AWS VPC - What is the difference between Internet Gateway NAT

Question

What is an Internet Gateway? What is a NAT Instance? What services do they offer?
After reading AWS VPC documentation, I observed that they both map private IP addresses to internet route-able addresses for the outgoing requests and then they route the incoming responses of the internet to the requester on the subnet.

So what are the differences between them? What scenarios do I use a NAT Instance instead of (or beside) an Internet Gateway? Are they essentially EC2 instances running some network applications or are they special hardware like a router?

Instead of simply pointing to AWS documentation links, can anyone please explain these by adding some background on what is public and private subnets so any amateur with limited knowledge of networking can understand these easily? Also, when should I use a NAT Gateway instead of a NAT instance?

The difference is that with NAT(and NAT GW) you can make a request to the internet(if configured) and get a response but the internet cannot initiate a connection to your VPN, with the internet Gateway it can — Jul 19, 2020

Flying geek · Answer 1 · Apr 24, 2018

Best answer

Internet Gateway

An Internet Gateway is a logical connection between an Amazon VPC and the Internet. It is nota physical device. Only one can be associated with each VPC. It does not limit the bandwidth of Internet connectivity. (The only limitation on bandwidth is the size of the Amazon EC2 instance, and it applies to all traffic -- internal to the VPC and out to the Internet.)

If a VPC does not have an Internet Gateway, then the resources in the VPC cannot be accessed from the Internet (unless the traffic flows via a corporate network and VPN/Direct Connect).

A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway.

You can learn more about this in the AWS Training.

NAT Instance

A NAT Instance is an Amazon EC2 instance configured to forward traffic to the Internet. It can be launched from an existing AMI, or can be configured via User Data like this:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE
/sbin/iptables-save > /etc/sysconfig/iptables
mkdir -p /etc/sysctl.d/
cat <<EOF > /etc/sysctl.d/nat.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
EOF

Instances in a private subnet that want to access the Internet can have their Internet-bound traffic forwarded to the NAT Instance via a Route Table configuration. The NAT Instance will then make the request to the Internet (since it is in a Public Subnet) and the response will be forwarded back to the private instance.

Traffic sent to a NAT Instance will typically be sent to an IP address that is not associated with the NAT Instance itself (it will be destined for a server on the Internet). Therefore, it is important to turn off the Source/Destination Check option on the NAT Instance otherwise the traffic will be blocked.

NAT Gateway

AWS introduced a NAT Gateway Service that can take the place of a NAT Instance. The benefits of using a NAT Gateway service are:

It is a fully-managed service -- just create it and it works automatically, including fail-over
It can burst up to 10 Gbps (a NAT Instance is limited to the bandwidth associated with the EC2 instance type)

However:

Security Groups cannot be associated with a NAT Gateway
You'll need one in each AZ since they only operate in a single AZ

For a more detailed demarcation and a simplified explanation, check this out https://www.youtube.com/watch?v=XjPUyGKRjZs

You can also check AWS SysOps training to learn more.

answered Apr 24, 2018 by Flying geek
• 3,280 points
edited Jul 10, 2023 by Khan Sarfaraz

This Answer does tell what is the signifiant of IGW and NAt, but it does not tell why we can't use NAT instead of IGW or vice vera since both will help Instances to access Internet.

commented Apr 20, 2020 by anonymous

You can think in this way, say you have two subnets. You launch instances in both the subnets. Now if you attach IGW in of the subnets, that subnet becomes public. It means outside world can connect to that subnet. Means your instance is accessible from outside and your instance can connect to the outside world.

But if you have a requirement that outside world will not able to connect to your instance, then that time you have to use NAT in your subnet and your subnet becomes private subnet. So every instance on that subnet can connect to the outside world but outside world will not able to connect to your instances.

commented Apr 20, 2020 by MD
• 95,460 points

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and
it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

commented Jul 10, 2020 by Archana Baldwa

edited Jul 10, 2020 by Gitika

Let me add one more thing to this answer. NAT instances are old stuff. you should not use NAT instance if you can. NAT Gateway is highly available- not just one instance once you add it across multiple AZs. NAT Instance is an individual EC2 instance and therefore a single point of failure.

commented Nov 2, 2020 by Bimal

findingbugs · Answer 2 · Aug 2, 2018

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and
it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Get ready to level up your skills as an AWS Developer! Join our comprehensive AWS Developer Associate certification Course!

answered Aug 2, 2018 by findingbugs
• 4,780 points

Khan Sarfaraz · Answer 3 · Nov 27, 2018

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Hope this helps!

Check out this AWS DevOps Certification to become an expert.

Thanks!

answered Nov 27, 2018 by Shuvodip Ghosh

edited Jul 10, 2023 by Khan Sarfaraz

score +1 · Answer 4 · Nov 27, 2018

A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances while Internet Gateway is used to allow resources in your VPC to access internet.

answered Nov 27, 2018 by Trisha

score +1 · Answer 5 · Nov 27, 2018

The NAT instance makes it possible for instances in private subnets to access the Internet. It needs an Elastic IP, but the instances in your private subnet doesn't. If you don't use private subnets or don't have a need to enable Internet access from there, you don't need any NAT instance.

