NAT Gateway
Definition
Network Address Translation Gateway: a managed service that lets resources in private subnets (instances without public IPs) initiate outbound connections to the internet. The gateway rewrites each flow's private source address to its own public IP, keeps translation state for the flow, and forwards the replies back to the originating instance. Inbound connections that no internal host initiated are dropped, because no translation state exists for them. A NAT gateway translates addresses; it does not filter destinations, so it complements rather than replaces security groups, network ACLs or an egress firewall.
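The "outbound-only" property follows from how a NAT gateway tracks connections, so here is a toy model of that state machine. It is an added illustration written for this page, not a cloud provider's implementation. The public IP 203.0.113.10, the private host 10.0.2.15 and the external addresses are constructed sample values from the documentation ranges, and real gateways add idle timeouts, port-pool exhaustion handling and per-destination connection caps that this model leaves out.

```python
"""Toy model of a stateful NAT gateway (port address translation).

Outbound packets create a translation entry; inbound packets are forwarded
only when they match an existing entry. Added example for this page; the
addresses below are constructed, not taken from any real deployment.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Single public IP, one translated source port per outbound flow."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port, proto) -> public port
        self._out: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, remote_ip, remote_port, proto) -> (private_ip, private_port)
        self._in: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private subnet, creating state if new."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the de-translated packet for reply traffic, or None to drop it.

        The lookup includes the remote peer's address and port, so a third
        party cannot reach a mapped port simply by guessing the port number.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            return None  # unsolicited inbound: no translation state exists
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Constructed scenario: one legitimate flow, two unsolicited inbound attempts."""
    nat = NatGateway("203.0.113.10")
    # private instance 10.0.2.15 calls an external HTTPS API at 198.51.100.7
    out = nat.outbound(Packet("10.0.2.15", 43210, "198.51.100.7", 443))
    # the API's reply comes back to the translated address and port
    reply = nat.inbound(Packet("198.51.100.7", 443, nat.public_ip, out.src_port))
    # a scanner at 192.0.2.99 hits the same mapped port: dropped (wrong peer)
    scan = nat.inbound(Packet("192.0.2.99", 5555, nat.public_ip, out.src_port))
    # a probe to port 22 on the public IP: dropped (no mapping at all)
    probe = nat.inbound(Packet("192.0.2.99", 5555, nat.public_ip, 22))
    return out, reply, scan, probe


if __name__ == "__main__":
    out, reply, scan, probe = demo()
    print("translated outbound:", out)
    print("reply delivered to:", reply)
    print("scan forwarded:", scan is not None, "| probe forwarded:", probe is not None)
```

The point to take from the model is that inbound reachability is decided by translation state, not by a policy the operator writes: anything that creates state (an outbound connection from a compromised instance, for instance) also opens a return path, which is why NAT is a reachability property and not an access-control mechanism.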
Use Cases
- Netflix: Allow private workloads in AWS to reach external services (software repositories, third-party APIs) without exposing instances to inbound internet traffic. Runs many services in private subnets within Amazon VPCs and uses managed egress patterns (commonly including NAT for outbound-only access) so instances can fetch updates and call external endpoints while remaining unaddressable from the public internet. Benefit: less public exposure of compute while keeping the outbound connectivity that operations and integrations require.
- Spotify: Enable outbound connectivity from private subnets for patching and dependency downloads while keeping backend systems off the public internet. Uses private networking for backend services and controlled egress (commonly via NAT-style outbound access) so internal services can reach external package registries and APIs without opening inbound access paths. Benefit: a smaller attack surface for backend services while preserving the ability to update them and integrate with external systems.
- The Home Depot: Secure outbound internet access for private application tiers during cloud modernization on AWS. Places application and data tiers in private subnets and uses managed NAT for outbound-only access to vendor endpoints and update repositories, keeping inbound access restricted to load balancers and other controlled entry points. Benefit: stronger network segmentation and a safer modernization path, since internal tiers are never directly exposed to the internet.
Provider Equivalents
- AWS: Amazon VPC NAT Gateway
- Azure: Azure NAT Gateway
- GCP: Cloud NAT
- OCI: NAT Gateway
Frequently Asked Questions
- What's the difference between a NAT Gateway and an Internet Gateway?
- An Internet Gateway (IGW) gives resources that have public IPs direct two-way internet connectivity (inbound and outbound, subject to security groups and network ACLs). A NAT Gateway provides outbound-only internet access for private subnets: instances don't need public IPs, and unsolicited inbound connections from the internet are not forwarded because the NAT holds no translation state for them. The two are complementary rather than alternatives: in AWS the NAT Gateway itself is placed in a public subnet and reaches the internet through the IGW, so a private-subnet design still needs an IGW in the VPC. Note also that a NAT Gateway does not restrict which destinations private instances may contact; if outbound traffic must be limited (for example to block data exfiltration or command-and-control callbacks), add a network firewall or an egress proxy in front of it.
- When should I use a NAT Gateway?
- Use a NAT Gateway when resources in a private subnet must initiate outbound connections to the internet (OS updates, package downloads, calling external APIs) but should not accept inbound connections from the internet. If you don’t need internet access at all, keep the subnet fully private with no NAT. If you need inbound internet traffic, use a public-facing entry point like a load balancer or a bastion/SSM-style access pattern rather than making the instances public.
- How much does a NAT Gateway cost?
- Costs are mainly driven by (1) hourly charges for the NAT service (where applicable) and (2) a per-GB charge for data processed through the NAT, on top of the provider's standard internet egress charges. Pricing varies by provider and region, so estimate from expected uptime and outbound GB/TB. Architecture choices matter: minimize unnecessary outbound traffic, and route traffic to the provider's own services over private endpoints where they exist (in AWS, gateway endpoints for S3 and DynamoDB carry no charge and keep that traffic off the NAT entirely). NAT gateways are zonal, so deploying one per Availability Zone avoids both cross-zone data charges and a single-zone egress outage.
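The answers above describe one layout: private subnets default-route to a NAT gateway, and the NAT gateway sits in a public subnet whose default route is the IGW. It is easy to break this by attaching the wrong route table to a subnet. The following audit is an added example written for this page, not something taken from the page or from AWS tooling. Its input dictionaries mimic the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` output, but every identifier (rtb-public, igw-0123, nat-0abc, the subnet IDs) and the list of subnets the team intends to keep private are constructed for the example.

```python
"""Audit VPC route tables for the NAT-gateway egress pattern.

Invariant checked: every subnet declared private either has no default route
(fully isolated) or default-routes to a NAT gateway, and that NAT gateway
lives in a subnet whose own default route is an internet gateway.
Added example for this page; all IDs below are constructed.
"""
from typing import Dict, List, Set

# Constructed sample: a public subnet hosting the NAT gateway, a correctly
# configured private subnet, and a "private" subnet that was mistakenly
# given a default route straight to the internet gateway.
ROUTE_TABLES: List[Dict] = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-leaky", "Associations": [{"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]
# Constructed: which subnet each NAT gateway was created in.
NAT_GATEWAYS: List[Dict] = [{"NatGatewayId": "nat-0abc", "SubnetId": "subnet-public-a"}]
# Constructed: the subnets the team intends to be private.
PRIVATE_SUBNETS: Set[str] = {"subnet-private-a", "subnet-private-b"}


def default_route_target(table: Dict) -> str:
    """Return the target of the 0.0.0.0/0 route, or 'none' if the table has none."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or route.get("NatGatewayId")
                    or route.get("TransitGatewayId") or route.get("NetworkInterfaceId")
                    or "unknown")
    return "none"


def subnet_default_routes(route_tables: List[Dict]) -> Dict[str, str]:
    """Map each explicitly associated subnet to its default-route target."""
    targets: Dict[str, str] = {}
    for table in route_tables:
        target = default_route_target(table)
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:  # skip the main-table association
                targets[assoc["SubnetId"]] = target
    return targets


def audit(route_tables: List[Dict], nat_gateways: List[Dict],
          private_subnets: Set[str]) -> List[str]:
    """Return one finding string per violated private subnet (empty list if clean)."""
    findings: List[str] = []
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    defaults = subnet_default_routes(route_tables)
    for subnet in sorted(private_subnets):
        target = defaults.get(subnet, "none")
        if target.startswith("igw-"):
            findings.append(f"{subnet}: declared private but default-routes to {target}; "
                            f"any instance given a public IP here is directly reachable")
        elif target.startswith("nat-"):
            # the NAT gateway must itself sit in a subnet that reaches the IGW
            hosting = nat_subnet.get(target)
            hosting_target = defaults.get(hosting, "none") if hosting else "none"
            if not hosting_target.startswith("igw-"):
                findings.append(f"{subnet}: default-routes to {target}, but {target} is in "
                                f"{hosting} whose default route is {hosting_target}; egress fails")
        # 'none' is a legitimate fully isolated subnet and is not flagged
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, NAT_GATEWAYS, PRIVATE_SUBNETS) or ["no findings"]:
        print(line)
```

To run it against a real account, replace the constructed lists with the parsed JSON of the two CLI calls named in the lead-in and supply the set of subnets your design treats as private; the check is intentionally strict about the NAT gateway's own placement because a NAT gateway in a subnet without an IGW route silently produces an egress outage rather than an error at creation time.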
Category: networking
Difficulty: advanced