What is it?
A NAT Gateway (Network Address Translation Gateway) is a highly available and scalable service that enables instances in a private subnet to access the internet or other AWS services while preventing the internet from initiating a connection to those instances. Unlike an Internet Gateway, which allows inbound and outbound traffic, a NAT Gateway is only for outbound internet access.
Key Concepts:
- Outbound Internet Access:
  - NAT Gateway allows instances in private subnets to connect to the internet (for tasks like software updates or downloading patches) without exposing the instances to inbound connections from the internet.
- Public vs Private Subnets:
  - Typically, the NAT Gateway is placed in a public subnet with a route to an Internet Gateway, while the instances that use the NAT Gateway are in private subnets.
- Managed by AWS:
  - NAT Gateway is fully managed by AWS, providing automatic scaling and redundancy within an Availability Zone (AZ).
Important Points:
- Private Subnets Accessing the Internet:
  - Instances in private subnets don't have public IP addresses but can still access the internet through the NAT Gateway.
- High Availability:
  - NAT Gateways are resilient within an AZ but are AZ-specific, meaning that if you want redundancy across multiple AZs, you must create a NAT Gateway in each AZ and configure your route tables accordingly.
- Stateless Service:
  - NAT Gateway does not track connections (stateless), so return traffic for outbound connections is automatically allowed.
- Elastic IP Requirement:
  - A NAT Gateway requires an Elastic IP address to be reachable by the internet.
- Billing:
  - You are billed for each hour that your NAT Gateway is running and for the amount of data processed through the gateway.
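The per-AZ layout described under High Availability, written out as a Terraform configuration. This is an added example, not part of the original notes; it assumes a VPC resource `aws_vpc.main`, an Internet Gateway `aws_internet_gateway.igw` whose public route table already sends 0.0.0.0/0 to it, and two input maps of AZ name to subnet ID (`public_subnet_ids`, `private_subnet_ids`) defined elsewhere.

```hcl
# Added example, not from the original notes. Assumes aws_vpc.main,
# aws_internet_gateway.igw and the two subnet-ID maps below already exist.
variable "public_subnet_ids"  { type = map(string) }   # e.g. { "us-east-1a" = "subnet-PLACEHOLDER" }
variable "private_subnet_ids" { type = map(string) }   # same AZ keys as public_subnet_ids

# Each NAT Gateway needs its own Elastic IP and sits in the public subnet
# of its AZ (the subnet whose route table points 0.0.0.0/0 at the IGW).
resource "aws_eip" "nat" {
  for_each = var.public_subnet_ids
  domain   = "vpc"
}

resource "aws_nat_gateway" "nat" {
  for_each      = var.public_subnet_ids
  allocation_id = aws_eip.nat[each.key].id
  subnet_id     = each.value
  depends_on    = [aws_internet_gateway.igw]   # IGW must exist before the NAT GW can work
  tags          = { Name = "nat-${each.key}" }
}

# One private route table per AZ, each defaulting to the NAT Gateway in the
# same AZ. A single shared NAT Gateway would make every private subnet lose
# outbound access when that one AZ fails; this layout isolates the blast radius.
resource "aws_route_table" "private" {
  for_each = var.private_subnet_ids
  vpc_id   = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat[each.key].id
  }
  tags = { Name = "private-rt-${each.key}" }
}

# Private instances get no public IP; their only path out is the NAT Gateway,
# and nothing on the internet can initiate a connection to them.
resource "aws_route_table_association" "private" {
  for_each       = var.private_subnet_ids
  subnet_id      = each.value
  route_table_id = aws_route_table.private[each.key].id
}
```

After `terraform apply`, a quick check is that each private route table's 0.0.0.0/0 route targets a `nat-` resource in the same AZ as the subnet it is associated with.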
Best Used For:
- Private Subnets Needing Internet Access:
  - If your private EC2 instances need access to the internet (e.g., to install software updates), you should use a NAT Gateway.
- Avoiding Public Exposure:
  - Use NAT Gateways to prevent private instances from being assigned public IPs while still giving them the ability to access the internet for outbound traffic.
Best Practices: