Private IP Addresses–available publicly–AWS NATting

Within the VPC (logical partition of the AWS public cloud), you can define your desired IP address range, create subnets, configure route tables, and so forth.

You can also connect tot the VPC using a VPG (Virtual Private Gateway).  You can use the VPG  to connect from existing on-premises network using a hardware Virtual Private Network (VPN) connection.

The Challenge

A network challenge arises when EC2 instances in a private VPC subnet need to connect to the public Internet.

Since the subnet is private, the IP addresses assigned to the instances are not publicly accessible.   This is where NATs help out  – a NAT can map the private IP address to a public address on the way out – and  map the public IP address to the private address on the way back.

Step 1 –Create an AWS Managed NAT Gateway

Performing this translation at scale can be challenging. In order to simplify this task, AWS offers a Managed NAT Gateway.

Each NAT gateway that you create can handle up to 10 Gbps of bursty TCP, UDP, and ICMP traffic, and is managed by Amazon. You control the public IP address by assigning an Elastic IP Address when you create the gateway.


Step 2 – Edit your Routing table to use the NAT Gateway

You need to now edit your VPC’s route tables to send traffic destined for the Internet to the NAT gateway.

The gateway’s internal (private) IP address will be chosen automatically, and will be on the subnet associated with the gateway. Here’s a sample route table:



What about NAT Instances?

NAT Instances are different from NAT Gateways – and can be used to accomplish the same thing. A NAT Instance is a full blown EC2 instance – and as such can leverage all AWS constructs (Security Groups, Cloudwatch, port forwarding etc..).  However, they each have their strengths and weaknesses.


Your home Wireless Network is a very basic example of how NATting works.  Your Cable router is basically a NAT router with single public IP on its external interface and several  private IPs on the internal interface.

AWS offers a couple of different options for providing NATting from your internal VPC subnets to external internet IPs. NAT Gateways and NAT Instances can both be used to provide this Private IN—>Public OUT routing.

Cloud Advisory Services | Security Advisory Services | Data Science Advisory and Research

Specializing in high volume web and cloud application architecture, Anuj Varma’s customer base includes Fortune 100 companies (, British Petroleum, Schlumberger).

All content on this site is original and owned by AdverSite Web Holdings, Inc. – the parent company of No part of it may be reproduced without EXPLICIT consent from the owner of the content.

Anuj Varma – who has written posts on Anuj Varma, Technology Architect.

Leave a Reply

Your email address will not be published. Required fields are marked *