NAT Instances

  • NAT gateways are recommended over NAT instances.

  • You can use a NAT instance in a public subnet in your VPC to do the following:

    • Enable instances in the private subnet to initiate outbound IPv4 traffic to the internet.

    • Prevent the instances from receiving inbound traffic initiated by someone on the internet.

Disabling source/destination checks

  • By default, an instance performs source/destination checks: it must be the source or destination of any traffic it sends or receives, unless you disable the check.

  • However, a NAT instance must be able to send and receive traffic when the source or destination is not itself, so you must disable source/destination checks on the NAT instance.

NAT instance basics

  • The main route table is associated with the private subnet and sends traffic from the instances in the private subnet to the NAT instance in the public subnet.

  • The NAT instance then sends the traffic to the internet gateway for the VPC.

  • The traffic is attributed to the Elastic IP address of the NAT instance.

  • The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number of the response.

  • Private subnet traffic is routed to the NAT instance, which then communicates with the internet.

  • So, the NAT instance must have internet access.

  • It must be in a public subnet (a subnet that has a route table with a route to the internet gateway).

  • It must have a public IP address or an Elastic IP address.
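The following toy model ties together the source/destination check described above and the port-based mapping of responses. It is an added example, not code from AWS or from these notes: a NAT instance forwards a private-subnet packet only when the check is disabled, rewrites the source onto its Elastic IP with a high port, maps a response back by that port, and drops inbound packets that no private instance asked for. The `Packet` and `NatInstance` names, the peer check in `inbound`, and all addresses and ports are constructed for the illustration.

```python
"""Toy model of a NAT instance's data plane.

Added example, not AWS code and not part of the original notes. It models the
EC2 source/destination check, source NAT of outbound flows onto the Elastic IP
using a high port, mapping responses back to the private instance by that port,
and dropping inbound traffic that no private instance initiated. All addresses
and ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatInstance:
    def __init__(self, private_ip: str, elastic_ip: str,
                 source_dest_check: bool = True, first_port: int = 1024):
        self.private_ip = private_ip          # address on the public subnet
        self.elastic_ip = elastic_ip          # what the internet sees
        self.source_dest_check = source_dest_check
        self.next_port = first_port           # next "high port" to hand out
        self.by_flow = {}    # (src_ip, src_port, dst_ip, dst_port) -> eip_port
        self.by_port = {}    # eip_port -> original private 4-tuple

    def _passes_source_dest_check(self, pkt: Packet) -> bool:
        """With the check enabled, the instance only accepts traffic where it is
        itself the source or destination. Forwarded traffic from the private
        subnet is neither, so it is dropped."""
        if not self.source_dest_check:
            return True
        own = {self.private_ip, self.elastic_ip}
        return pkt.src_ip in own or pkt.dst_ip in own

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private subnet -> internet. Returns the translated packet that goes
        to the internet gateway, or None if the NAT instance drops it."""
        if not self._passes_source_dest_check(pkt):
            return None
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:                      # new flow: allocate a high port
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.elastic_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> NAT instance. A response is recognised by its destination
        port and rewritten to the private instance; anything without a matching
        outbound flow is unsolicited and is dropped."""
        if pkt.dst_ip != self.elastic_ip:
            return None
        flow = self.by_port.get(pkt.dst_port)
        if flow is None:
            return None
        src_ip, src_port, dst_ip, dst_port = flow
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None   # port matches but the peer does not: still unsolicited
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)


if __name__ == "__main__":
    nat = NatInstance("10.0.0.5", "203.0.113.10", source_dest_check=False)
    out = nat.outbound(Packet("10.0.1.10", 40000, "198.51.100.7", 443))
    back = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.10", out.src_port))
    stray = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.10", 5555))
    print(out, back, stray)
```

Running the block with `source_dest_check=True` shows the failure mode from the notes: the private instance's packets are silently dropped at the NAT instance, with nothing reaching the internet gateway.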
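The requirements in this list (public subnet with a route to the internet gateway, a public or Elastic IP, source/destination check disabled, private subnet routed to the NAT instance) can be checked mechanically. The block below is an added example, not AWS code: it walks dictionaries shaped like the EC2 API's describe-instances and describe-route-tables responses (the field names `InstanceId`, `SubnetId`, `VpcId`, `PublicIpAddress`, `SourceDestCheck`, `Associations`, `Routes`, `GatewayId` are the API's; the identifiers, addresses and the `check_nat_instance` helper are constructed here) and reports every requirement that does not hold.

```python
"""Checks a NAT instance and its subnets against the requirements in the notes.

Added example, not AWS code. The dictionaries mirror the field names of the
EC2 API's describe-instances and describe-route-tables responses; identifiers
and addresses are constructed sample values.
"""
from typing import Optional


def route_table_for_subnet(route_tables: list, subnet_id: str, vpc_id: str) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main route
    table applies (as it does for the private subnet in the notes)."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt: Optional[dict]) -> Optional[dict]:
    """The 0.0.0.0/0 route of a table, or None."""
    if rt is None:
        return None
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def check_nat_instance(nat: dict, private_subnet_id: str, route_tables: list) -> list:
    """Returns a list of problems; an empty list means every requirement holds."""
    problems = []
    vpc = nat["VpcId"]

    # 1. Must sit in a public subnet: its route table sends 0.0.0.0/0 to an IGW.
    nat_default = default_route(route_table_for_subnet(route_tables, nat["SubnetId"], vpc))
    if not (nat_default and nat_default.get("GatewayId", "").startswith("igw-")):
        problems.append("NAT instance is not in a public subnet (no 0.0.0.0/0 route to an internet gateway)")

    # 2. Must have a public or Elastic IP address.
    if not nat.get("PublicIpAddress"):
        problems.append("NAT instance has no public or Elastic IP address")

    # 3. Source/destination check must be disabled so it can forward traffic.
    if nat.get("SourceDestCheck", True):
        problems.append("source/destination check is still enabled on the NAT instance")

    # 4. The private subnet's default route must target the NAT instance.
    priv_default = default_route(route_table_for_subnet(route_tables, private_subnet_id, vpc))
    if not (priv_default and priv_default.get("InstanceId") == nat["InstanceId"]):
        problems.append("private subnet's 0.0.0.0/0 route does not point at the NAT instance")

    return problems


# Constructed sample configuration (not real AWS output).
ROUTE_TABLES = [
    {   # main table: used by the private subnet, which has no explicit association
        "RouteTableId": "rtb-main0000", "VpcId": "vpc-example",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat00001"}],
    },
    {   # custom table explicitly associated with the public subnet
        "RouteTableId": "rtb-public00", "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}],
    },
]
GOOD_NAT = {"InstanceId": "i-nat00001", "VpcId": "vpc-example", "SubnetId": "subnet-public",
            "PublicIpAddress": "203.0.113.10", "SourceDestCheck": False}
# Same instance launched into the private subnet with the check left on.
BAD_NAT = dict(GOOD_NAT, SourceDestCheck=True, SubnetId="subnet-private")

if __name__ == "__main__":
    for name, inst in (("good", GOOD_NAT), ("bad", BAD_NAT)):
        print(name, check_nat_instance(inst, "subnet-private", ROUTE_TABLES) or "OK")
```

Feeding the real API responses into `check_nat_instance` is a straightforward swap of the constructed dictionaries; the checks themselves are exactly the four bullet points above.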
