NAT Gateway

Implementation of NAT Gateway

Exam Objective

The topic “NAT Gateway” addresses the Design and Implementation of AWS Networks as highlighted in the AWS Blueprint for the exam guide

What is NAT Gateway?

This is an appliance which is used to connect instances in your private subnet to the internet. So rather than exposing the private instances in the private subnet directly via the Internet gateway, all the traffic can be routed via the NAT gateway.

Now one can also use the NAT instance to drive traffic from private instances. But using the NAT gateway over NAT instances has the following advantages:

1) High availability – NAT gateways in each Availability Zone are implemented with redundancy. Hence it can always be ensured that it will be up and running. With the NAT instance, you have the additional maintenance overhead to ensuring the NAT instance is always up and running.

2) Bandwidth – By default, the NAT gateway supports bursts of up to 10 Gbps. For NAT Instances, this will depend on the Instance type of the Instance.

3) Maintenance – All of the maintenance of the NAT gateway is performed by AWS. In comparison, if you had a NAT instance, you would need to perform all the maintenance

Some of the reasons why you would want to use a NAT instance are in situations where you would want

1) The NAT instance to also be a Bastion Host

2) For the NAT instance to also provide port forwarding

[divider /]

AWS Certified Advanced Networking Speciality

[divider /]

Implementation of NAT Gateway

Step 1) Firstly let’s ensure we have a custom VPC defined for this exercise. If you don’t have one, go ahead and create a custom VPC.

          NAT Gateway

In our example, we have created a Custom VPC which has a CIDR block of

Step 2) Next let’s ensure we have defined 2 subnets in this VPC. One will be a public subnet and the other will be a private subnet.

So below is the snapshot of the private subnet

Private Subnet

And below is the definition of the public subnet

Public Subnet

Step 3) We will also ensure that we define a custom route table a shown below and attach it to the Public Subnet

Public Subnet - NAT Gateway

And below will be the Main route table which will be attached to the VPC and Private subnet

Private Subnet - NAT Gateway

Step 4) Next let’s go ahead and define 2 EC2 Instances. One in the private subnet and the other in the public subnet.

We will use the AMI type of Ubuntu and the Instance Type of t2.micro.

Here are both of the servers in the up and running state

NAT Instance

For the Private server, ensure the Security Group allows for incoming requests from the public server and the NAT gateway.

NAT Gateway Private IP

Here we mention the private IP of the public server for Internal SSH and the private IP of the NAT gateway for Internet access.

Step 5) Next we need to create the NAT gateway

Go ahead to the VPC section and create the NAT gateway.

VPC Dashboard

In the definition, just choose the Subnet which is the public subnet. If you don’t have an Elastic IP, you can create a new one via this screen.

Create NAT Gateway

Initially, the NAT gateway will be in the pending state as it is being provisioned.

NAT Gateway ID

Once the NAT gateway has been provisioned it will be in the available state.

NAT Gateway

Step 6) Now we need to modify the Route tables so that the Route in the main route table has a route via the NAT gateway.

NAT Gateway Routes

Step 7) Now let’s connect to the server in the public subnet. Ensure the pem key file is copied to the server so that we can connect to the private server from the public server.

Also, ensure the right permissions are given to the key pair.

NAT Gateway

Now go ahead and connect to the private server from the public server via the following command

ssh -i “awsireland.pem” ubuntu@

Step 8) To confirm that the private server can connect to the internet, update the packages on the private server

NAT Gateway

You will see that this works and this is because the private server is now connecting to the internet via the NAT gateway.

[divider /]

AWS Certified Advanced Networking Speciality

[divider /]

Important Points to Remember

  • You cannot associate Security Groups with a NAT gateway. You can associate security groups with your resources behind it to control inbound and outbound traffic.
  • You can use a network ACL to control the traffic to and from the subnet in which your NAT gateway resides.
  • The NAT gateway must be created in the public subnet
  • After creation, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet.
  • A NAT gateway supports the following protocols: TCP, UDP, and ICMP.

About Pavan Gumaste

Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.

1 thought on “Implementation of NAT Gateway”

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top