0].SourceDestCheck'Retrieves the state of the Source/Destination Check attribute on an instance.
Used in exam questions where you must verify if NAT operation is disabled; if true (checked), NAT fails.
iptables -t filter -A FORWARD -d 10.0.0.0/8 -j DROPDrops forwarding traffic destined to non-Internet private IPs, preventing RFC1918 inter-subnet routing (if unwanted).
Tested in network segmentation questions; ensures no accidental cross-subnet traffic through NAT instance.
NAT instance appears directly in 6exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
NAT instances appear frequently in several major IT certification exams, including AWS Certified Solutions Architect Associate (SAA), CompTIA A+, Security+, Microsoft Azure Administrator (AZ-104), Cisco CCNA, CompTIA Network+, and Google Cloud Associate Cloud Engineer (ACE). Each exam approaches the concept with a slightly different emphasis, but the underlying mechanics are consistent.
In the AWS SAA exam, NAT instances are a core networking topic under the VPC section. You need to know how to configure them, the difference between a NAT instance and a NAT Gateway, and the limitations of each. Typical questions ask you to design a high-availability architecture for outbound internet access, and you must decide whether to use a NAT instance or a NAT Gateway. The exam also tests your knowledge of the source/destination check, security group rules, and route table entries. You might be given a scenario where private instances need internet access, and you have to select the correct combination of resources.
For CompTIA Network+ and Security+, NAT instances are generally part of the broader topic of Network Address Translation. The exam expects you to understand NAT types (static, dynamic, PAT) and how they apply to cloud or virtualized environments. Questions focus on the purpose of NAT and troubleshooting connectivity issues. The Security+ exam may also tie in how NAT enhances security by hiding internal IP addresses.
In the CCNA exam, NAT is a major topic. While CCNA traditionally focuses on on-premises routers, cloud-based NAT instances appear in modern hybrid networking questions. You need to compare NAT on a physical router with NAT on a cloud instance. Cisco exams often ask about the difference between inside local, inside global, outside local, and outside global addresses, these terminologies map directly to how a NAT instance translates addresses.
For Azure AZ-104 and Google ACE, the concept is they have managed services (Azure NAT Gateway, Cloud NAT), but the exam may ask about virtual machine-based NAT solutions for scenarios where managed services are not suitable, such as when you need a custom firewall or additional logging.
Across all exams, the most common question type is scenario-based: “Your company has a VPC with a private subnet. You need instances in the private subnet to download security updates. What should you do?” The answer may be a NAT instance or a NAT Gateway. The exam often includes a distractor that suggests a bastion host or an internet gateway directly attached to the private subnet. Understanding why those options are wrong is critical.
Simple Meaning
Think of a NAT instance as a security guard at the entrance of a gated community. The residents (your private servers) live inside the community and cannot go out directly to the outside world. When a resident needs to run an errand or receive a package (like downloading an update or fetching data), they go to the security guard. The guard leaves the community, does the task on behalf of the resident, and brings back the result. To anyone outside, it looks like the guard is doing everything, so the resident’s identity and exact location stay hidden.
In cloud networking, a NAT instance is a dedicated virtual machine that sits between the private subnet and the public internet. It has one network interface in a public subnet with a public IP address, and another connection to the private subnet. When a private instance wants to reach the internet, it sends its traffic to the NAT instance. The NAT instance changes the source IP address of the packets from the private instance's internal IP to its own public IP. It remembers which internal instance sent the request so that when the response comes back, it can forward it to the correct private instance.
This setup is crucial for security because private instances never expose their own IP addresses to the internet. They remain safe from direct attacks while still being able to access external resources. It is like having a phone operator who makes calls for you, you never give your personal number, but you still get the information you need. The NAT instance itself must be carefully configured with proper security groups, routing tables, and source/destination check settings to function correctly. If any of these are misconfigured, the private instances may lose internet connectivity entirely.
Full Technical Definition
A NAT instance is a cloud compute resource, typically a virtual machine (VM) or instance in a public cloud platform like Amazon Web Services (AWS), that performs Network Address Translation (NAT) for outbound traffic originating from instances in a private subnet. It enables private resources to communicate with the internet or other external networks while preventing unsolicited inbound connections from reaching those private instances.
At the protocol level, a NAT instance operates by modifying the IP header of packets. When a private instance sends a packet destined for an external IP, the packet arrives at the NAT instance. The NAT instance rewrites the source IP address from the private IP of the originating instance to its own public IP. It also changes the source port number to a unique port that it uses to track the connection. This mapping is stored in an internal state table. When a response packet arrives from the external destination, the NAT instance looks up the destination port in its state table, finds the corresponding private IP and port, rewrites the destination IP and port back to the original private values, and forwards the packet to the private instance.
This process is commonly known as source NAT (SNAT) or outbound NAT, as opposed to destination NAT (DNAT) used for inbound port forwarding. The NAT instance itself must be configured to disable the source/destination check at the cloud provider level, because it needs to accept traffic that is not addressed to itself. In AWS, for example, the EC2 instance must have this check disabled on its elastic network interface. Without this setting, the instance would drop any packet whose destination IP is not its own.
A NAT instance runs on a standard operating system, typically Linux, with IP forwarding enabled. The system administrator must configure iptables or a similar firewall rule to perform masquerading on the outbound interface. A typical rule uses the POSTROUTING chain of the NAT table: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE. This tells the kernel to automatically translate the source address of outgoing packets on that interface.
Routing is another essential component. The private subnet’s route table must include a default route (0.0.0.0/0) pointing to the NAT instance’s private IP address or its network interface. This ensures that all outbound internet traffic from private instances goes to the NAT instance first. The NAT instance itself must have a default route pointing to an internet gateway, which connects to the public internet.
Security groups attached to the NAT instance must allow inbound traffic from the private subnet on the necessary ports (e.g., HTTP/HTTPS if private instances need web access) and outbound traffic to the internet. Unlike a NAT Gateway, which is a managed service, a NAT instance requires manual configuration of security groups, routing, and operating system settings. It is also a single point of failure unless high-availability setups are implemented, such as using an auto scaling group or placing the NAT instance in a pair across availability zones.
