
AWS VPC - Internet Gateway vs. NAT [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. We don't allow questions about professional server or networking-related infrastructure administration on Stack Overflow. Closed 4 years ago. The community reviewed whether to reopen this question last month and left it closed: original close reason(s) were not resolved.

What is an Internet Gateway? What is a NAT Instance? What services do they offer?

Reading the AWS VPC documentation, I gather they both map private IP addresses to Internet-routable addresses for outgoing requests and route the incoming responses from the Internet back to the requester on the subnet.

So what are the differences between them? In what scenarios do I use a NAT Instance instead of (or besides) an Internet Gateway? Are they essentially EC2 instances running some network applications, or are they special hardware like a router?

Instead of simply pointing to AWS documentation links, can you please explain these, adding some background on what public and private subnets are, so that any beginner with limited knowledge of networking can understand them easily? Also, when should I use a NAT Gateway instead of a NAT Instance?

P.S. I am new to AWS VPC, so I might be comparing apples to oranges here.


John Rotenstein

Internet Gateway

An Internet Gateway is a logical connection between an Amazon VPC and the Internet. It is not a physical device. Only one can be associated with each VPC. It does not limit the bandwidth of Internet connectivity. (The only limitation on bandwidth is the size of the Amazon EC2 instance, and it applies to all traffic -- internal to the VPC and out to the Internet.)

If a VPC does not have an Internet Gateway, then the resources in the VPC cannot be accessed from the Internet (unless the traffic flows via a corporate network and VPN/Direct Connect).

A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway.

NAT Instance

A NAT Instance is an Amazon EC2 instance configured to forward traffic to the Internet. It can be launched from an existing AMI, or can be configured via User Data like this:

#!/bin/sh
# Enable IPv4 forwarding so this instance routes packets on behalf of others
echo 1 > /proc/sys/net/ipv4/ip_forward
# Do not send ICMP redirects to the private-subnet hosts that route through us
# (assumes the primary network interface is eth0)
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
# Rewrite the source address of all outbound traffic to this instance's own
# address (NAT), so that replies from the Internet come back to this instance
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE
# Persist the NAT rule across reboots (Amazon Linux / RHEL-style location)
/sbin/iptables-save > /etc/sysconfig/iptables
# Persist the kernel settings across reboots
mkdir -p /etc/sysctl.d/
cat <<EOF > /etc/sysctl.d/nat.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
EOF

Instances in a private subnet that want to access the Internet can have their Internet-bound traffic forwarded to the NAT Instance via a Route Table configuration. The NAT Instance will then make the request to the Internet (since it is in a Public Subnet) and the response will be forwarded back to the private instance.

Traffic sent to a NAT Instance will typically be sent to an IP address that is not associated with the NAT Instance itself (it will be destined for a server on the Internet). Therefore, it is important to turn off the Source/Destination Check option on the NAT Instance otherwise the traffic will be blocked.

NAT Gateway

AWS introduced a NAT Gateway Service that can take the place of a NAT Instance. The benefits of using a NAT Gateway service are:

It is a fully-managed service -- just create it and it works automatically, including fail-over

It can burst up to 10 Gbps (a NAT Instance is limited to the bandwidth associated with the EC2 instance type)

However:

Security Groups cannot be associated with a NAT Gateway

You'll need one in each AZ since they only operate in a single AZ


Can you add one more point in your note? NAT instances will work if you have IGW on the public subnet. They also restrict the reverse lookup from the internet to your instance in the subnet.
Now, in 2019, a NAT GW can be used just within the VPC: allocate an EIP in the "public" subnet (the subnet with the "internet gateway"), and in the internal subnets just route to the NAT GW.
Is this answer still accurate? From the AWS docs, I see: "An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic." From the description I get the impression that it is an actual hardware device, but managed by AWS. Please correct me if my understanding is off.
@Sandeep NAT Instances and NAT Gateways exist within a VPC. Therefore any traffic exiting it and travelling to the Internet will still need to pass through the Internet Gateway. If there is no Internet Gateway, then there will be no access to the Internet.
This answer was apparently copied to medium almost verbatim: stackoverflow.com/questions/38690012/…
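Added example (not from any of the answers above): a small Python audit that applies the routing rules described in this answer and its comments to route-table data shaped like the output of `aws ec2 describe-route-tables`. It classifies each subnet as public (default route to an IGW), private (egress via a NAT gateway), or isolated, and flags a NAT gateway that was placed in a subnet with no IGW route, which is the failure the comments point out. All IDs, CIDRs and the probe address are constructed.

```python
import ipaddress

# Constructed sample data (not from the page); only the fields the check needs.
ROUTE_TABLES = {
    "rtb-public": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"},
    ],
    "rtb-private": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"},
    ],
    "rtb-isolated": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    ],
    "rtb-private-bad": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ccc"},
    ],
}
# Subnet -> associated route table, and NAT gateway -> the subnet it lives in.
SUBNET_RTB = {"subnet-a": "rtb-public", "subnet-b": "rtb-private",
              "subnet-c": "rtb-isolated", "subnet-d": "rtb-private-bad"}
NAT_SUBNET = {"nat-0bbb": "subnet-a", "nat-0ccc": "subnet-c"}  # nat-0ccc misplaced

def next_hop(routes, dest_ip):
    """Longest-prefix match, as the VPC router does: the most specific route wins."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.get("GatewayId") or r.get("NatGatewayId"))
    return best[1] if best else None

def classify_subnet(subnet, route_tables=ROUTE_TABLES, subnet_rtb=SUBNET_RTB,
                    nat_subnet=NAT_SUBNET, probe="198.51.100.10"):
    """Classify a subnet by how traffic to an Internet address (probe) leaves it."""
    hop = next_hop(route_tables[subnet_rtb[subnet]], probe)
    if hop is None or hop == "local":
        return "isolated"          # no Internet egress at all
    if hop.startswith("igw-"):
        return "public"            # default route straight to the Internet Gateway
    if hop.startswith("nat-"):
        # A NAT gateway only works if its own subnet routes 0.0.0.0/0 to an IGW.
        nat_hop = next_hop(route_tables[subnet_rtb[nat_subnet[hop]]], probe)
        if nat_hop and nat_hop.startswith("igw-"):
            return "private"       # egress via NAT, no inbound from the Internet
        return "broken-nat"        # NAT gateway sits in a subnet with no IGW route
    return "other"                 # VPN, peering, transit gateway, etc.
```

Run `classify_subnet(s)` over every key of `SUBNET_RTB` to get the audit; with the constructed data, `subnet-d` is reported as `broken-nat` because `nat-0ccc` was created in the isolated subnet.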
error2007s

As far as NAT gateway vs. NAT instance, either will work. A NAT instance can be a little cheaper, but the NAT gateway is fully managed by AWS, so it has the advantage of not needing to maintain an EC2 instance just for NATing.

However, for the instances that need to be available to the Internet, NAT gateway/instances aren't what you are looking for. A NAT will allow private instances (without a public IP) to access the Internet, but not the other way around. So, for the EC2 instances that need to be available to the Internet, you need to assign a public IP. There is a workaround if you really need to keep the EC2 instances private - you can use an elastic load balancer to proxy the requests.

Internet Gateways

The Internet Gateway is how your VPC connects to the internet. You use an Internet Gateway with a route table to tell the VPC how internet traffic gets to the internet.

An Internet Gateway appears in the VPC as just a name. Amazon manages the gateway and there's nothing you really have a say in (other than to use it or not; remember that you might want a completely segmented subnet that cannot access the internet at all).

A public subnet means a subnet that has internet traffic routed through AWS's Internet Gateway. Any instance within a public subnet can have a public IP assigned to it (e.g. an EC2 instance with "associate public ip address" enabled).

A private subnet means the instances are not publicly accessible from the internet. They do NOT have a public IP address. For example, you cannot access them directly via SSH. Instances on private subnets may still access the internet themselves though (i.e. by using a NAT Gateway).


Best answer in terms of NAT vs Internet gateway.
Great answer. Just a follow-up question: When an EC2 instance on a public subnet has a Public IP, logically it is self sufficient to either receive inbound requests from the internet or make outbound requests to the internet as its IP is routable and reachable. So what additional job does the Internet Gateway do here?
@Sandeep An EC2 instance does not have any real public IP; behind the scenes, it is mapped to a private IP address. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
This should have been the accepted answer.
GNK

An Internet gateway is used to connect a VPC to the internet, and a NAT gateway is used to connect a private subnet to the internet (which means whatever traffic is coming to a private-subnet instance will be forwarded to the NAT gateway). You need to forward the traffic in the route table to the NAT gateway:

Route table 0.0.0.0/0


Thanks for the example; it helped me out of a bind!
There is a diagram on this page: docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html that clarifies the purpose of NAT gateway and IGW. Both are needed for private subnets to be able to get internet access
