Within the VPC (logical partition of the AWS public cloud), you can define your desired IP address range, create subnets, configure route tables, and so forth.
You can also connect tot the VPC using a VPG (Virtual Private Gateway). You can use the VPG to connect from existing on-premises network using a hardware Virtual Private Network (VPN) connection.
A network challenge arises when EC2 instances in a private VPC subnet need to connect to the public Internet.
Since the subnet is private, the IP addresses assigned to the instances are not publicly accessible. This is where NATs help out – a NAT can map the private IP address to a public address on the way out – and map the public IP address to the private address on the way back.
Step 1 –Create an AWS Managed NAT Gateway
Performing this translation at scale can be challenging. In order to simplify this task, AWS offers a Managed NAT Gateway.
Each NAT gateway that you create can handle up to 10 Gbps of bursty TCP, UDP, and ICMP traffic, and is managed by Amazon. You control the public IP address by assigning an Elastic IP Address when you create the gateway.
Step 2 – Edit your Routing table to use the NAT Gateway
You need to now edit your VPC’s route tables to send traffic destined for the Internet to the NAT gateway.
The gateway’s internal (private) IP address will be chosen automatically, and will be on the subnet associated with the gateway. Here’s a sample route table:
What about NAT Instances?
NAT Instances are different from NAT Gateways – and can be used to accomplish the same thing. A NAT Instance is a full blown EC2 instance – and as such can leverage all AWS constructs (Security Groups, Cloudwatch, port forwarding etc..). However, they each have their strengths and weaknesses.
Your home Wireless Network is a very basic example of how NATting works. Your Cable router is basically a NAT router with single public IP on its external interface and several private IPs on the internal interface.
AWS offers a couple of different options for providing NATting from your internal VPC subnets to external internet IPs. NAT Gateways and NAT Instances can both be used to provide this Private IN—>Public OUT routing.