Nat Gateway In Private Subnet

Hi, can anyone explain to me how it works if we have a NAT gateway in a private subnet with a public NAT gateway?

  • NAT Gateway (NGW) allows instances with no public IPs to access the internet.

  • A NAT Gateway receives traffic from a VPC, forwards it to the Internet and then returns the response that was received. It must live in a public subnet because it needs to communicate with the Internet (and therefore needs a route to the Internet Gateway).

  • Resources in a private subnet (which, by definition, cannot route to the Internet Gateway) will have their Internet-bound requests sent to the NAT Gateway (due to a Route Table configuration). The NAT Gateway will then forward that request to the Internet and return the response that was received from the Internet.

  • NAT Gateways exist because organizations want the additional security offered by private subnets, which guarantee that there is no inbound access from the Internet. Both Security Groups and Network ACLs provide additional layers of security, with Security Groups operating at instance level (stateful) and NACLs at subnet level (stateless). Private subnets with NAT Gateways provide an additional layer of network isolation.

  • NAT Gateway (NGW) is a managed Network Address Translation (NAT) service.

  • NAT Gateway does something similar to Internet Gateway (IGW), but it only works one way: Instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

  • NAT Gateway only supports IPv4 traffic. For IPv6, use an egress-only Internet Gateway.

  • NAT Gateway supports TCP, UDP, and ICMP protocols, with some limitations on ICMP (specifically supports ICMP responses like destination unreachable, but not all ICMP types).

  • Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. Each NAT Gateway has a bandwidth capacity of up to 45 Gbps and can automatically scale up to 100 Gbps.

  • If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access.

  • To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone (recommended for production workloads).

  • There are two types of NAT Gateways:

    • Public NAT Gateway - requires exactly one Elastic IP address
    • Private NAT Gateway - doesn’t use an Elastic IP address

  • For NAT Gateway pricing, you are charged for:

    • NAT Gateway hourly usage
    • Data processing charges per GB
    • Data transfer charges
    • Elastic IP address charges (if the NAT Gateway is not in use)
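The layout rules the answer above describes (the NAT gateway must sit in a subnet that routes to the Internet Gateway, and each private subnet should default-route to a NAT gateway in its own Availability Zone) as an added check, not code from this thread: it walks route-table data in the shape of the AWS describe-* responses, with constructed sample data so it runs offline; check_nat_topology() and every ID are hypothetical.

```python
# Added example, not from the thread. Data is constructed inline in the shape of
# the AWS describe-subnets / describe-route-tables / describe-nat-gateways
# responses; check_nat_topology() and every ID below are hypothetical.
def _default_target(route_table):
    """Target of the 0.0.0.0/0 route (IGW or NAT gateway id), or "" if none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or ""
    return ""

def check_nat_topology(subnets, route_tables, nat_gateways):
    """Return findings for a broken NAT layout; an empty list means it matches
    the answer above: NAT in a public subnet, private subnets use their own AZ."""
    rt_by_subnet = {a["SubnetId"]: rt for rt in route_tables
                    for a in rt.get("Associations", [])}
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    findings = []
    # 1. A NAT gateway in a subnet without an IGW route cannot reach the Internet.
    for ngw in nat_gateways:
        if not _default_target(rt_by_subnet.get(ngw["SubnetId"], {})).startswith("igw-"):
            findings.append(f"{ngw['NatGatewayId']} is in {ngw['SubnetId']}, "
                            "which has no Internet Gateway default route")
    # 2. A private subnet routed through another AZ's NAT loses Internet access
    #    when that AZ is down (one NAT gateway per AZ avoids this).
    ngw_az = {n["NatGatewayId"]: az_of[n["SubnetId"]] for n in nat_gateways}
    for s in subnets:
        target = _default_target(rt_by_subnet.get(s["SubnetId"], {}))
        if target.startswith("nat-") and ngw_az.get(target) != s["AvailabilityZone"]:
            findings.append(f"{s['SubnetId']} ({s['AvailabilityZone']}) routes via "
                            f"{target} in {ngw_az.get(target)}")
    return findings

# Constructed sample: two AZs, one NAT gateway shared by both private subnets,
# and a second NAT gateway mistakenly created in a private subnet.
SUBNETS = [{"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
           {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
           {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
           {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"}]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}]}]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0a", "SubnetId": "subnet-pub-a"},
                {"NatGatewayId": "nat-0wrong", "SubnetId": "subnet-priv-b"}]

if __name__ == "__main__":
    for finding in check_nat_topology(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print(finding)
```

Run against the sample it reports the NAT gateway that can never reach the Internet and the private subnet that would go dark if us-east-1a failed; against a layout with one NAT gateway per AZ it returns an empty list.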

@sajini Is it possible to review and check the statements?