In real-world IT implementation, NAT instances are often used in hybrid cloud environments, lab testing, or when fine-grained control over NAT behavior is needed. However, they have largely been replaced by managed NAT Gateways in production because NAT Gateways are highly available, automatically scale, and require less overhead. Still, understanding NAT instances is critical for cloud certification exams because they test your knowledge of routing, security groups, iptables, and the underlying mechanics of NAT rather than just clicking a managed service checkbox.
Real-Life Example
Imagine you live in a large apartment building. Each apartment has a unique number, like 101 or 204. These numbers are like private IP addresses, they work inside the building but not outside. The building’s management office has a single street address, say 123 Main Street. When you want to receive a package from a delivery driver, the driver cannot come to your individual apartment door because the building has a secure entrance. Instead, you call the front desk, and the front desk tells you, “Send it to 123 Main Street, and we will bring it up to you.”
Now, when the package arrives, it is addressed to 123 Main Street, not to your apartment number. The front desk staff recognizes your name on the package, writes down your apartment number, and delivers it to you. To the delivery driver, everything is handled by the front desk, not by the individual apartments. The apartments remain hidden from the outside. The front desk is your NAT instance, it translates the outside address (the street address) to an inside address (your apartment number).
Let’s take it a step further. Suppose you need to send a letter to a friend who lives outside the building. You cannot mail it from your apartment because the postal service requires a full street address. So you give the letter to the front desk. The front desk puts its own return address on the envelope and mails it. When your friend replies, they send the reply to the front desk. The front desk then reads the name, looks up which apartment you are in, and hand-delivers it to you. Your apartment number never appears on the envelope.
In cloud networking, the apartment building is your Virtual Private Cloud (VPC). The apartments are the private subnets with instances. The front desk is the NAT instance. The building’s street address is the public IP address of the NAT instance. The delivery driver is the internet. The entire process, receiving packages and sending letters, is the two-way traffic flow that happens when private instances need to access the internet for updates, API calls, or any external communication.
This analogy also reveals a potential weakness: if the front desk is closed or the staff is unavailable, no one in the building can send or receive packages. That is exactly why a single NAT instance is a single point of failure. In production, you would want multiple front desks or a managed service that never sleeps.
Why This Term Matters
In modern cloud infrastructure, security is the top priority. One of the fundamental principles is to keep your resources in private subnets where they cannot be directly accessed from the internet. However, those same resources often need internet access to download patches, pull container images, connect to third-party APIs, or send logs to external monitoring services. NAT instances provide a way to give that access without compromising security.
Understanding NAT instances matters because it teaches you how network traffic actually flows inside a cloud environment. When you configure a NAT instance, you must manually set up routing tables, security groups, IP forwarding, and firewall rules. This hands-on knowledge is invaluable for troubleshooting connectivity issues. If private instances cannot reach the internet, you know to check the route table, the NAT instance's security group, and whether source/destination check is disabled.
NAT instances also highlight the trade-off between control and convenience. Managed services like NAT Gateways are easier but offer less customization. With a NAT instance, you can add custom logging, packet inspection, or even run a VPN client on the same instance. This is why some enterprises still choose NAT instances for specific compliance or auditing requirements.
For IT professionals, knowing the difference between a NAT instance, a NAT gateway, and a bastion host is critical. Many job interview questions and certification scenarios revolve around choosing the right networking component for a given use case. NAT instances are also a stepping stone to understanding more complex networking concepts like VPC peering, transit gateways, and site-to-site VPNs. Mastering this term builds a solid foundation for cloud architecture and network security.
How It Appears in Exam Questions
NAT instance questions appear in three main patterns: configuration, scenario, and troubleshooting.
Configuration questions ask you to identify the correct steps to set up a NAT instance. For example: “A solutions architect needs to configure a NAT instance in AWS. Which two actions are required to ensure that instances in a private subnet can access the internet?” The answers often include disabling source/destination check, updating the route table, and enabling IP forwarding on the OS. You might also be asked which iptables rule is correct for masquerading.
Scenario questions present a business requirement and ask you to choose the appropriate solution. Example: “An e-commerce platform uses a VPC with a public and private subnet. The application servers in the private subnet must fetch product images from an external CDN. Which networking component should be used to allow this traffic?” The correct answer is a NAT instance or NAT Gateway. A common distractor is a bastion host, which is used for administrative SSH access, not outbound traffic.
Troubleshooting questions describe a situation where private instances lose internet access after a change. You need to analyze the possible causes. For instance: “After deploying a new NAT instance, the instances in the private subnet cannot reach the internet. The route table has a 0.0.0.0/0 entry pointing to the NAT instance’s private IP. What is the most likely issue?” The answer often involves the source/destination check still being enabled on the NAT instance, or the security group not allowing outbound traffic. Another common issue is that the NAT instance does not have a public IP address attached, or its own default route does not point to the internet gateway.
Some exams include hybrid questions that combine NAT with high availability. For example: “You need to ensure that if one NAT instance fails, traffic is still routed. Which architecture should you use?” The solution often involves placing two NAT instances in different availability zones and using a route table with multiple entries or a separate health checking mechanism.
Exam questions rarely ask for raw command syntax but may present command outputs and ask you to interpret them. Being familiar with ifconfig, route -n, iptables -t nat -L, and sysctl net.ipv4.ip_forward can give you an edge.
Finally, some questions test the cost and maintenance trade-offs. For example: “Which solution provides a fully managed, highly available NAT service?” The answer is a NAT Gateway, not a NAT instance. Recognizing these nuances is key to scoring high.
Practise NAT instance Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a cloud architect for a small startup called ‘FitTrack’ that provides a fitness tracking app. Your app’s backend runs on a VPC in AWS with two subnets: a public subnet that holds a web server, and a private subnet that holds a database server. The database server needs to install weekly security patches from the internet, but it must never be directly accessible from the internet to prevent data breaches.
