# NAT Instances

* **NAT gateways are recommended over NAT instances**.
* You can use a NAT instance in a **public subnet** in your VPC to do the following:
  * **Enable instances in the private subnet to initiate outbound IPv4 traffic to the internet**.
  * **Prevent the instances from receiving inbound traffic** initiated by someone on the internet.

## Disabling source/destination checks

* By default, each EC2 instance performs source/destination checks: the **instance must be the source or destination of any traffic it sends or receives**, unless you disable the checks.
* However, a **NAT instance must be able to send and receive traffic when the source or destination is not itself**, so you must disable source/destination checks on it.

## NAT instance basics

* The **main route table is associated with the private subnet** and sends the traffic from the instances in the private subnet to the NAT instance in the public subnet.

* The NAT instance then sends the traffic to the internet gateway for the VPC.

* **Traffic is attributed to the Elastic IP address** of the NAT instance.

* The **NAT instance specifies a high port number for the response**; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.

* **Private subnet traffic is routed to the NAT instance**, which then communicates with the internet.

* So, the **NAT instance must have internet access**.

* It **must be in a public subnet** (a subnet that has a route table with a route to the internet gateway).

* It **must have a public IP address or an Elastic IP address**.

![](https://4079160698-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOmHH1M7R1RV5MGm4F7%2F-MPFCKk1bvmx9RhM7sJ2%2F-MPFdwTuvFbR9GyV1MhC%2Fimage.png?alt=media\&token=a87ee522-bc49-4180-b011-b22b1295d430)
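The requirements above can be checked mechanically. This added example (not part of the original page) audits dicts shaped like the items returned by the EC2 `DescribeInstances` and `DescribeRouteTables` calls; the function names and every ID and address in the sample data are constructed for illustration, and "route to the internet gateway" is assumed to mean a `0.0.0.0/0` route.

```python
# Added example: all IDs and addresses below are constructed sample values.
def subnet_route_table(subnet_id, vpc_id, route_tables):
    """Table explicitly associated with the subnet, else the VPC's main table."""
    main = None
    for rt in (t for t in route_tables if t["VpcId"] == vpc_id):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route(rt):
    """The 0.0.0.0/0 route of a table, or None."""
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None

def audit_nat_instance(nat, private_subnet_id, route_tables):
    """Return the list of NAT-instance requirements that are not met."""
    findings = []
    if nat.get("SourceDestCheck", True):
        findings.append("source/destination check is still enabled")
    if not nat.get("PublicIpAddress"):
        findings.append("no public or Elastic IP address")
    pub = default_route(subnet_route_table(nat["SubnetId"], nat["VpcId"], route_tables))
    if not pub or not pub.get("GatewayId", "").startswith("igw-"):
        findings.append("NAT subnet has no default route to an internet gateway")
    priv = default_route(subnet_route_table(private_subnet_id, nat["VpcId"], route_tables))
    if not priv or priv.get("InstanceId") != nat["InstanceId"]:
        findings.append("private subnet default route does not target the NAT instance")
    return findings

SAMPLE_TABLES = [  # main table (used by the private subnet) and the public subnet's table
    {"VpcId": "vpc-0example", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0natexample"}]},
    {"VpcId": "vpc-0example", "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]
SAMPLE_NAT = {"InstanceId": "i-0natexample", "VpcId": "vpc-0example",
              "SubnetId": "subnet-public", "SourceDestCheck": True,
              "PublicIpAddress": "203.0.113.10"}

if __name__ == "__main__":
    for finding in audit_nat_instance(SAMPLE_NAT, "subnet-private", SAMPLE_TABLES):
        print("FAIL:", finding)
```

The sample NAT instance is placed correctly but still has source/destination checks enabled, so that is the only finding reported.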
