NAT Gateway and NAT Instance


• NAT gateways
• A network address translation (NAT) gateway lets instances in a private subnet connect to the internet or to other AWS services while preventing the internet from initiating connections to those instances. The gateway is stateful: replies to connections the private instances opened are translated back to them, while unsolicited inbound packets have no translation entry and are dropped.
• You are charged for creating and using a NAT gateway in your account. NAT gateway hourly usage and data processing rates apply, and Amazon EC2 data transfer charges apply as well. For more information, see Amazon VPC Pricing.
• NAT gateways do not translate IPv6 traffic; for IPv6, use an egress-only internet gateway instead, which gives the same outbound-only behaviour.
• NAT gateway basics
• To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. The subnet is public because its route table sends 0.0.0.0/0 to an internet gateway; a NAT gateway placed in a subnet without that route has no path to the internet.
• You must also specify an Elastic IP address to associate with the NAT gateway when you create it. The Elastic IP address cannot be changed after you associate it with the NAT gateway, so allocate one you can keep if external systems allow-list it. After you've created a NAT gateway, you must update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet.
• Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. For resilience across zones, create a NAT gateway in each Availability Zone that has private subnets and route each private subnet to the gateway in its own zone. You have a quota on the number of NAT gateways you can create in an Availability Zone (5 by default).
• The following diagram illustrates the architecture of a VPC with a NAT gateway. The main route table sends internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway sends the traffic to the internet gateway using the NAT gateway's Elastic IP address as the source IP address.
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
• To create a NAT gateway
• Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
• In the navigation pane, choose NAT Gateways, Create NAT Gateway.
• Specify the subnet in which to create the NAT gateway, and select the allocation ID of an Elastic IP address to associate with the NAT gateway.
• (Optional) Add or remove a tag.
• [Add a tag] Choose Add tag and do the following:
• For Key, enter the key name.
• For Value, enter the key value.
• [Remove a tag] Choose the delete button ("x") to the right of the tag's Key and Value.
• Choose Create a NAT Gateway.
• The NAT gateway displays in the console. After a few moments, its status changes to Available, after which it's ready for you to use.
• If the NAT gateway goes to a status of Failed, there was an error during creation. The failure message shown in the console (or returned by describe-nat-gateways) states the cause, for example an Elastic IP that is already associated elsewhere or a VPC with no internet gateway attached.
• To create a route for a NAT gateway
• Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
• In the navigation pane, choose Route Tables.
• Select the route table associated with your private subnet and choose Routes, Edit. Edit only the private subnet's table: the public subnet's table must keep 0.0.0.0/0 pointing at the internet gateway, or the NAT gateway itself loses its path out.
• Choose Add another route. For Destination, enter 0.0.0.0/0. For Target, select the ID of your NAT gateway.
• Note
• If you're migrating from using a NAT instance, you can replace the current route that points to the NAT instance with a route to the NAT gateway.
• Choose Save.
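The same procedure done with the AWS CLI instead of the console, as an added example that is not part of the AWS documentation. It allocates the Elastic IP, creates the gateway in the public subnet, waits for it to leave Pending and reports the failure message if it ends up Failed, then adds or replaces the private subnet's default route. The subnet and route table IDs are placeholders (assumed). By default the script only prints the commands it would run; set DRY_RUN=0 to execute them with your credentials.

```shell
#!/bin/sh
# Added example, not part of the AWS documentation: create a NAT gateway in a
# public subnet and send a private subnet's internet-bound traffic through it.
# PUBLIC_SUBNET and PRIVATE_RTB below are assumed placeholder IDs.
# DRY_RUN=1 (the default) prints each AWS CLI command instead of running it,
# so the plan can be reviewed before it touches an account.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute an AWS CLI command, or in dry-run mode print it to
# stderr and return a placeholder value on stdout.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*" >&2
    printf 'dry-run\n'
  else
    "$@"
  fi
}

# create_nat_gateway PUBLIC_SUBNET_ID [NAME]
# Allocates an Elastic IP (it cannot be swapped later), creates the gateway,
# waits until it is Available, and prints the NAT gateway ID. A Failed
# gateway is reported with its FailureMessage and the function returns 1.
create_nat_gateway() {
  subnet="$1"; name="${2:-nat-$1}"
  alloc=$(run aws ec2 allocate-address --domain vpc \
    --query AllocationId --output text)
  natgw=$(run aws ec2 create-nat-gateway --subnet-id "$subnet" \
    --allocation-id "$alloc" --connectivity-type public \
    --tag-specifications "ResourceType=natgateway,Tags=[{Key=Name,Value=$name}]" \
    --query NatGateway.NatGatewayId --output text)
  # The waiter exits non-zero when the gateway ends up Failed; keep going so
  # the failure message can be shown instead of dying silently under set -e.
  run aws ec2 wait nat-gateway-available --nat-gateway-ids "$natgw" >/dev/null || true
  state=$(run aws ec2 describe-nat-gateways --nat-gateway-ids "$natgw" \
    --query 'NatGateways[0].[State,FailureMessage]' --output text)
  case "$state" in
    failed*) printf 'NAT gateway %s failed: %s\n' "$natgw" "$state" >&2; return 1 ;;
  esac
  printf '%s\n' "$natgw"
}

# route_private_subnet_via_nat ROUTE_TABLE_ID NAT_GATEWAY_ID
# Points 0.0.0.0/0 in the private subnet's route table at the gateway. If a
# default route already exists (for example to a NAT instance being migrated
# away from), it is replaced rather than duplicated. Never apply this to the
# public subnet's table, which must keep 0.0.0.0/0 -> internet gateway.
route_private_subnet_via_nat() {
  rtb="$1"; natgw="$2"
  existing=$(run aws ec2 describe-route-tables --route-table-ids "$rtb" \
    --query "length(RouteTables[0].Routes[?DestinationCidrBlock=='0.0.0.0/0'])" \
    --output text)
  case "$existing" in
    0|dry-run)
      run aws ec2 create-route --route-table-id "$rtb" \
        --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$natgw" >/dev/null
      printf 'created 0.0.0.0/0 -> %s in %s\n' "$natgw" "$rtb" ;;
    *)
      run aws ec2 replace-route --route-table-id "$rtb" \
        --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$natgw" >/dev/null
      printf 'replaced 0.0.0.0/0 -> %s in %s\n' "$natgw" "$rtb" ;;
  esac
}

# Placeholder IDs (assumed); override with environment variables.
PUBLIC_SUBNET="${PUBLIC_SUBNET:-subnet-0123456789abcdef0}"
PRIVATE_RTB="${PRIVATE_RTB:-rtb-0123456789abcdef0}"

natgw_id=$(create_nat_gateway "$PUBLIC_SUBNET" "nat-example")
route_private_subnet_via_nat "$PRIVATE_RTB" "$natgw_id"
```

Once the printed plan looks right, run it as `DRY_RUN=0 PUBLIC_SUBNET=subnet-... PRIVATE_RTB=rtb-... sh nat-gateway.sh`. For a multi-zone layout, call create_nat_gateway once per Availability Zone and route each private subnet to the gateway in its own zone.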
• NAT instances
• You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, while preventing those instances from receiving inbound traffic initiated by someone on the Internet.
• NAT instance basics
• The following figure illustrates the NAT instance basics. The main route table is associated with the private subnet and sends the traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance sends the traffic to the Internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. The NAT instance rewrites the source port to a high (ephemeral) port and records the mapping; if a response comes back, the NAT instance uses the destination port of the response to look up that mapping and forwards the packet to the originating instance in the private subnet.
• Setting up the NAT instance
• You can use the VPC wizard to set up a VPC with a NAT instance; for more information, see VPC with public and private subnets (NAT). The wizard performs many of the configuration steps for you, including launching a NAT instance and setting up the routing. However, if you prefer, you can create and configure a VPC and a NAT instance manually using the steps below.
• Create a VPC with two subnets.
• Note
• The steps below are for manually creating and configuring a VPC, not for creating a VPC using the VPC wizard.
– Create a VPC (see Creating a VPC)
– Create two subnets (see Creating a subnet)
– Attach an Internet gateway to the VPC (see Creating and attaching an internet gateway)
– Create a custom route table that sends traffic destined outside the VPC to the Internet gateway, and then associate it with one subnet, making it a public subnet (see Creating a custom route table). The other subnet stays on the main route table, which has no internet gateway route, and is therefore private.
• Create the NATSG security group (see Creating the NATSG security group). You'll specify this security group when you launch the NAT instance. As described in that section, it admits inbound HTTP/HTTPS only from the private subnet and SSH only from your administrative network, and allows outbound HTTP/HTTPS only; it should not be widened to 0.0.0.0/0 inbound.
• Launch an instance into your public subnet from an AMI that's been configured to run as a NAT instance. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console.
– Open the Amazon EC2 console.
– On the dashboard, choose the Launch Instance button, and complete the wizard as follows:
• On the Choose an Amazon Machine Image (AMI) page, select the Community AMIs category, and search for amzn-ami-vpc-nat. In the results list, each AMI's name includes the version to enable you to select the most recent AMI, for example, 2013.09. Confirm that the owner shown for the AMI is amazon: any account can publish a community AMI with a similar name. Choose Select.
• On the Choose an Instance Type page, select the instance type, then choose Next: Configure Instance Details.
• On the Configure Instance Details page, select the VPC you created from the Network list, and select your public subnet from the Subnet list.
• (Optional) Select the Public IP check box to request that your NAT instance receives a public IP address. If you choose not to assign a public IP address now, you can allocate an Elastic IP address and assign it to your instance after it's launched. For more information about assigning a public IP at launch, see Assigning a public IPv4 address during instance launch. Choose Next: Add Storage.
• You can choose to add storage to your instance, and on the next page, you can add tags. Choose Next: Configure Security Group when you are done.
• On the Configure Security Group page, select the Select an existing security group option, and select the NATSG security group that you created. Choose Review and Launch.
• Review the settings that you've chosen. Make any changes that you need, and then choose Launch to choose a key pair and launch your instance.
• Disable the SrcDestCheck attribute for the NAT instance (see Disabling source/destination checks). With the check enabled, EC2 drops every packet whose source or destination is not one of the instance's own addresses, which is exactly the traffic a NAT instance forwards.
• If you did not assign a public IP address to your NAT instance during launch, you need to associate an Elastic IP address with it.
– Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
– In the navigation pane, choose Elastic IPs, and then choose Allocate new address.
– Choose Allocate.
– Select the Elastic IP address from the list, and then choose Actions, Associate address.
– Select the network interface resource, then select the network interface for the NAT instance. Select the address to associate the Elastic IP with from the Private IP list, and then choose Associate.
• Update the main route table to send traffic to the NAT instance (a 0.0.0.0/0 route with the NAT instance as target). For more information, see Updating the main route table. A single NAT instance is a bandwidth and availability bottleneck that you must patch and monitor yourself; the comparison page below sets out the trade-offs against a NAT gateway.
• https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
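As an added example that is not from the AWS documentation or the NAT AMI, the following script assembles the configuration the NAT instance procedure above depends on: the host-side settings a NAT AMI applies at boot (IPv4 forwarding plus masquerading), the NATSG security group rules, and disabling the source/destination check. The amzn-ami-vpc-nat images are built on the 2018.03 Amazon Linux AMI, which is past end of life, so if you build a NAT instance on a current OS these are the settings to reproduce. VPC_ID, VPC_CIDR, ADMIN_CIDR, IFACE and INSTANCE_ID are assumed placeholders. Each function prints the commands for one stage; set APPLY=1 to execute them (the host stage as root on the NAT instance, the account stage from an administrative workstation with AWS credentials).

```shell
#!/bin/sh
# Added example, not part of the AWS documentation or the NAT AMI: the
# configuration that makes an EC2 instance forward and translate IPv4 traffic
# for a VPC, plus the account-side settings the procedure relies on (the NATSG
# security group and disabling source/destination checks).
# Each function prints the commands for one stage; set APPLY=1 to execute
# them instead. VPC_ID, VPC_CIDR, ADMIN_CIDR, IFACE and INSTANCE_ID are
# assumed placeholders.
set -eu

# nat_host_commands VPC_CIDR IFACE   (run as root on the NAT instance)
# Enable IPv4 forwarding and masquerade packets from the VPC leaving via the
# public interface, so replies come back to the instance's address and
# conntrack maps them to the private source port. Limiting -s to the VPC CIDR
# keeps the instance from translating traffic for any other source. The -C
# check makes the rule idempotent across reboots and re-runs.
nat_host_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -o $2 -s $1 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o $2 -s $1 -j MASQUERADE
EOF
}

# natsg_commands VPC_ID PRIVATE_CIDR ADMIN_CIDR   (run from an admin workstation)
# The NATSG group: inbound HTTP/HTTPS only from the private subnets, SSH only
# from an admin network, outbound HTTP/HTTPS only. A new group allows all
# egress by default, so that rule is revoked before the narrow ones are added.
natsg_commands() {
  cat <<EOF
sg=\$(aws ec2 create-security-group --group-name NATSG --vpc-id $1 --description "NAT instance" --query GroupId --output text)
aws ec2 authorize-security-group-ingress --group-id \$sg --protocol tcp --port 80 --cidr $2
aws ec2 authorize-security-group-ingress --group-id \$sg --protocol tcp --port 443 --cidr $2
aws ec2 authorize-security-group-ingress --group-id \$sg --protocol tcp --port 22 --cidr $3
aws ec2 revoke-security-group-egress --group-id \$sg --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
aws ec2 authorize-security-group-egress --group-id \$sg --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress --group-id \$sg --protocol tcp --port 443 --cidr 0.0.0.0/0
EOF
}

# srcdest_commands INSTANCE_ID
# EC2 drops any packet whose source or destination is not one of the
# instance's own addresses unless the check is disabled; a NAT forwards
# exactly such packets. The second command reads the attribute back (false).
srcdest_commands() {
  cat <<EOF
aws ec2 modify-instance-attribute --instance-id $1 --no-source-dest-check
aws ec2 describe-instance-attribute --instance-id $1 --attribute sourceDestCheck --query SourceDestCheck.Value --output text
EOF
}

# Placeholder values (assumed); override with environment variables.
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"
IFACE="${IFACE:-eth0}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"

# Usage: nat-instance.sh [host|account]; no argument prints both stages.
main() {
  case "${1:-all}" in
    host)    cmds=$(nat_host_commands "$VPC_CIDR" "$IFACE") ;;
    account) cmds=$(natsg_commands "$VPC_ID" "$VPC_CIDR" "$ADMIN_CIDR"
                    srcdest_commands "$INSTANCE_ID") ;;
    all)     cmds=$(nat_host_commands "$VPC_CIDR" "$IFACE"
                    natsg_commands "$VPC_ID" "$VPC_CIDR" "$ADMIN_CIDR"
                    srcdest_commands "$INSTANCE_ID") ;;
    *)       printf 'usage: %s [host|account]\n' "$0" >&2; return 2 ;;
  esac
  if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$cmds" | sh -e
  else
    printf '%s\n' "$cmds"
  fi
}

main "$@"
```

The host-stage settings do not survive a reboot on their own: persist ip_forward in /etc/sysctl.d and save the nat table with your distribution's iptables persistence mechanism, or run `APPLY=1 sh nat-instance.sh host` from the instance's user data. The account stage is the NATSG group as the AWS docs describe it, expressed as CLI calls; SSH from the admin range can be dropped entirely if you manage the instance through SSM.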