To solve this, you launch an EC2 instance-based NAT instance in the public subnet. You assign it a public IP and disable the source/destination check on its network interface. You then configure the operating system to enable IP forwarding and add an iptables masquerade rule. Next, you update the route table of the private subnet to send all internet-bound traffic (0.0.0.0/0) to the private IP of the NAT instance.
Now, when the database server tries to reach a patch server on the internet, it sends the packet to the NAT instance. The NAT instance changes the source IP to its own public IP and forwards the packet. The patch server responds to the NAT instance, which then translates the destination back to the database server’s private IP and sends it along. The database server gets its patches, and its private IP remains hidden from the internet.
Three months later, the database server starts failing to update. You check the NAT instance: its security group still allows outbound traffic, but you notice that the iptables rules were accidentally flushed after a system update. You restore the masquerade rule and connectivity is restored. This scenario highlights why understanding the internal configuration of a NAT instance is crucial for real-world operations.
Common Mistakes
Forgetting to disable the source/destination check on the NAT instance's network interface.
By default, the cloud provider's network drops any packet whose destination IP is not the instance's own IP. The NAT instance must accept packets intended for other addresses to perform translation.
In the instance's network interface settings, set the source/destination check to 'Disabled'.
Attaching the NAT instance directly to the private subnet without a public subnet or internet gateway.
The NAT instance needs a connection to the internet to forward traffic. If it is in a private subnet without an internet gateway, it cannot reach external destinations.
Place the NAT instance in a public subnet that has a route to an internet gateway, and assign it a public IP or elastic IP.
Configuring the private subnet's route table to point to the NAT instance's public IP instead of its private IP.
Route tables require the next-hop IP to be a private IP reachable within the VPC. A public IP cannot be used as a next-hop in a VPC route table.
Set the route table entry for 0.0.0.0/0 to the private IP address of the NAT instance's primary network interface.
Assuming a NAT instance can handle unlimited traffic because it is a virtual machine.
NAT instances have finite CPU, memory, and network bandwidth. Under heavy load, they can become bottlenecks and drop packets.
Choose an instance type with sufficient network performance, and consider using a NAT Gateway for high-throughput or high-availability requirements.
Not enabling IP forwarding on the NAT instance's operating system.
Without IP forwarding, the OS kernel will not forward packets between network interfaces. The NAT instance will receive the traffic and drop it.
Run the command 'sysctl net.ipv4.ip_forward=1' and make it persistent in /etc/sysctl.conf.
Using a bastion host (jump box) as a NAT instance.
A bastion host is designed for administrative SSH/RDP access, not for general internet outbound traffic. It may lack the necessary iptables rules and scaling capabilities.
Use a dedicated NAT instance or a NAT Gateway for outbound internet traffic, and keep the bastion host separate for management access.
Neglecting to update security groups on the NAT instance to allow inbound traffic from the private subnet.
If the security group on the NAT instance does not allow inbound traffic from the private subnet CIDR, the NAT instance will reject the packets from private instances.
Add an inbound rule to the NAT instance's security group that allows all traffic (or required ports) from the private subnet's CIDR range.
Exam Trap — Don't Get Fooled
{"trap":"The exam question states: 'You need to allow instances in a private subnet to access the internet. You launch an EC2 instance, assign it a public IP, and attach it to the private subnet. You enable IP forwarding and update the route table.
Will this work?'","why_learners_choose_it":"Learners think that because the instance has a public IP and IP forwarding is enabled, it should work. They overlook the fact that the instance itself is in a private subnet without a route to an internet gateway."
,"how_to_avoid_it":"Remember that a NAT instance must be in a public subnet (with a route to an internet gateway) to reach the internet. A private subnet cannot directly communicate with the internet even if its instances have public IPs attached. The instance must also have the source/destination check disabled."
Commonly Confused With
A NAT Gateway is a fully managed AWS service that provides outbound internet access without requiring OS configuration or manual scaling. Unlike a NAT instance, you do not need to manage security groups, IP forwarding, or source/destination checks. NAT Gateways are highly available by default when placed in multiple availability zones.
If you use a NAT Gateway, you just create it in a public subnet and update the route table. No iptables, no EC2 maintenance. If you use a NAT instance, you have to configure everything manually.
An Internet Gateway (IGW) is a horizontally scaled, redundant VPC component that allows communication between a VPC and the internet. An IGW is attached to a VPC and is used for instances with public IPs. A NAT instance is a single EC2 instance that performs NAT, whereas an IGW is a logical gateway that does not require instance management.
An IGW is like a highway entrance for a city; any car with a pass (public IP) can use it. A NAT instance is like a private carpool service for a gated community; it takes residents out and brings them back.
A bastion host (or jump box) is used for administrative access to instances in private subnets. It typically only allows inbound SSH or RDP from specific IPs. A NAT instance is used for general outbound internet traffic, not for management. The bastion host does not usually have NAT rules configured.
A bastion host is like a secure security door to enter a building. A NAT instance is like a mailroom that sends and receives packages anonymously.
A proxy server also forwards outbound requests, but it operates at the application layer (Layer 7) rather than the network layer (Layer 3). Proxies can cache content, filter URLs, and authenticate users. A NAT instance works at Layer 3/4 and does not inspect application data.
A proxy is like a personal assistant who reads your mail before forwarding it; a NAT instance is like a postal service that just changes the return address without reading the letter.
A VPN creates an encrypted tunnel between two networks, allowing private IP communication across the internet. A NAT instance only performs address translation and does not provide encryption or tunnel endpoints. They can be used together.
A VPN is like a secure, private tunnel between two buildings. A NAT instance is like a receptionist that changes visitor badges.
Step-by-Step Breakdown
Launch an EC2 instance in a public subnet
Choose an Amazon Linux or Ubuntu AMI. Ensure the subnet has a route to an Internet Gateway (IGW). Assign an Elastic IP (public IP) to this instance so it can be reached from the internet for responses.
Disable the source/destination check
In the AWS console, select the instance, go to Networking, choose the network interface, and disable the Source/Destination Check. This allows the instance to accept traffic that is not destined to its own IP.
Enable IP forwarding on the OS
Connect to the NAT instance and run 'sudo sysctl net.ipv4.ip_forward=1'. To make the change permanent, add 'net.ipv4.ip_forward = 1' to /etc/sysctl.conf. This allows the kernel to forward packets between interfaces.
Configure iptables for masquerading
Run 'sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' to translate the source IP of outgoing packets to the instance's public IP. Save the rules so they persist across reboots.
Update the private subnet route table
In the VPC console, locate the route table associated with the private subnet. Add a route with destination 0.0.0.0/0 pointing to the private IP of the NAT instance as the target. This ensures all outbound internet traffic from the private subnet goes to the NAT instance.
Configure security groups
On the NAT instance's security group, add an inbound rule to allow traffic from the private subnet CIDR (e.g., 10.0.1.0/24) on ports required (e.g., 80, 443, 53). Add outbound rules to allow traffic to 0.0.0.0/0 on needed ports.
Test connectivity from a private instance
Launch a test instance in the private subnet (no public IP). Connect to it via SSH from a bastion host or Systems Manager. Try to ping an external host (e.g., 8.8.8.8) or run 'curl https://aws.amazon.com'. If successful, the NAT instance is working.
Monitor and ensure high availability (optional)
For production, consider launching two NAT instances in different Availability Zones, each with its own route table entry (with different priorities). Alternatively, use an Auto Scaling group with a health check to replace a failed NAT instance automatically.
Practical Mini-Lesson
Setting up and managing a NAT instance in AWS is a rite of passage for cloud engineers. It teaches you the underlying mechanics of networking that managed services hide. The first step is always choosing the right Amazon Machine Image (AMI). Amazon Linux 2 or Ubuntu 20.04 are good choices because they come with iptables pre-installed and have good documentation.
Once the instance is launched in a public subnet, the most common pitfall is forgetting to disable the source/destination check. This is a network interface attribute in AWS that prevents instances from forwarding packets not addressed to them. You must disable it explicitly. After that, you SSH into the instance and enable IP forwarding. The command 'sysctl net.ipv4.ip_forward=1' does that immediately, but you also need to persist it in /etc/sysctl.conf so it survives reboots.
The actual NAT logic is handled by iptables. The command 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' is a one-liner that does Source NAT. It tells the kernel: for every packet going out of interface eth0, rewrite the source IP to the IP of that interface. This works for both IPv4 and, with slight changes, IPv6. Be aware that by default, iptables rules are not saved after a reboot unless you use iptables-save and restore scripts.
Routing is the next piece. You must update the route table for the private subnet. The default route (0.0.0.0/0) must point to the NAT instance's private IP (not its public IP). This is a common mistake, using public IP in the route table will fail because the route table expects a target within the VPC’s CIDR range.
Security groups often cause subtle issues. The NAT instance needs an inbound rule allowing traffic from the private subnet’s CIDR. Without this, the private instance’s first packet will be dropped by the security group. Also ensure outbound rules allow traffic to the internet. A classic trap is allowing only HTTP/HTTPS but forgetting DNS (port 53), which can break domain name resolution.
Testing is crucial. Launch a test instance in the private subnet and try to access an external IP directly. If it fails, check the route table, the NAT instance's security group, and whether IP forwarding is enabled. You can also run 'tcpdump' on the NAT instance to see if packets arrive from the private subnet and leave on the public interface.
One real-world complication is that a single NAT instance is a single point of failure. If the instance crashes or becomes impaired, all private instances lose internet access. For high availability, you can place two NAT instances in different AZs and configure separate route tables for each private subnet, each pointing to its own AZ's NAT instance. Alternatively, use an Auto Scaling group with a health check to automatically replace a failed instance. Managed NAT Gateways are generally preferred for this reason, but for learning, nothing beats the hands-on experience of building your own.
NAT Instance Architecture and Key Use Cases
A NAT (Network Address Translation) instance is an Amazon EC2 instance configured to perform NAT, allowing private subnet instances to initiate outbound traffic to the internet while blocking unsolicited inbound traffic. Unlike the fully managed NAT Gateway, a NAT instance is a self-managed virtual machine that you control. In AWS, the instance sits in a public subnet with an Elastic IP, and the private subnet’s route table directs all 0.0.0.0/0 traffic to the NAT instance’s private IP. This design is foundational for exam scenarios, as it tests your ability to both configure networking manually and understand the trade-offs compared to managed services.
The core use case for a NAT instance is simple: enable outbound internet access for instances in private subnets. This is critical for tasks like downloading patches, accessing external APIs, or communicating with services not available via VPC endpoints. On the AWS Solutions Architect Associate (AWS-SAA) exam, you must know when to choose a NAT instance over a NAT Gateway. Scenarios involving tight cost controls, high-throughput needs that exceed a Gateway’s burst limits, or specialized software (e.g., custom IP translation logic) all point toward a NAT instance. On the Google ACE exam, the concept of a custom NAT appliance (similar to a Compute Engine instance acting as a gateway) is a parallel topic.
Architecturally, the NAT instance must have Source/Destination Check disabled in its EC2 network interface. This is because the instance forwards traffic that is not actually destined for itself. If you leave this enabled, the instance will drop packets silently. Network administrators (aligned with CCNA, Network+ objectives) must also configure the instance’s OS to perform IP forwarding (e.g., via sysctl net.ipv4.ip_forward=1 on Linux). Security groups for the NAT instance must allow inbound HTTP/HTTPS (ports 80, 443, and possibly ephemeral ports) from the private subnet’s CIDR, and outbound traffic to the internet. Network ACLs also play a role-they must allow ephemeral port return traffic.
