Question

What is an Internet Gateway? What is a NAT Instance? What services do they offer?
After reading AWS VPC documentation, I observed that they both map private IP addresses to internet route-able addresses for the outgoing requests and then they route the incoming responses of the internet to the requester on the subnet.

So what are the differences between them? What scenarios do I use a NAT Instance instead of (or beside) an Internet Gateway? Are they essentially EC2 instances running some network applications or are they special hardware like a router?

Instead of simply pointing to AWS documentation links, can anyone please explain these by adding some background on what is public and private subnets so any amateur with limited knowledge of networking can understand these easily? Also, when should I use a NAT Gateway instead of a NAT instance?

Comments

The difference is that with NAT(and NAT GW) you can make a request to the internet(if configured) and get a response but the internet cannot initiate a connection to your VPN, with the internet Gateway it can

Answer 1

Internet Gateway

An Internet Gateway is a logical connection between an Amazon VPC and the Internet. It is nota physical device. Only one can be associated with each VPC. It does not limit the bandwidth of Internet connectivity. (The only limitation on bandwidth is the size of the Amazon EC2 instance, and it applies to all traffic -- internal to the VPC and out to the Internet.)

If a VPC does not have an Internet Gateway, then the resources in the VPC cannot be accessed from the Internet (unless the traffic flows via a corporate network and VPN/Direct Connect).

A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway.

You can learn more about this in the AWS Training. 

NAT Instance

A NAT Instance is an Amazon EC2 instance configured to forward traffic to the Internet. It can be launched from an existing AMI, or can be configured via User Data like this:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE
/sbin/iptables-save > /etc/sysconfig/iptables
mkdir -p /etc/sysctl.d/
cat <<EOF > /etc/sysctl.d/nat.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
EOF

Instances in a private subnet that want to access the Internet can have their Internet-bound traffic forwarded to the NAT Instance via a Route Table configuration. The NAT Instance will then make the request to the Internet (since it is in a Public Subnet) and the response will be forwarded back to the private instance.

Traffic sent to a NAT Instance will typically be sent to an IP address that is not associated with the NAT Instance itself (it will be destined for a server on the Internet). Therefore, it is important to turn off the Source/Destination Check option on the NAT Instance otherwise the traffic will be blocked.

NAT Gateway

AWS introduced a NAT Gateway Service that can take the place of a NAT Instance. The benefits of using a NAT Gateway service are:

• It is a fully-managed service -- just create it and it works automatically, including fail-over
• It can burst up to 10 Gbps (a NAT Instance is limited to the bandwidth associated with the EC2 instance type)

However:

• Security Groups cannot be associated with a NAT Gateway
• You'll need one in each AZ since they only operate in a single AZ

For a more detailed demarcation and a simplified explanation, check this out  https://www.youtube.com/watch?v=XjPUyGKRjZs

You can also check AWS SysOps training to learn more.

Comments

This Answer does tell what is the signifiant of IGW and NAt, but it does not tell why we can't use NAT instead of IGW or vice vera since both will help Instances to access Internet.

---

You can think in this way, say you have two subnets. You launch instances in both the subnets. Now if you attach IGW in of the subnets, that subnet becomes public. It means outside world can connect to that subnet. Means your instance is accessible from outside and your instance can connect to the outside world.

But if you have a requirement that outside world will not able to connect to your instance, then that time you have to use NAT in your subnet and your subnet becomes private subnet. So every instance on that subnet can connect to the outside world but outside world will not able to connect to your instances.

---

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

1. It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and

2. it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

---

Let me add one more thing to this answer. NAT instances are old stuff.  you should not use NAT instance if you can. NAT Gateway is highly available- not just one instance once you add it across multiple AZs. NAT Instance is an individual EC2 instance and therefore a single point of failure.

Answer 2

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

1. It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and

2. it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Get ready to level up your skills as an AWS Developer! Join our comprehensive AWS Developer Associate certification Course!

Answer 3

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Hope this helps!

Check out this AWS DevOps Certification to become an expert.

Thanks!

Answer 4

A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances while Internet Gateway is used to allow resources in your VPC to access internet.

Answer 5

You can use a NAT instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet, this will prevent the instances from receiving inbound traffic initiated by someone on the Internet.

While Internet gateway is used to allow objects in your VPC to access internet.

Answer 6

You can refer to the below documentation from Amazon.

Here you can understand briefly about NAT Instances and how to setup a NAT Instance.

Answer 7

The NAT instance makes it possible for instances in private subnets to access the Internet. It needs an Elastic IP, but the instances in your private subnet doesn't. If you don't use private subnets or don't have a need to enable Internet access from there, you don't need any NAT instance.

Internet Gateway is like the access door for your instances to access Internet.

Answer 8

You can see a brief difference between NAT Instance and NAT Gateway here in the documentation provided by Amazon

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

Answer 9

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

1. It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and

2. it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Answer 10

For instances to use the IGW to access the internet they need a public IP so that the response can be routed back (basically a pass through).

While utilizing a NAT means that any of your instances regardless of public IP or not can access the internet as it is more of a proxy than a pass through.

Answer 11

A NAT will allow private instances (without a public IP) to access the Internet, but not the other way around. So, for the EC2 instances that need to be available to theInternet, you need to assign a public IP. ... A public subnet means a subnet that hasinternet traffic routed through AWS's Internet Gateway.

Answer 12

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

1. It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and

2. it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Answer 13

IGW applied in VPC level  whereas NGW is applied at instance level

Answer 14

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

1. It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and

2. it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Answer 15

A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances while Internet Gateway is used to allow resources in your VPC to access internet.

Answer 16

NAT Gateways (AWS-managed) helps your VPC instances connect with the internet. These Public Subnets have a route to the internet gateway.

NAT Instances (Self-managed) allows the instances in your Private Subnets to access the internet while remaining private.

Answer 17

Hi,

You can think in this way, say you have two subnets. You launch instances in both the subnets. Now if you attach IGW in one of the subnets, that subnet becomes public. It means the outside world can connect to that subnet. It means your instance is accessible from outside and your instance can connect to the outside world.

But, if you have a requirement that the outside world will not able to connect to your instance, then that time you have to use NAT in your subnet and your subnet becomes a private subnet. So every instance on that subnet can connect to the outside world, but the outside world will not able to connect to your instances.