NAT Gateway vs NAT Instance: Private Subnet Internet Access Compared
NAT Gateway is managed and high-performance; a NAT Instance is an EC2 host you configure and patch yourself. This page compares the two for the SAA-C03 exam and gives selection criteria.
Related Exam Domains
- Domain 1: Design Secure Architectures
- Domain 2: Design Resilient Architectures
Key Takeaway
NAT Gateway is an AWS managed service that provides high performance without operational burden; a NAT Instance is an EC2 instance you run yourself, offering full control and, at low traffic volumes, lower cost. AWS recommends NAT Gateway for most production environments and no longer maintains its NAT AMIs, so running a NAT Instance today means building and patching the host yourself.
Exam Tip
Exam Essential: NAT Gateway = Managed + High Performance + Auto Scaling, NAT Instance = EC2 + Source/Dest Check Disabled + Manual Management
What is NAT?
NAT (Network Address Translation) rewrites the private source address of packets leaving a private subnet to the NAT device's public address and keeps a record of each outbound flow. Instances in the private subnet can therefore reach the internet, while hosts on the internet cannot initiate connections to them: the NAT device forwards an inbound packet only when it answers a tracked outbound flow and drops everything else.
NAT Operation:
Private Subnet Public Subnet Internet
┌─────────────┐ ┌─────────────┐ ┌─────────┐
│ EC2 Instance│ ───────> │ NAT Gateway │ ───────> │ Internet│
│ 10.0.1.10 │ │ 52.78.x.x │ │ │
└─────────────┘ └─────────────┘ └─────────┘
│ │ │
Outbound only IP Translation Inbound blocked
(Internal → External) (Private → Public)
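To make the outbound-only behaviour concrete, here is an added example (not from this page and not AWS code): a toy stateful NAT in Python. It keeps a translation table of outbound flows, allocates public ports per unique destination, and forwards inbound packets only when they match a tracked flow. The addresses are constructed to match the diagram; class and function names are this example's own.

```python
"""Toy stateful NAT. Added illustration, not AWS code: a NAT device keeps a
translation table of outbound flows and forwards inbound packets only when they
match a tracked flow. Addresses below are constructed to match the diagram."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PRIVATE_IP = "10.0.1.10"     # instance in the private subnet (constructed)
NAT_PUBLIC_IP = "52.78.0.1"  # the NAT device's public address (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNat:
    """Source NAT with per-destination port allocation and connection tracking."""

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.low, self.high = port_range
        # outbound flow -> public port chosen for it
        self.flows: Dict[Tuple[str, int, str, int, str], int] = {}
        # (public port, remote ip, remote port, proto) -> private endpoint
        self.reverse: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}
        # next free public port per unique destination (ip, port, proto)
        self.next_port: Dict[Tuple[str, int, str], int] = {}

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the private source to (public_ip, port); None means dropped."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.flows.get(flow)
        if port is None:
            dest = (pkt.dst_ip, pkt.dst_port, pkt.proto)
            port = self.next_port.get(dest, self.low)
            if port > self.high:
                return None  # no free port toward this destination: new flow dropped
            self.next_port[dest] = port + 1
            self.flows[flow] = port
            self.reverse[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a packet from the internet only if it answers a tracked flow."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            return None  # unsolicited inbound: no translation entry, dropped
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)


def demo():
    """One outbound HTTPS flow, its reply, and an unsolicited SSH probe."""
    nat = StatefulNat(NAT_PUBLIC_IP)
    out = nat.translate_outbound(Packet(PRIVATE_IP, 40000, "93.184.216.34", 443))
    reply = nat.translate_inbound(Packet("93.184.216.34", 443, NAT_PUBLIC_IP, out.src_port))
    probe = nat.translate_inbound(Packet("198.51.100.7", 51000, NAT_PUBLIC_IP, 22))
    return out, reply, probe


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "unsolicited"), demo()):
        print(f"{label}: {pkt}")
```

The toy never recycles ports, which is why a small port range runs out quickly toward one destination; a real NAT gateway releases ports when flows close, but the per-destination limit it documents comes from the same mechanism. The "inbound blocked" property is a side effect of translation state, not a firewall rule.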
When NAT is Needed
- Software updates from private subnets (yum, apt)
- External API calls
- Access to AWS services that have no VPC endpoint (where an endpoint exists, prefer it: traffic stays on the AWS network and avoids NAT data-processing charges)
- Downloading external libraries
NAT Gateway vs NAT Instance at a Glance
| Comparison | NAT Gateway | NAT Instance |
|---|---|---|
| Management | AWS Managed | User Managed (EC2) |
| Availability | HA within AZ | Manual configuration required |
| Bandwidth | Up to 100Gbps | Depends on instance type |
| Maintenance | Auto patching | Manual patches/updates |
| Security Group | Not attachable | Attachable |
| Network ACL | Applied to subnet | Applied to subnet |
| Source/Dest Check | Not applicable | Must be disabled |
| Bastion Use | Not possible | Possible |
| Port Forwarding | Not possible | Possible |
| Cost | Hourly charge + per-GB data processing | Instance hourly charge (data transfer out is billed as for any EC2 instance) |
NAT Gateway
What is NAT Gateway?
NAT Gateway is a fully managed NAT service by AWS. Setup, patching, and scaling are handled automatically, eliminating operational burden.
NAT Gateway Architecture:
VPC (10.0.0.0/16)
┌───────────────────────────────────────────────────────┐
│ │
│ Public Subnet (10.0.0.0/24) │
│ ┌─────────────────────────────────────────────────┐ │
│ │ NAT Gateway │ │
│ │ ├── Elastic IP: 52.78.x.x │ │
│ │ └── Auto scaling/recovery │ │
│ └─────────────────────────────────────────────────┘ │
│ ↑ │
│ │ Routing (0.0.0.0/0 → nat-xxx) │
│ │ │
│ Private Subnet (10.0.1.0/24) │
│ ┌─────────────────────────────────────────────────┐ │
│ │ EC2 Instances │ │
│ │ (Internet outbound only) │ │
│ └─────────────────────────────────────────────────┘ │
│ │
└───────────────────────────────────────────────────────┘
│
↓
Internet Gateway → Internet
NAT Gateway Types
1. Public NAT Gateway (Default)
Purpose: Private subnet → Internet access
Requirements:
├── Created in public subnet
├── Elastic IP required
└── Internet Gateway routing needed
2. Private NAT Gateway
Purpose: VPC-to-VPC or on-premises connection (no internet)
Requirements:
├── Can be created in private subnet
├── No Elastic IP needed
└── Routing via Transit Gateway/VPN
NAT Gateway Features
| Feature | Description |
|---|---|
| Bandwidth | 5 Gbps baseline, scales automatically up to 100 Gbps |
| Availability | Redundant within its AZ, automatic failover of the underlying infrastructure |
| Maintenance | Patches and updates handled by AWS |
| Protocols | TCP, UDP, ICMP |
| Connections | Up to 55,000 simultaneous connections to each unique destination (IP, port and protocol); associating additional Elastic IPs raises this. Packet rate scales to 10 million packets per second |
NAT Gateway Setup Steps
1. Select public subnet
↓
2. Allocate Elastic IP (for public NAT Gateway)
↓
3. Create NAT Gateway
↓
4. Modify private subnet route table:
Destination: 0.0.0.0/0 → Target: nat-xxxxxxxx
High Availability Configuration
NAT Gateway provides high availability only within a single AZ. For multi-AZ resilience, deploy a NAT Gateway in each AZ.
Multi-AZ High Availability:
AZ-a AZ-b
┌─────────────────────┐ ┌─────────────────────┐
│ Public Subnet │ │ Public Subnet │
│ ┌─────────────────┐ │ │ ┌─────────────────┐ │
│ │ NAT Gateway A │ │ │ │ NAT Gateway B │ │
│ └─────────────────┘ │ │ └─────────────────┘ │
│ ↑ │ │ ↑ │
│ Private Subnet A │ │ Private Subnet B │
│ ┌─────────────────┐ │ │ ┌─────────────────┐ │
│ │ EC2 Instances │ │ │ │ EC2 Instances │ │
│ │ (RT: 0.0.0.0/0 │ │ │ │ (RT: 0.0.0.0/0 │ │
│ │ → NAT GW A) │ │ │ │ → NAT GW B) │ │
│ └─────────────────┘ │ │ └─────────────────┘ │
└─────────────────────┘ └─────────────────────┘
Exam Tip
Exam Point: For "a single-AZ NAT Gateway failure causes loss of internet access" scenarios, the answer is to deploy a NAT Gateway in each AZ, with each private subnet's route table pointing at the gateway in its own AZ.
NAT Instance
What is NAT Instance?
A NAT Instance is an EC2 instance configured to perform NAT. You have full control but must manage it yourself. Besides the AWS-side settings below, the instance's operating system has to forward packets and masquerade them (on Linux, net.ipv4.ip_forward=1 plus an iptables MASQUERADE rule); the retired AWS NAT AMI did this for you, so a freshly built instance needs it configured.
NAT Instance Required Settings
1. Disable Source/Destination Check
By default, EC2 drops any packet an instance sends or receives in which the instance is not the source or the destination. A NAT Instance forwards other instances' packets, so this check (the SourceDestCheck instance attribute) must be disabled; otherwise the instance silently discards the traffic it is supposed to relay.
Disable in EC2 Console:
Select Instance → Actions → Networking →
Change source/destination check → Stop
2. Place in Public Subnet
NAT Instance:
├── Located in public subnet
├── Public IP or Elastic IP required
└── Internet Gateway routing needed
3. Security Group Configuration (allow inbound only from the private subnet CIDRs, never from 0.0.0.0/0)
Inbound:
├── HTTP (80): Private subnet CIDR
├── HTTPS (443): Private subnet CIDR
└── Other required ports
Outbound:
└── All traffic: 0.0.0.0/0
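As an added example (not from this page or AWS), the following Python audit checks a VPC description for the conditions above and in the multi-AZ section: a NAT device placed in a subnet without an Internet Gateway route, a NAT Instance with the source/destination check still enabled, a private NAT Gateway used as an internet route, and a private subnet whose default route points at a NAT device in another AZ. SAMPLE_VPC is constructed; its shape is a simplified rendering of the EC2 describe-subnets, describe-route-tables, describe-nat-gateways and describe-instances responses, not the raw API output, and all identifiers in it are made up.

```python
"""Added example: audit a simplified VPC description for common NAT mistakes.
SAMPLE_VPC is constructed; ids and AZs are made up."""

SAMPLE_VPC = {
    "subnets": {
        "subnet-pub-a": {"az": "ap-northeast-2a"},
        "subnet-pub-b": {"az": "ap-northeast-2b"},
        "subnet-priv-a": {"az": "ap-northeast-2a"},
        "subnet-priv-b": {"az": "ap-northeast-2b"},
        "subnet-priv-c": {"az": "ap-northeast-2a"},
    },
    "route_tables": [
        {"id": "rtb-main", "main": True, "subnets": [],
         "routes": [{"dst": "10.0.0.0/16", "target": "local"}]},
        {"id": "rtb-public", "main": False, "subnets": ["subnet-pub-a", "subnet-pub-b"],
         "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                    {"dst": "0.0.0.0/0", "target": "igw-0abc"}]},
        {"id": "rtb-priv-a", "main": False, "subnets": ["subnet-priv-a"],
         "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                    {"dst": "0.0.0.0/0", "target": "nat-a"}]},
        # Mistake 1: AZ b depends on the gateway in AZ a.
        {"id": "rtb-priv-b", "main": False, "subnets": ["subnet-priv-b"],
         "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                    {"dst": "0.0.0.0/0", "target": "nat-a"}]},
        # Mistake 2: a NAT instance whose source/dest check was never disabled.
        {"id": "rtb-priv-c", "main": False, "subnets": ["subnet-priv-c"],
         "routes": [{"dst": "10.0.0.0/16", "target": "local"},
                    {"dst": "0.0.0.0/0", "target": "i-0nat"}]},
    ],
    "nat_gateways": {"nat-a": {"subnet": "subnet-pub-a", "eip": "52.78.0.1"}},
    "instances": {"i-0nat": {"subnet": "subnet-pub-a", "source_dest_check": True}},
}


def _route_table_for(vpc, subnet_id):
    """Explicitly associated table, else the VPC's main table (the AWS default)."""
    for rt in vpc["route_tables"]:
        if subnet_id in rt["subnets"]:
            return rt
    return next(rt for rt in vpc["route_tables"] if rt["main"])


def _default_target(rt):
    return next((r["target"] for r in rt["routes"] if r["dst"] == "0.0.0.0/0"), None)


def _is_public(vpc, subnet_id):
    """A subnet is public only if its route table sends 0.0.0.0/0 to an IGW."""
    target = _default_target(_route_table_for(vpc, subnet_id))
    return target is not None and target.startswith("igw-")


def audit(vpc):
    """Return (code, route_table_id, detail) findings, in route-table order."""
    findings = []
    for rt in vpc["route_tables"]:
        target = _default_target(rt)
        if target is None or target.startswith("igw-"):
            continue  # no internet route, or a public subnet: nothing to check
        if target.startswith("nat-"):
            gw = vpc["nat_gateways"][target]
            device_subnet = gw["subnet"]
            if gw["eip"] is None:
                findings.append(("PRIVATE_NAT", rt["id"],
                                 f"{target} has no Elastic IP; a private NAT gateway cannot reach the internet"))
        elif target.startswith("i-"):
            inst = vpc["instances"][target]
            device_subnet = inst["subnet"]
            if inst["source_dest_check"]:
                findings.append(("SRC_DST_CHECK", rt["id"],
                                 f"{target} still has the source/destination check enabled; forwarded packets are dropped"))
        else:
            continue  # transit gateway, peering, etc.: out of scope here
        if not _is_public(vpc, device_subnet):
            findings.append(("NOT_PUBLIC", rt["id"],
                             f"{target} sits in {device_subnet}, whose route table has no 0.0.0.0/0 -> igw route"))
        device_az = vpc["subnets"][device_subnet]["az"]
        for subnet in rt["subnets"]:
            az = vpc["subnets"][subnet]["az"]
            if az != device_az:
                findings.append(("CROSS_AZ", rt["id"],
                                 f"{subnet} ({az}) depends on {target} in {device_az}: an AZ failure cuts its egress and traffic crosses AZs"))
    return findings


if __name__ == "__main__":
    for code, rtb, detail in audit(SAMPLE_VPC):
        print(f"[{code}] {rtb}: {detail}")
```

Running it against the sample reports the cross-AZ route in rtb-priv-b and the enabled source/destination check behind rtb-priv-c; fixing those two (a second gateway in subnet-pub-b and SourceDestCheck false) makes the audit come back empty.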
NAT Instance Pros and Cons
Pros:
- Cost savings (low traffic environments)
- Full customization
- Can double as Bastion Host
- Port forwarding possible
- Security group attachable
Cons:
- Manual HA configuration (Auto Scaling, scripts)
- Bandwidth limited by instance type
- Manual patches/updates
- Must disable Source/Dest Check
NAT Instance Architecture Example
NAT Instance Architecture:
Private Subnet Public Subnet
┌─────────────────┐ ┌─────────────────┐
│ EC2 (App) │ ─────────> │ NAT Instance │
│ 10.0.1.10 │ │ 10.0.0.10 │
│ │ │ EIP: 52.78.x.x │
│ RT: 0.0.0.0/0 │ │ │
│ → NAT Instance │ │ S/D Check: OFF │
└─────────────────┘ └─────────────────┘
│
↓
Internet Gateway
│
↓
Internet
Exam Tip
Exam Point: For "NAT Instance not working" problems, the key is to verify that the Source/Destination Check is disabled.
Cost Comparison
NAT Gateway Cost (Seoul Region)
NAT Gateway Cost Structure:
├── Hourly rate: $0.059/hour
├── Data processing: $0.059/GB
├── Public IPv4 address (the Elastic IP): $0.005/hour, charged since February 2024
└── Monthly estimate (1TB traffic):
Hourly: $0.059 × 730 hours = $43.07
Data: $0.059 × 1,024GB = $60.42
Elastic IP: $0.005 × 730 hours = $3.65
Total: ~$107/month (per AZ), plus standard data transfer out charges
NAT Instance Cost (us-east-1 on-demand rates; Seoul is somewhat higher)
t3.nano:
├── Instance: ~$0.0052/hour × 730 = ~$3.80/month
├── Public IPv4 address (Elastic IP): $0.005/hour × 730 = $3.65/month (no longer free when attached, since February 2024)
└── Total: ~$7.50/month
t3.micro:
├── Instance: ~$0.0104/hour × 730 = ~$7.59/month
├── Elastic IP: $3.65/month
└── Total: ~$11/month
Data transfer out to the internet is billed at the same EC2 rate in both cases; the NAT Instance avoids only the hourly and per-GB processing charges of the NAT Gateway.
Cost Selection Guide
| Traffic Level | Recommended | Reason |
|---|---|---|
| Low traffic (< 10GB/month) | NAT Instance (t3.nano) | Around 80-90% cheaper |
| Medium traffic | Depends | Compare management cost vs instance cost |
| High traffic | NAT Gateway | Performance and stability needed |
| Production | NAT Gateway | Minimize operational burden |
Selection Criteria Guide
When to Choose NAT Gateway
- Production environments: Stability and auto-recovery needed
- High bandwidth needs: 5Gbps or more
- Minimize operations: No patching or monitoring required
- Quick setup: Complete in minutes
- AWS recommended: Most use cases
When to Choose NAT Instance
- Cost priority: Dev/test environments
- Low traffic: Less than a few GB per month
- Customization needed: Special monitoring, logging
- Bastion Host combo: One instance for both roles
- Port forwarding needed: Specific port redirection
Scenario-Based Solutions
Scenario 1: Production Web Application
Requirements: High availability, auto scaling, minimal operations
Choice: NAT Gateway (deploy in each AZ)
Reason: Managed service, AZ failure resilience
Scenario 2: Dev/Test Environment
Requirements: Minimize cost, intermittent use
Choice: NAT Instance (t3.nano)
Reason: single-digit dollars per month for a t3.nano versus ~$43/month per NAT Gateway before data charges
Scenario 3: Bastion + NAT Combined
Requirements: Need both Bastion Host and NAT
Choice: NAT Instance
Reason: NAT Gateway is not a host; there is no operating system to log in to, so it cannot serve as an SSH jump host
Scenario 4: High-Bandwidth Data Transfer
Requirements: Large data backups, high-speed transfer
Choice: NAT Gateway
Reason: Auto-scales up to 100Gbps
Scenario 5: VPC-to-VPC Private Connection
Requirements: Communicate with other VPC without internet
Choice: Private NAT Gateway
Reason: Integrates with Transit Gateway, no internet traversal
SAA-C03 Exam Focus Points
- ✅ NAT Gateway characteristics: Managed, auto-scaling, HA within AZ
- ✅ NAT Instance required setting: Disable Source/Destination Check
- ✅ High availability: Deploy NAT Gateway in each AZ
- ✅ Security groups: NAT Gateway doesn't support, NAT Instance does
- ✅ Bastion combo: Only NAT Instance possible
- ✅ Cost: NAT Instance cheaper for low traffic
Exam Tip
Sample Exam Question: "EC2 instances in a private subnet cannot connect to the internet. The NAT Instance is correctly configured and the route table is accurate. What is the cause?" → Answer: NAT Instance's Source/Destination Check is enabled
Frequently Asked Questions
Q: Can I attach a security group to NAT Gateway?
No. NAT Gateway doesn't support security groups. Instead, use Network ACLs to control traffic for the subnet where NAT Gateway is located. NAT Instance supports security group attachment.
Q: What happens if NAT Gateway goes down?
The private subnet in that AZ loses internet access. NAT Gateway provides high availability only within a single AZ. For multi-AZ resilience, deploy NAT Gateway in each AZ with separate route tables.
Q: How do I migrate from NAT Instance to NAT Gateway?
1. Create a NAT Gateway in the same public subnet (or one per AZ).
2. Update each private route table: change the 0.0.0.0/0 target from the NAT Instance to the NAT Gateway. Connections established through the NAT Instance are dropped at this point, so do it in a maintenance window.
3. Verify connectivity from a private instance, then terminate the NAT Instance and release its Elastic IP.
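The setup steps earlier on the page and the migration in this answer are the same route-table operation. The added Python example below (not from the page; ensure_nat_egress, FakeEc2 and the ids in it are this example's own) performs both using the boto3 EC2 client method names and arguments: allocate an Elastic IP, create the gateway, wait until it is available, then create the private table's 0.0.0.0/0 route or replace the existing one. FakeEc2 is a constructed in-memory stand-in so the flow runs offline; pass boto3.client("ec2") for real use.

```python
"""Added example, not from the page: provision a public NAT gateway and point a
private route table at it, handling the migration case where a 0.0.0.0/0 route
(for example to a NAT instance) already exists. ensure_nat_egress uses the real
boto3 EC2 client method names and arguments; FakeEc2 is a constructed stand-in."""


def ensure_nat_egress(ec2, public_subnet_id, private_route_table_id):
    """Create a public NAT gateway in public_subnet_id and make it the default
    route of private_route_table_id. Returns (nat_gateway_id, allocation_id,
    action) where action is "created" or "replaced"."""
    # 1. A public NAT gateway needs its own Elastic IP.
    allocation_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    # 2. Create the gateway in a subnet whose route table sends 0.0.0.0/0 to an IGW.
    nat_id = ec2.create_nat_gateway(
        SubnetId=public_subnet_id, AllocationId=allocation_id, ConnectivityType="public"
    )["NatGateway"]["NatGatewayId"]
    # 3. A route to a gateway that is still "pending" black-holes traffic, so wait.
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat_id])
    # 4. replace_route fails when no such route exists and create_route fails when
    #    one does, so inspect the table first.
    table = ec2.describe_route_tables(RouteTableIds=[private_route_table_id])["RouteTables"][0]
    has_default = any(r.get("DestinationCidrBlock") == "0.0.0.0/0" for r in table["Routes"])
    route = dict(RouteTableId=private_route_table_id,
                 DestinationCidrBlock="0.0.0.0/0", NatGatewayId=nat_id)
    if has_default:
        ec2.replace_route(**route)  # in-place target swap: no moment without a default route
        action = "replaced"
    else:
        ec2.create_route(**route)
        action = "created"
    return nat_id, allocation_id, action


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client: records calls and keeps route
    tables in memory. Only the methods ensure_nat_egress uses are implemented."""

    def __init__(self, route_tables):
        self.route_tables = route_tables  # {route_table_id: [route dicts]}
        self.nat_gateways = {}
        self.calls = []

    def allocate_address(self, Domain):
        self.calls.append("allocate_address")
        return {"AllocationId": f"eipalloc-0fake{len(self.calls)}"}

    def create_nat_gateway(self, SubnetId, AllocationId, ConnectivityType):
        nat_id = f"nat-0fake{len(self.nat_gateways)}"
        self.nat_gateways[nat_id] = {"SubnetId": SubnetId, "AllocationId": AllocationId,
                                     "ConnectivityType": ConnectivityType, "State": "available"}
        self.calls.append("create_nat_gateway")
        return {"NatGateway": {"NatGatewayId": nat_id}}

    def get_waiter(self, name):
        self.calls.append(f"wait:{name}")
        return self  # the fake gateway is available at once, so wait() is a no-op

    def wait(self, **_kwargs):
        pass

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": i, "Routes": self.route_tables[i]}
                                for i in RouteTableIds]}

    def create_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.calls.append("create_route")
        self.route_tables[RouteTableId].append(
            {"DestinationCidrBlock": DestinationCidrBlock, "NatGatewayId": NatGatewayId})
        return {"Return": True}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.calls.append("replace_route")
        for r in self.route_tables[RouteTableId]:
            if r.get("DestinationCidrBlock") == DestinationCidrBlock:
                r.clear()
                r.update({"DestinationCidrBlock": DestinationCidrBlock, "NatGatewayId": NatGatewayId})


if __name__ == "__main__":
    # Constructed tables: rtb-priv-a has no default route; rtb-priv-b still points at a NAT instance.
    fake = FakeEc2({
        "rtb-priv-a": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        "rtb-priv-b": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                       {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat"}],
    })
    print(ensure_nat_egress(fake, "subnet-pub-a", "rtb-priv-a"))
    print(ensure_nat_egress(fake, "subnet-pub-b", "rtb-priv-b"))
    print(fake.route_tables["rtb-priv-b"])
```

Terminating the old NAT Instance is deliberately left out: do it only after confirming egress from a private instance through the new gateway. In a multi-AZ layout, call the function once per AZ with that AZ's public subnet and private route table.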
Q: What's the difference between NAT Gateway and Internet Gateway?
- Internet Gateway: Bidirectional internet communication for public subnet instances
- NAT Gateway: Outbound only internet access for private subnet instances
Q: When should I use Private NAT Gateway?
For VPC-to-VPC or on-premises connections. For example, it's useful for translating IP addresses when communicating between two VPCs with overlapping CIDR blocks. Not used for internet access.
Q: How do I improve NAT Instance performance?
Choose a larger instance type: network bandwidth is set by the instance type, and burstable types such as t3 advertise an "up to" figure whose sustained baseline is far lower, so size by baseline for steady traffic. Instances that support Enhanced Networking (ENA) also deliver higher packet rates.
Related Posts
- VPC Basics: CIDR, Subnets, Route Tables
- Security Groups vs NACLs
- VPC Endpoints: Interface vs Gateway