On the AZ-104 exam, a similar concept is the Azure Firewall or a customized Linux VM serving as a NAT device. While AWS and Azure use different terms, the underlying IP masquerading logic is identical. Security+ and A+ exams focus on the principles of NAT-private address conservation and hiding the internal topology. Understanding the NAT instance helps you grasp how IP masquerade (PAT) works in real networks. The instance uses its source IP (the Elastic IP) to replace the private source IP of outbound packets, then maintains a mapping table to forward return traffic to the correct private instance.
One common exam pitfall involves the number of NAT instances needed for high availability. A single NAT instance is a single point of failure. To solve this, deploy two NAT instances in different Availability Zones, each with its own Elastic IP, and place them behind a Route 53 health check or an Auto Scaling group with a scaling policy based on network traffic. The exam will often present a scenario where a single NAT instance fails, causing private instances to lose internet. The correct answer is to use NAT Gateways for HA or to implement a cluster of NAT instances. When using NAT instances for IPv6, you’d need additional configuration-but note that AWS recommends using egress-only internet gateways for IPv6 outbound traffic from private subnets.
From a performance perspective, a NAT instance’s throughput depends on the EC2 instance type. Smaller instances (t2.micro) can bottleneck under heavy load, whereas a c5n.large or similarly network-optimized type can handle higher bandwidth. The exam will test your ability to choose an instance type based on required throughput (e.g., 1 Gbps vs. 10 Gbps). Also, note that NAT instances do not support port forwarding natively; this must be configured manually via iptables or equivalent. This is a critical difference from NAT Gateways, which support limited port forwarding for specific DNAT rules. Finally, remember that NAT instances are not managed-you must apply OS patches, maintain the image, and monitor their health yourself.
mastering the NAT instance architecture, its configuration (disable Source/Dest check, enable IP forwarding, set route tables), and its high-availability patterns is essential to pass networking-focused sections of the AWS-SAA, Azure AZ-104, and Network+ exams. The NAT instance is a classic example of a network appliance built from a general-purpose compute resource, and understanding its depth clarifies larger networking principles like NAT overload, connection tracking, and security group statefulness.
NAT Instance Cost Model and Performance Trade-Offs
Understanding the cost structure of a NAT instance is crucial for exam success, especially in cost-optimization scenarios on the AWS Solutions Architect Associate (AWS-SAA) and Google ACE exams. A NAT instance is billed as a standard EC2 instance-you pay for the instance running time (per-second or per-hour, depending on the generation), any attached EBS volumes, data transfer charges for outbound internet traffic, and the Elastic IP (if not associated with a running instance). Unlike a NAT Gateway, which charges per-hour and per-GB of data processed, a NAT instance’s cost is primarily the compute cost. This makes it more attractive for constant, high-volume traffic, but also introduces the operational cost of management.
The NAT Gateway pricing model is simpler: a fixed hourly rate (e.g., $0.045/hour in us-east-1) plus a per-GB data processing fee (typically $0.045/GB). If your architecture requires only a few hundred gigabytes per month, a NAT Gateway might be cheaper than a dedicated instance running 24/7. But if you need 10 TB/month, a large NAT instance (e.g., a c5n.xlarge at ~$0.216/hour) could be more cost-effective, because data transfer charges are the same for both (they both use the same internet data transfer pricing). The exam will present a scenario with monthly traffic volumes and ask you to choose between a NAT Gateway and a NAT instance based on cost. The key takeaway: for low-to-moderate traffic, Gateway is cheaper; for high traffic, a NAT instance can be cheaper per GB.
Performance-wise, NAT instances have variable throughput depending on the instance type and network performance. A t3.nano might deliver only ~0.5 Gbps, while a c5n.18xlarge can reach up to 100 Gbps. NAT Gateways, in contrast, offer up to 45 Gbps per gateway, but they also automatically scale to up to 100 Gbps when using multiple Elastic IPs per NAT Gateway. The exam tests your ability to choose an instance type that meets required throughput without over-provisioning. For example, if a workload needs 10 Gbps sustained, a NAT instance like r5n.4xlarge (~10 Gbps) would be a better fit than a Gateway that could throttle if you misconfigure the elastic IP count.
NAT instances incur network I/O charges if you exceed the free tier, and they contribute to your overall EC2 compute usage. For the AWS-SAA exam, you must also factor in the cost of EBS snapshots used for AMI backups and the cost of data transfer between AZs. If you implement a highly available pair of NAT instances across two AZs, you double the compute cost but can still be cheaper than two NAT Gateways if traffic is high enough.
The Google ACE exam emphasizes a similar concept: a custom NAT appliance on Compute Engine (a VM with IP forwarding) versus Google Cloud NAT (managed). The managed service is priced per month per gateway plus per-GB processing. If your exam scenario involves high egress traffic (e.g., a video processing pipeline sending large files externally), a custom NAT instance reduces cost. However, the operational overhead of patching, scaling, and monitoring the custom appliance is a hidden cost that Cloud NAT eliminates. The exam will test whether you weigh both direct and indirect costs.
From a security viewpoint, the cost of a NAT instance also includes the labor of security group management, OS hardening, and patching. A NAT Gateway is a fully managed AWS service with built-in security, automatically updated. Security+ and A+ exams don’t dive into pricing, but they test the principle: using managed services reduces operational cost and risk. The AWS-SAA exam explicitly asks, “What is the most cost-effective solution for allowing private instances to access the internet?” when the traffic is steady and high-volume. The answer is often a NAT instance, especially if the cost of managed NAT Gateway processing fees is high relative to compute.
