A NAT Gateway is a fully managed AWS service that enables instances in private subnets to access the Internet while blocking unsolicited inbound traffic. It is the recommended replacement for NAT Instances due to better performance, availability, and reduced operational overhead.
Key Points
- Managed by AWS – no patching or manual configuration required.
- High performance – starts at 5 Gbps, scales up to 100 Gbps automatically.
- Highly available within one AZ – deploy one per AZ for fault tolerance.
- Elastic IP – automatically assigned at creation.
- No Security Groups – not needed for NAT Gateway itself.
- Billing – charged per hour and per GB processed.
Deployment
- Must be in a public subnet.
- Requires an Internet Gateway to reach the Internet.
- Used by instances in private subnets via route table configuration.
- Typical flow:
Private Subnet → NAT Gateway → Internet Gateway (IGW) → Internet
Flow
- Private EC2 sends outbound request.
- NAT Gateway translates the source IP to its Elastic IP.
- Internet traffic returns to the NAT Gateway.
- NAT Gateway forwards the response to the private instance.
High Availability Notes
- One per AZ is required for full AZ-level resilience.
- No cross-AZ failover – if the AZ is down, so are its private resources.
- For multi-AZ workloads, deploy a NAT Gateway in each AZ and update route tables accordingly.