A NAT Instance is an EC2 instance that lets instances in private subnets initiate outbound connections to the Internet while unsolicited inbound connections from the Internet are never forwarded to them. It is a legacy solution, superseded by the managed NAT Gateway, but it is still tested in the AWS exam.
Key Points
- Must be deployed in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway).
- Requires an Elastic IP (EIP); an auto-assigned public IP changes when the instance is stopped and started, which breaks any external allow-list keyed on the NAT's address.
- Source/Destination Check must be disabled on the NAT Instance. By default EC2 drops packets whose source or destination is not the instance itself, which is exactly the traffic a NAT forwards.
- Private subnet route tables must send 0.0.0.0/0 traffic to the NAT Instance.
- The instance's operating system must have IP forwarding enabled and a source NAT (masquerade) rule for the private subnets; the AWS NAT AMI shipped with these preconfigured, a custom AMI has to set them up itself.
- Rewrites the source address of outbound packets to its own private IP; the Internet Gateway then translates that private IP to the EIP, so external servers see the EIP.
Architecture
- Public Subnet: Contains the NAT Instance (and possibly other public-facing resources).
- Private Subnet: Contains instances without direct Internet access.
- Internet Gateway: Provides connectivity for the NAT Instance.
- Routing:
- Public subnet route table: 0.0.0.0/0 → Internet Gateway.
- Private subnet route table: 0.0.0.0/0 → NAT Instance (the route targets the instance or its network interface, so it survives an EIP change but not an instance replacement).
Flow
- A private EC2 instance sends an outbound request; its subnet's route table forwards the packet to the NAT Instance.
- The NAT Instance rewrites the source address to its own private IP, records the mapping in its connection-tracking table, and forwards the packet towards the Internet Gateway, which translates that private IP to the EIP.
- The external server replies to the EIP; the Internet Gateway maps it back to the NAT Instance's private IP.
- The NAT Instance looks up the tracked connection, rewrites the destination back to the originating private instance and forwards the response.
- A packet arriving from the Internet that matches no tracked connection has no mapping and is not forwarded into the private subnet, which is why unsolicited inbound traffic is blocked.
Limitations
- Not highly available by default: a single instance is a single point of failure for every private subnet routed through it. Failover needs your own automation, such as one NAT Instance per AZ plus a script (or an Auto Scaling group of size one per AZ) that repoints the private route tables when an instance fails.
- Throughput is bound by the instance type's network capacity, and you patch, monitor and scale the instance yourself.
- The AWS-provided NAT AMI reached end of standard support on Dec 31, 2020, so it should not be used for new deployments; use a NAT Gateway, or a current Linux AMI configured for IP forwarding and masquerading if a NAT Instance is really required.
Security Group Recommendations
- Inbound:
- Allow HTTP (80) and HTTPS (443) from the private subnet CIDRs, plus any other port the private instances legitimately need to reach; the NAT Instance only forwards what its security group admits.
- Allow SSH (22) only from trusted IP ranges, or not at all if the instance is managed through SSM Session Manager.
- Outbound:
- Allow HTTP and HTTPS to 0.0.0.0/0 (and any other protocol being forwarded).
- Security groups are stateful, so replies to permitted connections are allowed automatically; network ACLs are not, so the public and private subnet ACLs must also permit the ephemeral-port return traffic.
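The following is an added example, not code from the original page or from AWS, that audits a NAT Instance against the Key Points above and the SSH rule from the Security Group Recommendations. It works on dictionaries in the shape returned by the AWS CLI or boto3 for describe-instances, describe-route-tables, describe-addresses and describe-security-groups, so in real use you would feed it the output of those calls; the sample VPC embedded below, including identifiers such as subnet-public, sg-nat and igw-0abc, is constructed and hypothetical.

```python
"""Audit a NAT instance against the Key Points and Security Group advice above.
The input dicts use the shape of the AWS CLI / boto3 responses to describe-instances,
describe-route-tables, describe-addresses and describe-security-groups. The sample
VPC at the bottom is constructed for this example, not captured from a real account."""
import copy

def default_route_target(route_table):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State", "active") != "active":
            continue
        for key in ("GatewayId", "InstanceId", "NatGatewayId", "NetworkInterfaceId"):
            if key in route:
                return route[key]
    return None

def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def covers_ssh(perm):
    """True if an IpPermissions entry admits TCP/22 (including 'all traffic' rules)."""
    proto = perm.get("IpProtocol")
    return proto == "-1" or (proto == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))

def audit_nat_instance(nat_id, instances, route_tables, addresses, sgs, private_subnets):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    inst = next((i for r in instances["Reservations"] for i in r["Instances"]
                 if i["InstanceId"] == nat_id), None)
    if inst is None:
        return [f"{nat_id}: instance not found"]
    tables = route_tables["RouteTables"]
    # 1. Public subnet: the NAT instance's own default route must point at an Internet Gateway.
    own_rt = route_table_for_subnet(tables, inst["SubnetId"])
    target = default_route_target(own_rt) if own_rt else None
    if not (target or "").startswith("igw-"):
        findings.append(f"{inst['SubnetId']}: not a public subnet (default route -> {target})")
    # 2. An Elastic IP must be associated with the instance.
    if not any(a.get("InstanceId") == nat_id for a in addresses["Addresses"]):
        findings.append(f"{nat_id}: no Elastic IP associated")
    # 3. Source/Destination check must be off, or EC2 drops the packets it forwards.
    if inst.get("SourceDestCheck", True):
        findings.append(f"{nat_id}: Source/Destination check still enabled")
    # 4. Every private subnet's default route must target the NAT instance.
    for subnet in private_subnets:
        rt = route_table_for_subnet(tables, subnet)
        target = default_route_target(rt) if rt else None
        if target != nat_id:
            findings.append(f"{subnet}: 0.0.0.0/0 -> {target}, expected {nat_id}")
    # 5. SSH on the NAT instance's security groups must not be open to the world.
    attached = {g["GroupId"] for g in inst.get("SecurityGroups", [])}
    for sg in sgs["SecurityGroups"]:
        if sg["GroupId"] not in attached:
            continue
        for perm in sg.get("IpPermissions", []):
            if covers_ssh(perm) and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                findings.append(f"{sg['GroupId']}: SSH reachable from 0.0.0.0/0")
    return findings

# Constructed sample VPC (hypothetical IDs): one public and one private subnet, with two
# deliberate mistakes, Source/Destination check left on and SSH open to everyone.
NAT = "i-0nat0000000000001"
INSTANCES = {"Reservations": [{"Instances": [{
    "InstanceId": NAT, "SubnetId": "subnet-public", "SourceDestCheck": True,
    "SecurityGroups": [{"GroupId": "sg-nat"}]}]}]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": NAT,
                 "NetworkInterfaceId": "eni-0nat", "State": "active"}]}]}
ADDRESSES = {"Addresses": [{"PublicIp": "203.0.113.10", "InstanceId": NAT}]}
SECURITY_GROUPS = {"SecurityGroups": [{"GroupId": "sg-nat", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

def audit_sample(fixed=False):
    """Audit the constructed VPC; fixed=True applies the two corrections first."""
    instances, sgs = copy.deepcopy(INSTANCES), copy.deepcopy(SECURITY_GROUPS)
    if fixed:
        instances["Reservations"][0]["Instances"][0]["SourceDestCheck"] = False
        sgs["SecurityGroups"][0]["IpPermissions"][1]["IpRanges"] = [{"CidrIp": "198.51.100.0/24"}]
    return audit_nat_instance(NAT, instances, ROUTE_TABLES, ADDRESSES, sgs, ["subnet-private"])

if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

Running it against the constructed VPC reports the two planted mistakes (Source/Destination check enabled, SSH open to 0.0.0.0/0) and nothing else; audit_sample(fixed=True) returns an empty list. The route-table lookup honours the VPC main table for subnets with no explicit association, which is where private subnets are most often accidentally left with an Internet Gateway default route.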