VPC Components: Part II
Build on your understanding of AWS VPCs by learning more about their features and components.
NAT gateways
A subnet associated with a route table that doesn’t have a route to the internet gateway is called a private subnet. Instances in private subnets have no direct connection to or from the internet. What if we want to update the software of an instance in a private subnet, or a private application needs outbound access to the internet? This is where NAT gateways come into play.
NAT gateways allow instances in private subnets to connect to the internet while still being inaccessible from the internet. Let’s see how this works.
NAT gateways are AWS-managed resources that are created in public subnets of a VPC. They allow resources like EC2 instances in private subnets to connect to the internet. In the illustration, we can see a NAT gateway in the public subnet of the VPC that’s being used by an EC2 instance in a private subnet to connect to the internet.
Note: The connections through the internet gateway are two-way (i.e., resources in public subnets can initiate connections to the internet and accept connections from it). The connection through the NAT gateway is one-way: resources in private subnets can initiate outbound connections, and only the replies to those connections are passed back, so they remain inaccessible from the internet. Just as public subnets have an internet route pointing to the internet gateway, private subnets have a route pointing to a NAT gateway.
Public subnet route example:

| Destination | Target |
|---|---|
| 0.0.0.0/0 | igw-12345678901234567 |

Private subnet route example:

| Destination | Target |
|---|---|
| 0.0.0.0/0 | ngw-12345678901234567 |
In both cases the 0.0.0.0/0 entry is the default route: traffic to any address not matched by a more specific route (such as the VPC’s own local route) is sent to the internet gateway in public subnets and to the NAT gateway in private subnets.
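As an added example (not part of this lesson or of any AWS tooling), the following Python audits route-table data in the shape returned by boto3’s describe_route_tables and describe_nat_gateways: it classifies each subnet as public or private by the target of its 0.0.0.0/0 route and flags any NAT gateway that does not sit in a public subnet, which is the misconfiguration that leaves private subnets without internet access. All IDs and data below are constructed placeholders.

```python
DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample (placeholder IDs): the main table carries the NAT route, so any
# subnet without an explicit association is private; one table sends the public
# subnet's default route to an internet gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0000000000000",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0000000000000000a"}]},
    {"RouteTableId": "rtb-public000000000000",
     "Associations": [{"SubnetId": "subnet-public0000000000"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0000000000000000a"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0000000000000000a", "SubnetId": "subnet-public0000000000"}]


def route_table_for_subnet(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def default_route(rt):
    """The 0.0.0.0/0 entry, or None when the table has no internet-bound route."""
    return next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == DEFAULT_ROUTE), None)


def subnet_kind(subnet_id, route_tables):
    """'public' if 0.0.0.0/0 targets an internet gateway, 'private' if it targets a
    NAT gateway, 'isolated' if there is no default route at all."""
    route = default_route(route_table_for_subnet(subnet_id, route_tables))
    if route is None:
        return "isolated"
    if route.get("GatewayId", "").startswith("igw-"):
        return "public"
    if route.get("NatGatewayId"):
        return "private"
    return "other"


def audit_nat_gateways(route_tables, nat_gateways):
    """A NAT gateway can only reach the internet if its own subnet is public."""
    return [f"{n['NatGatewayId']} sits in a {subnet_kind(n['SubnetId'], route_tables)} subnet"
            for n in nat_gateways if subnet_kind(n["SubnetId"], route_tables) != "public"]
```

With real data, replace the two constants with the `RouteTables` and `NatGateways` lists from the boto3 responses.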
Points to note:
- We specify an Elastic IP to associate with the NAT gateway when it’s created. Deleting the NAT gateway won’t release the Elastic IP; it stays allocated to the account until released separately.