Accessing the Internet: Gateways and Route Tables
Learn to set up internet gateways and route tables for public and private subnets.
In the last lesson, we set up four subnets in two availability zones: two private and two public. But what makes them public or private?
Resources in public subnets are reachable from the internet, while resources in private subnets are not. A newly created VPC or subnet is private: its resources cannot be reached from the internet, and they cannot reach the internet either.
To give these resources access to the internet, we need a gateway. This is where internet gateways and NAT gateways come into play. Both give our instances access to the internet, but only one of them (the internet gateway) also allows access from the outside to our resources.
Internet gateways (IGWs)
An internet gateway (IGW) allows our VPC resources, such as EC2 instances, to reach the internet and to be reached from the internet.
An internet gateway is always created per VPC and manages the NAT between public IP addresses (reachable from the internet) and private IP addresses within our VPC. If we allocate a public IP address to an EC2 instance within our VPC, the internet gateway makes sure that traffic for this public IP address reaches the correct EC2 instance within the VPC. We call this inbound traffic.
It also enables outbound traffic from within our VPC to the internet. If our EC2 instance wants to download a software update, it creates an outbound request to the update server, and the internet gateway makes sure that this request can reach the update server on the internet.
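To audit which resources the internet gateway actually exposes, the following added example (not part of the original lesson) classifies subnets by the route table that applies to them and lists the instances that inbound traffic can reach. The sample data is constructed to mirror the shape of `aws ec2 describe-route-tables` and `describe-instances` output; all IDs are made up, a single VPC is assumed, and only routing is evaluated, not security groups or network ACLs.

```python
# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `describe-instances` output. All IDs are made up; a single VPC is assumed.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-private-a", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0example", "State": "active"}]},
]
SUBNET_IDS = ["subnet-pub-a", "subnet-pub-b", "subnet-priv-a", "subnet-priv-b"]
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-pub-a", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-worker", "SubnetId": "subnet-pub-b"},   # no public IP
    {"InstanceId": "i-app", "SubnetId": "subnet-priv-a"},
    {"InstanceId": "i-db", "SubnetId": "subnet-priv-b"},
]

def effective_route_table(subnet_id, route_tables):
    """An explicit association wins; otherwise the main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet_id, route_tables):
    rt = effective_route_table(subnet_id, route_tables) or {}
    routes = [r for r in rt.get("Routes", []) if r.get("State", "active") == "active"]
    if any((r.get("GatewayId") or "").startswith("igw-") for r in routes):
        return "public"                # route to the IGW: inbound and outbound
    if any(r.get("NatGatewayId") for r in routes):
        return "private-nat-egress"    # outbound only, through the NAT gateway
    return "private-isolated"          # local routes only, no internet path

def inbound_exposed(instances, subnet_ids, route_tables):
    """Instances with a public IP in a subnet that routes to the IGW."""
    kinds = {s: classify_subnet(s, route_tables) for s in subnet_ids}
    return sorted(i["InstanceId"] for i in instances
                  if i.get("PublicIpAddress") and kinds.get(i["SubnetId"]) == "public")

if __name__ == "__main__":
    print({s: classify_subnet(s, ROUTE_TABLES) for s in SUBNET_IDS},
          inbound_exposed(INSTANCES, SUBNET_IDS, ROUTE_TABLES))
```

Note that `subnet-priv-b` has no explicit association, so it falls back to the main route table, and `i-worker` sits in a public subnet but is not reachable inbound because it has no public IP address for the gateway to map.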
NAT gateways
A NAT gateway is very similar to an internet gateway, but we could consider a NAT ...