Finally, consider data transfer charges: NAT instances and Gateways both incur internet data transfer out (per GB) from AWS to the internet. However, if your NAT instance is in the same AZ as the private instances, cross-AZ data transfer is free. If you use multiple NAT instances across AZs, there is no cross-AZ fee for traffic within the same region, but EC2 instance-to-instance data transfer within the same AZ is free. This subtlety appears in the exam to trick candidates who assume data transfer is always charged.
when you see a cost optimization question on the AWS-SAA or Google ACE exam, compare the total monthly cost: (instance hourly rate * 730 hours) + data transfer fees for a NAT instance vs. (Gateway hourly rate * 730 hours) + (per-GB processing fee * monthly traffic) for a managed gateway. Use that to decide. Also remember that for very low traffic (under ~100 GB/month), the Gateway is cheaper because it has no minimum data fee; for high traffic, the instance wins. The exam loves this comparison.
NAT Instance Configuration Checklist (Step-by-Step)
Configuring a NAT instance in AWS involves a specific sequence of steps, each of which can be a point of failure or an exam question. This section provides a detailed, exam-oriented checklist for setting up a NAT instance that works reliably in production. The steps align with the AWS-SAA, CCNA, and Network+ learning objectives.
Step 1: Launch an EC2 instance in a public subnet. Choose an Amazon Linux AMI or any OS that supports IP forwarding (e.g., Ubuntu, Red Hat). Ensure the instance has an Elastic IP associated-this provides a static public address for outbound traffic. The instance’s private IP will be used as the route table target for private subnets. On the AWS-SAA exam, you may be asked to specify the correct AMI-Amazon Linux 2 comes pre-configured with iptables rules to enable NAT, reducing manual effort.
Step 2: Disable Source/Destination Check on the instance’s network interface. By default, EC2 instances check that they are the source or destination of all traffic. A NAT instance must forward traffic that is neither sourced from nor destined to itself. To disable this, use the AWS CLI: aws ec2 modify-instance-attribute --instance-id i-xxxxx --source-dest-check --value false. Alternatively, from the EC2 console under Networking, uncheck the checkbox. Failing to do this is the #1 cause of NAT instance failures. This appears verbatim in many exam questions: “A NAT instance is not forwarding traffic-what is the likely cause?”
Step 3: Enable IP forwarding inside the OS. On Linux, this involves editing /etc/sysctl.conf and setting net.ipv4.ip_forward = 1, then running sysctl -p. For iptables-based NAT, add a rule: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE. This rule mascarades all outbound traffic using the instance’s public IP. The exam sometimes asks you to interpret the iptables rule: the MASQUERADE target replaces the source Private IP of packets with the instance’s Elastic IP, and connection tracking ensures return traffic reaches the correct private instance.
Step 4: Configure the security group for the NAT instance. Inbound rules must allow HTTP (TCP 80) and HTTPS (TCP 443) from private subnet CIDR. Also allow ICMP (for ping testing). All outbound traffic to 0.0.0.0/0 (any protocol) is permitted. To allow return traffic, the security group must allow ephemeral ports (1024-65535) inbound from the private subnet? Actually, security groups are stateful-return traffic is automatically allowed. So only inbound from private subnet is needed. This is testable: a NAT instance with restrictive outbound rules will block private instance egress.
Step 5: Modify the private subnet route table. Add a route to 0.0.0.0/0 targeting the NAT instance’s private IP or its ENI. Do not use the public IP. The exam emphasizes that the route target must be the private IP of the NAT instance, and the NAT instance must be in the same VPC. If the private subnet’s route table points to the NAT instance’s Elastic IP, traffic will not work because the Elastic IP is associated with the instance’s public IP, and the route table expects a network interface target. This is a common trick.
Step 6: Test connectivity from a private instance. From an instance in the private subnet, run ping 8.8.8.8 (if ICMP allowed) or curl http://checkip.amazonaws.com to verify that the public IP returned is the NAT instance’s Elastic IP. If it fails, check the security group, the Source/Dest Check, and the route table target. The exam may simulate this exact troubleshooting scenario.
Step 7: For high availability, launch a second NAT instance in another public subnet (different AZ) and update the route table to have a failover route (less specific) or use a Route 53 health check / Auto Scaling to replace a failed instance. The exam will ask: “How can you improve the availability of a NAT-based outbound internet connection?” The correct answer often involves multiple NAT instances with a routing protocol or stack (not active-active; NAT is generally active-passive for stateful connections).
In real-world configuration, you also need to handle connection tracking limits. Linux connection tracking (nf_conntrack) can fill up if too many connections are established. This can lead to dropped packets. A troubleshooting step is to monitor /proc/sys/net/netfilter/nf_conntrack_count and / proc/sys/net/netfilter/nf_conntrack_max. Exam questions rarely test this deep, but knowing this can help with multi-choice questions about intermittent connectivity failures.
On the AZ-104 exam, analogous configuration would be creating a Linux VM in Azure with IP forwarding enabled and routing tables pointing to its private IP. The steps are similar: disable IP forwarding check (Azure host-level), enable forwarding in OS, and configure the route table. The CCNA exam tests general NAT configuration on Cisco routers, but the principles (inside/outside interfaces, access-lists for traffic matching) are directly translatable.
this checklist covers each critical element from instance launch to troubleshooting. Any exam covering NAT will test at least two of these steps in a scenario, particularly the Source/Destination Check and the route table target. Master this checklist and you’ll answer those questions correctly.
Security Hardening for NAT Instances (With Exam-Specific Notes)
Securing a NAT instance is critical because it sits at the boundary between your private network and the public internet. A compromised NAT instance can expose all outbound traffic and be used for malicious access to private resources. On the Security+ and Network+ exams, you’ll be tested on the fundamental security controls for such network appliances. This section covers hardening techniques and points directly to exam knowledge areas.
First, restrict inbound access to the NAT instance. The security group must only allow specific traffic from the private subnet CIDR. For example, TCP 80, 443, and a limited range of ephemeral ports (1024-65535) are typical. However, best practice is to restrict even further: only allow TCP 443 from private subnets if HTTP is not needed. The exam might ask, “Which security group inbound rule would you least likely allow for a NAT instance?” – the answer could be SSH (port 22) from anywhere. You should only allow SSH from your management or bastion host IP. Never allow all traffic (0.0.0.0/0) inbound. This matches the principle of least privilege.
