NAT Gateway
- Network Address Translation (NAT) Gateway is a managed AWS service that enables instances in private subnets to connect to the internet or other AWS services while preventing inbound connections from the internet
- Acts as a managed alternative to NAT instances, providing higher availability and bandwidth with less administrative overhead
- Deployed in public subnets and requires an Elastic IP address for outbound internet connectivity
- Critical difference: NAT Gateway allows outbound traffic but blocks unsolicited inbound traffic (stateful connection tracking)
How NAT Gateway Works
- Private subnet instances route internet-bound traffic to NAT Gateway via route table entries
- NAT Gateway translates private IP addresses to its public Elastic IP address
- Return traffic is automatically mapped back to the originating private instance
- Uses port address translation (PAT) to track multiple connections from different private instances
- For example, private instance 10.0.1.100:3000 becomes NAT-Gateway-EIP:random-port for outbound connections
NAT Gateway vs NAT Instance Comparison
| Feature | NAT Gateway | NAT Instance |
|---|---|---|
| Availability | Highly available within AZ | Single point of failure |
| Bandwidth | Up to 45 Gbps | Depends on instance type |
| Management | Fully managed by AWS | Customer managed EC2 |
| Cost | Per hour + data processing | EC2 instance costs |
| Security Groups | Cannot be associated | Can use security groups |
| Bastion Server | Cannot be used as bastion | Can serve as bastion host |
Deployment Considerations
- Deploy one NAT Gateway per Availability Zone for high availability (cross-AZ redundancy)
- Must be placed in public subnet with internet gateway route (0.0.0.0/0 → IGW)
- Private subnet route table must point default route to NAT Gateway (0.0.0.0/0 → NAT-GW-ID)
- Cannot span multiple Availability Zones - each NAT Gateway serves only its AZ
- For example, if you have private subnets in us-east-1a and us-east-1b, deploy separate NAT Gateways in public subnets of each AZ
Bandwidth and Performance
- Supports bandwidth scaling from 5 Gbps up to 45 Gbps automatically
- No need to pre-provision bandwidth - scales based on demand
- Connection tracking timeout: 350 seconds for TCP, 240 seconds for UDP
- Maximum of 55,000 simultaneous connections per unique destination
- Performance is consistent, unlike NAT instances, whose throughput depends on the underlying EC2 instance type
Vocabulary
- PAT (Port Address Translation): Method of NAT that maps multiple private IP addresses to single public IP using different port numbers
- Stateful Connection Tracking: NAT Gateway remembers outbound connections and allows corresponding return traffic
- Elastic IP (EIP): Static public IPv4 address that can be associated with NAT Gateway for consistent outbound IP
Notes
- NAT Gateway does not support IPv6 - use Egress-Only Internet Gateway for IPv6 outbound connectivity
- Security groups cannot be associated with a NAT Gateway (unlike a NAT instance) - filtering is handled at the subnet level via NACLs
- Cost consideration: Charged per hour of operation plus data processing charges - can be expensive for high-traffic scenarios
- Use a NAT Gateway when you need a managed solution with high availability; use a NAT instance only when you need additional customization or bastion host functionality
- Remember: NAT Gateway eliminates single points of failure but you must deploy multiple gateways across AZs for true redundancy
- For troubleshooting, check route tables first - most NAT connectivity issues stem from incorrect routing configuration
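The deployment considerations and the troubleshooting note above can be turned into a routing check. The script below is an added example, not part of the original notes: it runs over a constructed VPC snapshot whose field names follow the shape of the EC2 describe-subnets / describe-nat-gateways / describe-route-tables output (an assumption, so adapt the keys when feeding real API responses) and flags a NAT Gateway outside a public subnet, a private subnet with no or a dead default route, and a private subnet routed through a NAT Gateway in another AZ.

```python
# Added example (not from the original notes): validate a VPC's routing against the
# rules above. Data is a constructed snapshot; field names follow the shape of the EC2
# describe-subnets / describe-nat-gateways / describe-route-tables output (assumed).
SUBNETS = {  # subnet id -> availability zone
    "subnet-pub-a": "us-east-1a", "subnet-priv-a": "us-east-1a",
    "subnet-pub-b": "us-east-1b", "subnet-priv-b": "us-east-1b",
}
NAT_GATEWAYS = [{"NatGatewayId": "nat-0a", "SubnetId": "subnet-pub-a", "State": "available"}]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}]},
    # Misconfiguration to catch: the us-east-1b private subnet routes via the 1a gateway.
    {"Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}]},
]

def default_routes(route_tables):
    """Map each associated subnet to its 0.0.0.0/0 route; subnets without one are absent."""
    out = {}
    for rt in route_tables:
        for route in rt["Routes"]:
            if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                for assoc in rt["Associations"]:
                    out[assoc["SubnetId"]] = route
    return out

def check_routing(subnets, nat_gateways, route_tables):
    """Return a list of findings; an empty list means the layout follows the notes above."""
    findings, routes = [], default_routes(route_tables)
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    for nat_id, nat in nats.items():  # a NAT gateway must sit in a public subnet (route -> IGW)
        if not routes.get(nat["SubnetId"], {}).get("GatewayId", "").startswith("igw-"):
            findings.append(f"{nat_id}: subnet {nat['SubnetId']} has no 0.0.0.0/0 -> IGW route")
    for subnet_id, az in subnets.items():
        r = routes.get(subnet_id)
        if r is None:
            findings.append(f"{subnet_id}: no 0.0.0.0/0 route, so no internet egress")
        elif "NatGatewayId" in r:  # private subnet: NAT must exist, be up, and be in this AZ
            nat = nats.get(r["NatGatewayId"])
            if nat is None or nat["State"] != "available":
                findings.append(f"{subnet_id}: default route targets unavailable {r['NatGatewayId']}")
            elif subnets[nat["SubnetId"]] != az:
                findings.append(f"{subnet_id} ({az}): routes via {nat['NatGatewayId']} in "
                                f"{subnets[nat['SubnetId']]}; deploy one NAT gateway per AZ")
    return findings
```

Calling `check_routing(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES)` on the sample reports only the cross-AZ route for subnet-priv-b; adding a second gateway in subnet-pub-b and repointing that route clears it.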