Internet Gateway is like the access door for your instances to access Internet.

score +2 · Answer 6 · Dec 10, 2018

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and
it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

score +1 · Answer 7 · Dec 10, 2018

For instances to use the IGW to access the internet they need a public IP so that the response can be routed back (basically a pass through).

While utilizing a NAT means that any of your instances regardless of public IP or not can access the internet as it is more of a proxy than a pass through.

Vardhan · Answer 8 · Feb 8, 2019

A NAT will allow private instances (without a public IP) to access the Internet, but not the other way around. So, for the EC2 instances that need to be available to theInternet, you need to assign a public IP. ... A public subnet means a subnet that hasinternet traffic routed through AWS's Internet Gateway.

score +1 · Answer 9 · Feb 8, 2019

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and
it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Rakesh · Answer 10 · Mar 13, 2020

An Internet Gateway (IGW) allows resources within your VPC to access the internet, and vice versa. In order for this to happen, there needs to be a routing table entry allowing a subnet to access the IGW.

That is to say - an IGW allows resources within your public subnet to access the internet, and the internet to access said resources.

A NAT Gateway does something similar, but with two main differences:

It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, etc), and
it only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

varsha · Answer 11 · May 16, 2020

A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances while Internet Gateway is used to allow resources in your VPC to access internet.

Theseus · Answer 12 · Sep 23, 2020

NAT Gateways (AWS-managed) helps your VPC instances connect with the internet. These Public Subnets have a route to the internet gateway.

NAT Instances (Self-managed) allows the instances in your Private Subnets to access the internet while remaining private.

MD · Answer 13 · Dec 14, 2020

Hi,

You can think in this way, say you have two subnets. You launch instances in both the subnets. Now if you attach IGW in one of the subnets, that subnet becomes public. It means the outside world can connect to that subnet. It means your instance is accessible from outside and your instance can connect to the outside world.

But, if you have a requirement that the outside world will not able to connect to your instance, then that time you have to use NAT in your subnet and your subnet becomes a private subnet. So every instance on that subnet can connect to the outside world, but the outside world will not able to connect to your instances.

score 0 · Answer 14 · Sep 18, 2021

All the other answers miss the key points...

The main distinction between an Internet Gateway and a NAT Gateway or NAT Instance has to do with what happens for IPv6 traffic. Consider the following scenarios:

1. Private IPv4 addresses on VPC Subnet with a route to Internet Gateway. One device with public IP on the subnet and one device with only a private IP.

2. Private IPv4 + IPv6 addresses on VPN Subnet with a route to Internet Gateway. One device with Public IPv4 and an IPv6 address on the subnet and one device with a Private IPv4 and an IPv6 address on the subnet.

3. Same scenario as #1 but with a NAT Gateway or Instance instead of the Internet Gateway.

4. Same scenario as #2 but with a NAT Gateway or Instance instead of the Internet Gateway.

In scenario #1, the box with the assigned public IP can reach the Internet and the Internet can contact it directly. Also, the box with the private IP only can reach the Internet, but the Internet cannot contact it directly because it has no public IP.

In scenario #2, BOTH boxes can BOTH reach the Internet and can also be contacted directly by anyone on the Internet. The first box with the public IPv4 and an IPv6 can be contacted by the anyone on the Internet through either address. The second box with a private IPv4 and an IPv6 is still directly contactable from the IPv6 address because all IPv6 addresses are publicly routable.

In scenario #3, the NAT Gateway or Instance can provide 1-1 NAT for a box on the private subnet to make it directly reachable by someone on the Internet, but it has to be separately and specifically configured (the Internet Gateway takes care of doing that for you). By default, without manually configuring NAT to allow a host on the Internet to directly reach one of your systems behind the NAT, there is no way for them to talk directly to such a system.

In scenario #4, the same holds true as for scenario #3, regardless of IPv4 or IPv6. By default, nothing can talk to a host on the private subnet, even if there is an IPv6 address on the host. You can still go in and manually configure the NAT Gateway / Instance to allow direct connectivity, but it won't happen by default.

Also, it is worth mentioning that there is an Egress-Only Internet Gateway specifically for IPv6 which can be used to prevent inbound direct access to IPv6 hosts. This muddies the picture more as you could technically configure your VPC subnet to route IPv4 to an Internet Gateway and IPv6 to an Egress-Only Internet Gateway. In this case, if your hosts are configured to not automatically obtain public IPv4s, then all hosts would theoretically not be reachable from the Internet directly, except where you configured a specific host to pull a public IPv4. And in that case, the Internet Gateway would automatically set up the 1-1 NAT for you to make that one host reachable while all other hosts would stay unreachable.