Second, disable password-based authentication. Use SSH key pairs only. On Linux, ensure PasswordAuthentication no in /etc/ssh/sshd_config. This is not tested directly on most AWS exams, but Security+ includes passwordless authentication best practices.
Third, keep the NAT instance up-to-date with patches. Since it’s an EC2 instance, you should regularly update the OS using yum update or apt-get update/dist-upgrade. A standard approach is to use an Auto Scaling group with a scheduled refresh of the AMI. The AWS-SAA exam will test whether you understand that a NAT Gateway is managed (patched by AWS) whereas a NAT instance requires manual patching. The question might be, “An administrator must reduce operational overhead for outbound internet connectivity. What should they use?” – NAT Gateway.
Fourth, enforce iptables firewall rules not just for NAT but for input filtering. For example, only allow ICMP echo requests from the private subnet for troubleshooting. In the iptables INPUT chain, set default policy to DROP and only allow established and related connections. This prevents attackers from probing the NAT instance from the internet if they guess the Elastic IP. The exam may not require writing iptables commands, but it can ask about “how to protect a NAT instance from external reconnaissance.” Answer: block all inbound traffic except from private subnet and allow established connections.
Fifth, consider using a network ACL in addition to security groups for the public subnet containing the NAT instance. For inbound, allow only ephemeral ports from the private subnet (so return traffic can flow back). For outbound, allow HTTP/HTTPS to 0.0.0.0/0. The network ACL is stateless, so you must explicitly allow return traffic. This is a key difference from Security Groups. The exam expects you to know that if you use network ACLs, you need to allow inbound ephemeral ports for return traffic, and outbound ephemeral ports to private subnet for reply. Failure to do this results in asymmetric routing. Security+ and Network+ both cover stateful vs. stateless firewalls-the NAT instance scenario is a perfect example.
Sixth, enable VPC Flow Logs to monitor traffic going through the NAT instance. Flow logs capture metadata about network packets. This can help detect anomalies like a private instance exfiltrating data. The AWS-SAA exam may ask about monitoring outbound traffic from private subnets-the answer often involves enabling VPC Flow Logs on the NAT instance’s network interface. Subscription logs can be sent to CloudWatch Logs or S3. This is a hidden exam point: you cannot see traffic inside the VPC between instances with Flow Logs unless the traffic passes through the NAT instance.
Seventh, restrict the Elastic IP usage. An Elastic IP associated with a NAT instance should be attached to the instance but not exposed to unnecessary internet scanning. Use AWS Network Firewall or third-party appliances if you require deeper packet inspection. On the Google ACE exam, similar advice applies to VM-based NAT: use Cloud Armor or firewall rules to protect the VM’s external interface.
Eighth, consider the implications of the NAT instance being a single point of failure and its security posture. If the NAT instance fails, all private internet access halts. Malicious actors might target the NAT instance to disrupt connectivity. The exam will test this by asking about disaster recovery: “What can you do to improve the security and resilience of a NAT instance?” Answer: deploy an Auto Scaling group in a multi-AZ configuration with an AMI that is patched and hardened. Use termination protection and instance metadata service version 2 (IMDSv2) to prevent SSRF attacks. On Security+, you’ll learn that the NAT instance should be in a security group that allows only necessary traffic, and use a bastion host for management.
Finally, always store your NAT instance’s AMI version and have a backup plan. A simple snapshot-based approach works, but the better method is to have a golden AMI with pre-applied patches and iptables rules. The AWS-SAA exam explicitly tests this: they give a scenario where a NAT instance fails and the administrator needs to quickly restore service. The best answer is “Launch a new instance from a stored AMI with the same configuration and associate the Elastic IP.” This reinforces the idea that automation (like AWS CloudFormation) is vital for both security and recovery.
hardening a NAT instance covers security group rules, OS updates, iptables filtering, network ACLs, and monitoring. Each of these items appears in exam questions for Security+, Network+, and the networking domains of AWS-SAA. By understanding these points, you can both secure your infrastructure and ace the questions.
Troubleshooting Clues
Private instances cannot reach the internet
Symptom: From a private instance, ping to 8.8.8.8 times out, or curl to an external website fails.
Common causes: Source/Destination Check not disabled on NAT instance; missing iptables MASQUERADE rule; route table target missing or incorrect; security group blocks outbound traffic; NAT instance not in a public subnet with internet gateway attached.
Exam clue: Exam questions often list a checklist and ask for the most likely cause-always check Source/Dest Check first.
NAT instance unreachable from private subnet
Symptom: Private instances cannot SSH or ping the NAT instance's private IP.
Security group inbound rules may not allow ICMP or SSH from private subnet; or network ACL on public subnet blocks inbound traffic; or the private route table has no route to the NAT instance's private IP (should be a local route).
Exam clue: Network+ and AWS-SAA questions test that inbound security group rules must explicitly permit private subnet traffic.
NAT instance CPU or network bottleneck
Symptom: High CPU utilization on NAT instance, slow internet speeds, dropped packets.
The instance type selected is too small for the amount of traffic. NAT instances are limited by network bandwidth and CPU for connection tracking. Upgrade to a larger instance (e.g., c5n or m5n series) or use a NAT Gateway.
Exam clue: AWS-SAA cost vs. performance questions: selecting a t2.micro for high-throughput scenarios is incorrect.
Elastic IP not being used for outbound traffic
Symptom: Outbound traffic shows a private IP instead of the Elastic IP.
The MASQUERADE rule may be missing or misconfigured; or the outbound traffic is bypassing the NAT instance due to route table misconfiguration (e.g., route points to another ENI).
Exam clue: Exam questions may show a VPC where outbound traffic source IP is private-MASQUERADE rule is missing.
Connection tracking table full (nf_conntrack)
Symptom: Intermittent connectivity failures, especially under high connection count. 'conntrack: table full, dropping packet' in syslog.
