How do I set up a NAT gateway for a private subnet in Amazon VPC?


I want to set up a network address translation (NAT) gateway for a private subnet in Amazon Virtual Private Cloud (Amazon VPC).

Short description

A NAT gateway allows Amazon Elastic Compute Cloud (Amazon EC2) instances to establish outbound connections to resources on the internet. Outbound connections are established without inbound connections allowed to the Amazon EC2 instance. Private IP addresses that are assigned to instances can't be used to communicate over the internet. NAT gateways use Elastic IP addresses to help private resources communicate with the internet.

Resolution

To set up a NAT gateway for a private Amazon VPC subnet, complete the following steps:

  1. Create a public subnet to host your NAT gateway.
  2. Create and attach an internet gateway to your Amazon VPC.
  3. Create a custom route table for your public subnet with a route to the internet gateway.
  4. Verify that the network access control list (ACL) for your public subnet allows inbound traffic from the private subnet. For more information, see Work with network ACLs.
  5. Create a public NAT gateway in the public subnet. Create and associate your new or existing Elastic IP addresses as needed. For more information, see Work with Elastic IP addresses.
  6. Update the route table of your private Amazon VPC subnet to direct internet traffic to your NAT gateway.
  7. Ping the internet from an instance in your private Amazon VPC subnet to test your NAT gateway.

Best practices

  • If your resources span multiple Availability Zones (AZs), then create one NAT gateway per AZ. This helps to avoid a single point of failure and cross-AZ data transfer charges.
  • Data that's transferred between Amazon EC2 and Elastic Network Interfaces in the same AZ is free. However, data that's transferred to and from Amazon EC2 and Elastic Network Interfaces across multiple AZs in the same AWS Region is charged. The charges depend on the data transfer rates for the Region.
  • Use AWS Trusted Advisor to check if your NAT gateways are configured with AZ independence. For resources in a specific AZ, use a NAT gateway in the same AZ. This prevents your resources in a different AZ from being affected by an outage of a NAT gateway or the gateway's associated AZ. For more information, see NAT Gateway AZ Independence.
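The wiring that the Resolution steps produce, and the AZ-independence rule above, can be checked from the output of the EC2 describe-subnets, describe-route-tables and describe-nat-gateways calls. The following is an added example, not AWS code: it runs the check over a constructed, simplified sample (placeholder IDs, not real resources) in which one private subnet is correctly routed and the other uses a NAT gateway in a different AZ.

```python
"""Check private-subnet egress through a NAT gateway (constructed sample data)."""

IGW_PREFIX, NAT_PREFIX = "igw-", "nat-"

# Constructed sample in the shape of the EC2 describe-* responses, reduced to
# the fields this check needs. IDs are placeholders, not real resources.
SUBNETS = {  # SubnetId -> AvailabilityZone
    "subnet-pub-a": "us-east-1a", "subnet-priv-a": "us-east-1a",
    "subnet-pub-b": "us-east-1b", "subnet-priv-b": "us-east-1b",
}
NAT_GATEWAYS = {"nat-a": "subnet-pub-a"}  # NatGatewayId -> SubnetId (only one NAT, in AZ a)
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
]


def default_target(route_table):
    """Target of the 0.0.0.0/0 route, or None when the table has no default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def table_for(subnet_id, route_tables):
    """Route table explicitly associated with the subnet (None: main table, not modelled here)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def check_private_egress(subnets, nat_gateways, route_tables):
    """Return {private_subnet_id: finding}; an empty dict means every NAT client is wired correctly."""
    findings = {}
    for subnet_id, az in subnets.items():
        rt = table_for(subnet_id, route_tables)
        target = default_target(rt) if rt else None
        if target is None or target.startswith(IGW_PREFIX):
            continue  # public subnet, or no default route at all: not a NAT client
        nat_subnet = nat_gateways.get(target)
        if nat_subnet is None:
            findings[subnet_id] = f"default route points at unknown NAT gateway {target}"
            continue
        pub_rt = table_for(nat_subnet, route_tables)
        if pub_rt is None or not (default_target(pub_rt) or "").startswith(IGW_PREFIX):
            findings[subnet_id] = f"{target} sits in {nat_subnet}, which has no route to an internet gateway"
        elif subnets.get(nat_subnet) != az:  # best practice: one NAT gateway per AZ
            findings[subnet_id] = f"{target} is in {subnets.get(nat_subnet)}, not {az}: no AZ independence"
    return findings
```

To run it against a real VPC, replace the three constructed dictionaries with the corresponding fields from the describe-* responses.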

Related information

Monitor NAT gateways with Amazon CloudWatch

AWS OFFICIAL, updated 7 months ago