NAT Gateway

Definition

Network Address Translation Gateway - enables private subnet resources to access the internet for outbound traffic while blocking inbound connections.

Frequently Asked Questions

What's the difference between a NAT Gateway and an Internet Gateway?
An Internet Gateway (IGW) enables resources with public IPs to have direct two-way internet connectivity (inbound and outbound, depending on security rules). A NAT Gateway is for outbound-only internet access from private subnets: instances don’t need public IPs, and unsolicited inbound connections from the internet are not allowed through the NAT.

When should I use a NAT Gateway?
Use a NAT Gateway when resources in a private subnet must initiate outbound connections to the internet (OS updates, package downloads, calling external APIs) but should not accept inbound connections from the internet. If you don’t need internet access at all, keep the subnet fully private with no NAT. If you need inbound internet traffic, use a public-facing entry point like a load balancer or a bastion/SSM-style access pattern rather than making the instances public.

How much does a NAT Gateway cost?
Costs are mainly driven by (1) hourly charges for the NAT service (where applicable) and (2) data processed/egress through the NAT. You also pay standard internet egress charges from the cloud provider. Pricing varies by provider and region, so estimate based on expected uptime and outbound GB/TB, and consider architecture choices (e.g., minimizing unnecessary outbound traffic, using private endpoints for cloud services when available).
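
The IGW-versus-NAT distinction in the first two answers comes down to where a subnet's default route points, which can be audited mechanically. The following is an added example, not part of the original glossary entry: it classifies subnets from constructed records shaped like AWS `describe-route-tables` output and reports any subnet whose routing does not match its intended tier. The subnet names, resource IDs and the `INTENDED` inventory are assumptions.

```python
# Constructed sample data in the shape of AWS EC2 describe-route-tables output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-web", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    # Misconfiguration: a subnet meant to be NAT-only shares an IGW-routed table.
    {"RouteTableId": "rtb-batch", "Associations": [{"SubnetId": "subnet-batch"}, {"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
]

# Assumed inventory of what each subnet is supposed to be (e.g. from tags).
INTENDED = {"subnet-web": "public", "subnet-app": "nat-egress",
            "subnet-db": "isolated", "subnet-batch": "nat-egress"}


def default_route_target(table):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackhole route (e.g. deleted NAT) carries no traffic
        return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def classify(table):
    """public = two-way via IGW, nat-egress = outbound only, isolated = no internet path."""
    target = default_route_target(table)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "nat-egress"
    return "other"


def audit(tables, intended):
    """Map subnet id -> (intended, actual) for every subnet whose routing differs."""
    findings = {}
    for table in tables:
        actual = classify(table)
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")  # main-table associations have no SubnetId
            if subnet in intended and intended[subnet] != actual:
                findings[subnet] = (intended[subnet], actual)
    return findings
```
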

Category: networking

Difficulty: advanced