Linux connection tracking has a limit (default often 65536). When exceeded, new connections are dropped. Increase /proc/sys/net/netfilter/nf_conntrack_max or use a larger instance.
Exam clue: Advanced troubleshooting questions in CCNA or AWS-SAA might reference this symptom; solution is to increase conntrack max.
Return traffic lost (asymmetric routing)
Symptom: Outbound connectivity works (requests leave) but responses never reach the private instance.
The NAT instance’s security group or network ACL does not allow inbound ephemeral ports (1024-65535) for return traffic. Also check that the private subnet route table sends responses back through the NAT instance (should be symmetric).
Exam clue: Exam asks: 'Why does a private instance get a request timeout when curling an external server?' Answer: ephemeral ports not allowed in security group.
NAT instance failed, no redundancy
Symptom: All private subnet loss internet access after the single NAT instance goes down (e.g., stopped, terminated, or impaired).
Single point of failure-no HA configuration. To resolve, use multiple NAT instances in different AZs with active-passive routing or use an Auto Scaling group with a health check.
Exam clue: AWS-SAA asks: 'How can you improve the availability of internet access for private subnets?' Answer: Deploy NAT instances in multiple AZs with route tables updated accordingly.
Incorrect security group for NAT instance (too restrictive)
Symptom: Private instances can reach the NAT instance but cannot reach internet; or NAT instance cannot reach internet.
Security group outbound rules might block all traffic; or inbound rules may not allow return traffic. Since SG is stateful, outbound rules matter-if outbound HTTP/HTTPS are denied, it fails.
Exam clue: Exam shows a scenario where outbound 0.0.0.0/0 is allowed but inbound from private subnet is only SSH; answer: missing inbound ephemeral ports? No, stateful allows return; the real issue is Outbound rule might be too restrictive.
Memory Tip
Remember: NAT instance needs three disables and two enables, disable source/dest check, enable IP forwarding, disable security group blocking, enable iptables masquerade, and ensure the route table points to the private IP.
Learn This Topic Fully
This glossary page explains what NAT instance means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →AZ-104AZ-104 →200-301Cisco CCNA →N10-009CompTIA Network+ →ACEGoogle ACE →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →SC-900SC-900 →SOA-C02SOA-C02 →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Quick Knowledge Check
1.What is the primary reason a NAT instance requires the Source/Destination Check to be disabled?
2.A company has a VPC with a public subnet and a private subnet. They launch an Amazon Linux 2 NAT instance in the public subnet with an Elastic IP. After configuring the route table for the private subnet to send 0.0.0.0/0 traffic to the NAT instance’s private IP, private instances still cannot curl an external website. The NAT instance is also unreachable via SSH from the bastion host in the public subnet. What is the most likely cause?
3.An administrator needs to allow outbound internet access from private instances in multiple Availability Zones. Traffic is moderate and cost is the primary concern. Which solution is MOST cost-effective?
4.Which of the following is a key difference between a NAT instance and a NAT Gateway?
5.An engineer troubleshoots a NAT instance and sees the following iptables rule: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1. What does this rule do?
Frequently Asked Questions
What is the difference between a NAT instance and a NAT Gateway in AWS?
A NAT instance is a manually configured EC2 instance that performs NAT. A NAT Gateway is a fully managed AWS service that automatically scales and is highly available. NAT Gateways do not require OS configuration, security group management, or source/destination check disablement.
Can a NAT instance be in a private subnet?
No, a NAT instance must be in a public subnet with a route to an Internet Gateway. If placed in a private subnet, it cannot reach the internet to forward traffic for private instances.
Do I need to assign a public IP to the NAT instance?
Yes, the NAT instance needs a public IP (Elastic IP) so that internet-based hosts can send response packets back to it. Without a public IP, responses will not be routable from the internet.
What is the source/destination check and why must it be disabled?
The source/destination check is an AWS network attribute that prevents an instance from forwarding traffic unless it is the source or destination. Disabling it allows the NAT instance to accept and forward packets that are not addressed to itself.
How do I make a NAT instance highly available?
You can launch two NAT instances in different Availability Zones, each with its own Elastic IP. Update the private subnet route tables to point to the nearest NAT instance. For automatic recovery, use an Auto Scaling group with a health check that relaunches a NAT instance if it fails.
Can a NAT instance be used for inbound port forwarding?
Yes, by adding DNAT rules in iptables (PREROUTING chain), you can forward incoming traffic from the internet to a specific port on a private instance. However, this is less common and requires careful security group and routing configuration.
What happens if the NAT instance runs out of memory or CPU?
The NAT instance may drop packets, causing connectivity issues for private instances. Monitoring and scaling the instance type or moving to a managed NAT Gateway can prevent this.
Does a NAT instance support IPv6?
By default, NAT instances handle IPv4 traffic. For IPv6, AWS provides egress-only internet gateways, not NAT instances. If you need IPv6 outbound connectivity, use an egress-only Internet Gateway for private subnets.
Summary
A NAT instance is a virtual machine that performs outbound Network Address Translation for instances in a private subnet. It allows private resources to access the internet, for updates, API calls, and external data, while keeping them protected from inbound connections. The NAT instance rewrites the source IP of outgoing packets to its own public IP and maintains a state table to redirect responses back to the correct private instance.
Understanding NAT instances is critical for cloud certification candidates because it tests deep networking knowledge: routing, security groups, iptables, and the source/destination check. While managed NAT Gateways are simpler, NAT instances give you full control and teach you how NAT actually works. They appear in scenario-based exam questions where you must choose between a bastion host, internet gateway, NAT instance, or NAT Gateway. Common mistakes include forgetting to disable the source/destination check, placing the NAT instance in a private subnet, and using its public IP in route tables.
For your exams, remember that a NAT instance is a manual, highly configurable, but potentially fragile solution. It is a single point of failure unless you design for high availability. In production, you will likely use a managed NAT Gateway, but understanding NAT instances will help you troubleshoot and design better architectures. Master this concept, and you will have a strong foundation in VPC networking and address translation.