AWS Networking: NAT Gateway Study Guide

For the SAA-C03 exam, understanding how private resources communicate with the outside world is critical. The AWS NAT Gateway is a highly available, managed Network Address Translation service that allows instances in a private subnet to connect to services outside your VPC (like the internet or other AWS services), but prevents external entities from initiating a connection with those instances.

The Real-World Analogy: Think of a NAT Gateway like a One-Way Security Door in a high-security building. Employees (Private EC2 instances) can push the door open to go outside to get lunch (download updates), but people outside cannot pull the door open to get inside the building.

Core Concepts & Configuration

To function correctly, a NAT Gateway must follow specific architectural rules that are frequently tested:

  • Public Subnet Placement: A NAT Gateway must be created in a public subnet (a subnet with a route to an Internet Gateway).
  • Elastic IP (EIP): You must associate an Elastic IP address with the NAT Gateway at creation.
  • Route Table Updates: You must update the route table of your private subnet to point internet-bound traffic (0.0.0.0/0) to the NAT Gateway ID (nat-xxxxxxxx).
  • IPv4 Only: A NAT Gateway translates IPv4 traffic only. For outbound-only IPv6 access, you must use an Egress-Only Internet Gateway.

NAT Gateway vs. NAT Instance

| Feature         | NAT Gateway (Recommended)           | NAT Instance (Legacy)                     |
|-----------------|-------------------------------------|-------------------------------------------|
| Management      | Managed by AWS (serverless feel)    | Managed by you (EC2 instance)             |
| Availability    | Highly available within an AZ       | Single point of failure (unless scripted) |
| Bandwidth       | Scales automatically up to 100 Gbps | Depends on EC2 instance type              |
| Security Groups | Cannot associate SGs                | Can associate SGs                         |
| Maintenance     | AWS handles patching/updates        | You handle OS patching/updates            |

High Availability Architecture

A common SAA-C03 “trap” involves NAT Gateway availability. While a NAT Gateway is redundant within a single Availability Zone (AZ), it does not span AZs. If the AZ where the NAT Gateway resides goes down, all private subnets relying on it lose internet access.

Exam Solution: Create one NAT Gateway in each AZ and configure your private subnet route tables to use the NAT Gateway in their respective AZ. This ensures AZ-level fault tolerance.

Exam Tips and Gotchas

  • No Security Groups: You cannot apply a Security Group to a NAT Gateway. To control traffic, use the Security Groups of the source instances or Network ACLs (NACLs) on the subnet.
  • The “Public Subnet” Rule: If an exam question says instances can’t reach the internet despite having a NAT Gateway, check if the NAT Gateway was accidentally placed in a private subnet.
  • Port Forwarding: NAT Gateways do not support port forwarding (DNAT).
  • Cost Optimization: You are charged per hour and per GB of data processed. To save costs for internal AWS traffic (like S3 or DynamoDB), use VPC Endpoints instead of a NAT Gateway.
  • Egress-Only IGW: If the requirement mentions IPv6 and “outbound only,” the answer is Egress-Only Internet Gateway, not NAT Gateway.
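The placement and routing rules from Core Concepts & Configuration (NAT Gateway in a public subnet, private-subnet 0.0.0.0/0 route pointing at the NAT Gateway ID) and the one-NAT-Gateway-per-AZ pattern from High Availability Architecture can be checked mechanically, which is how you would catch the “NAT Gateway accidentally in a private subnet” gotcha outside an exam. The following Python audit is an added example written for this guide, not AWS tooling. It assumes input dicts that reuse the field names of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` (`SubnetId`, `AvailabilityZone`, `Associations`, `Routes`, `NatGatewayId`, `State`); every ID and CIDR in the sample is constructed.

```python
"""Audit a VPC's NAT Gateway layout against the rules in this guide.

Added example for the guide, not AWS tooling. The input dicts reuse the
field names of `aws ec2 describe-subnets`, `describe-route-tables` and
`describe-nat-gateways`; every ID and CIDR below is a constructed sample.
"""

INTERNET = "0.0.0.0/0"

# Constructed sample VPC: two AZs, one NAT Gateway in each public subnet,
# and one planted mistake (the AZ-B private subnet routes via the AZ-A NAT).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
]

NAT_GATEWAYS = [
    {"NatGatewayId": "nat-aaaa1111", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-bbbb2222", "SubnetId": "subnet-pub-b", "State": "available"},
]

ROUTE_TABLES = [
    {   # main route table, used by both public subnets: 0.0.0.0/0 -> IGW
        "Associations": [{"Main": True}, {"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": INTERNET, "GatewayId": "igw-0123abcd"}],
    },
    {   # AZ-A private subnet: 0.0.0.0/0 -> NAT Gateway in the same AZ (correct)
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": INTERNET, "NatGatewayId": "nat-aaaa1111"}],
    },
    {   # AZ-B private subnet: 0.0.0.0/0 -> NAT Gateway in AZ-A (the planted mistake)
        "Associations": [{"SubnetId": "subnet-priv-b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": INTERNET, "NatGatewayId": "nat-aaaa1111"}],
    },
]


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or None if it has none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == INTERNET:
            return route
    return None


def subnet_default_routes(subnets, route_tables):
    """Map each subnet ID to its effective 0.0.0.0/0 route.

    An explicit association wins; a subnet without one falls back to the
    main route table, which is how the VPC resolves routing for it."""
    explicit, main_default = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_default = default_route(rt)
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = default_route(rt)
    return {s["SubnetId"]: explicit.get(s["SubnetId"], main_default) for s in subnets}


def audit_nat_layout(subnets, nat_gateways, route_tables):
    """Return a list of findings; an empty list means the layout follows the guide."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    default_of = subnet_default_routes(subnets, route_tables)
    findings, nat_az = [], {}

    for nat in nat_gateways:
        nat_id, subnet_id = nat["NatGatewayId"], nat["SubnetId"]
        if nat.get("State") != "available":
            findings.append(f"{nat_id} is in state {nat.get('State')!r}, not 'available'")
        # Rule: the NAT Gateway's subnet must be public (0.0.0.0/0 -> igw-...).
        route = default_of.get(subnet_id)
        if route is None or not str(route.get("GatewayId", "")).startswith("igw-"):
            findings.append(f"{nat_id} sits in {subnet_id}, which has no 0.0.0.0/0 route to an Internet Gateway")
        nat_az[nat_id] = az_of.get(subnet_id)

    for subnet_id, az in az_of.items():
        route = default_of.get(subnet_id)
        if route is None or "NatGatewayId" not in route:
            continue  # public subnet, or no internet route at all: not this audit's concern
        nat_id = route["NatGatewayId"]
        # Rule: a private subnet points 0.0.0.0/0 at an existing NAT Gateway in its own AZ.
        if nat_id not in nat_az:
            findings.append(f"{subnet_id} routes 0.0.0.0/0 to {nat_id}, which does not exist in this VPC")
        elif nat_az[nat_id] != az:
            findings.append(f"{subnet_id} ({az}) depends on {nat_id} in {nat_az[nat_id]}: "
                            f"an outage of {nat_az[nat_id]} cuts its internet access")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_layout(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES) or ["no findings"]:
        print(finding)
```

Run against the sample, the audit reports only the AZ-B private subnet, because it depends on a NAT Gateway in a different AZ; pointing that subnet's 0.0.0.0/0 route at nat-bbbb2222 clears the finding. Feeding it the real `describe-*` JSON from an account gives the same checks against live resources.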

Decision Matrix / If–Then Guide

| If the requirement is…                                               | Then choose…                  |
|----------------------------------------------------------------------|-------------------------------|
| IPv4 outbound traffic for private instances with minimal management  | NAT Gateway                   |
| IPv6 outbound traffic for private instances                          | Egress-Only Internet Gateway  |
| High availability across multiple AZs                                | One NAT Gateway per AZ        |
| Connecting to S3/DynamoDB without data processing charges            | Gateway VPC Endpoints         |
| Custom scripts or port forwarding on the NAT device                  | NAT Instance                  |

Topics Covered

Summary of key subtopics covered in this guide:

  • Managed NAT Gateway vs. Self-managed NAT Instances
  • Public Subnet and Elastic IP requirements
  • Multi-AZ High Availability design patterns
  • Security constraints (NACLs vs. Security Groups)
  • Cost-saving alternatives (VPC Endpoints)
  • IPv4 vs. IPv6 (Egress-Only IGW)

NAT Gateway Architecture Visualized

[Diagram: an Outbound Request from an EC2 Instance in the Private Subnet (AZ-A) is routed to the NAT GW in the Public Subnet (AZ-A), which forwards it out of the VPC to the Internet.]
Ecosystem

Integration

  • CloudWatch: Monitor BytesOut and ConnectionEstablished.
  • VPC Flow Logs: Audit traffic moving through the gateway.
  • IAM: Control who can create/delete NAT Gateways.

Performance
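To make the VPC Flow Logs item concrete, the following Python summariser is an added example for this guide, not AWS tooling. It parses records in the default VPC Flow Logs format (version 2) as they would be captured on the NAT Gateway's network interface, attributes accepted egress bytes to each private source address (the volume a NAT Gateway bills per GB), and counts inbound attempts from outside the VPC, which is the traffic a NAT Gateway exists to keep out. The VPC CIDR, the interface ID and every address in the sample are constructed.

```python
"""Summarise VPC Flow Log records captured on a NAT Gateway's network interface.

Added example for this guide, not AWS tooling. The records are constructed in
the default VPC Flow Logs format (version 2) and do not come from a real account.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range for the sample

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: two private instances fetching over HTTPS through the
# gateway, two inbound attempts from outside the VPC that were not accepted,
# and one NODATA record. External addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0abc123def456789a 10.0.2.15 203.0.113.10 49152 443 6 120 98304 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.2.15 203.0.113.10 49153 443 6 40 16384 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.2.27 198.51.100.7 53124 443 6 10 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 198.51.100.200 10.0.1.5 40000 22 6 1 44 1700000030 1700000030 REJECT OK
2 123456789012 eni-0abc123def456789a 198.51.100.201 10.0.1.5 40001 3389 6 1 44 1700000031 1700000031 REJECT OK
2 123456789012 eni-0abc123def456789a - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_flow_log(text):
    """Parse version-2 flow log lines into dicts; skips headers and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # header line, blank line, or a record in another format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA/SKIPDATA rows carry '-' placeholders instead of values
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarise(records, vpc_cidr=VPC_CIDR):
    """Aggregate egress volume per private source and count inbound attempts by action."""
    egress_bytes = defaultdict(int)   # accepted bytes leaving the VPC, per private source
    destinations = defaultdict(int)   # accepted egress bytes per (external address, port)
    inbound = defaultdict(int)        # flows that originate outside the VPC, by action
    for rec in records:
        src_inside = ipaddress.ip_address(rec["srcaddr"]) in vpc_cidr
        dst_inside = ipaddress.ip_address(rec["dstaddr"]) in vpc_cidr
        if src_inside and not dst_inside and rec["action"] == "ACCEPT":
            egress_bytes[rec["srcaddr"]] += rec["bytes"]
            destinations[(rec["dstaddr"], rec["dstport"])] += rec["bytes"]
        elif dst_inside and not src_inside:
            inbound[rec["action"]] += 1
    return {
        "egress_bytes": dict(egress_bytes),
        "destinations": dict(destinations),
        "inbound": dict(inbound),
        "total_egress_bytes": sum(egress_bytes.values()),
    }


if __name__ == "__main__":
    summary = summarise(parse_flow_log(SAMPLE_LOG))
    for src, n in sorted(summary["egress_bytes"].items(), key=lambda kv: -kv[1]):
        print(f"{src:<15} {n:>10} bytes out via NAT")
    print("inbound attempts by action:", summary["inbound"])
```

The per-source egress totals are what you would compare against the NAT Gateway's data-processing charges, and a large share of bytes going to S3 or DynamoDB addresses is the signal that a Gateway VPC Endpoint would remove that cost; the inbound counter shows connection attempts from outside the VPC that never reached a private instance.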

Scaling

  • Starts at 5 Gbps.
  • Automatically scales to 100 Gbps.
  • If you need >100 Gbps, split traffic across multiple subnets/NAT Gateways.

Cost Optimization

Savings

  • Avoid NAT for S3: Use a Gateway VPC Endpoint (Free) to avoid NAT data charges.
  • AZ Affinity: Keep traffic in the same AZ to avoid Inter-AZ data transfer fees.

Production Use Case

A fleet of application servers in a private subnet needs to download security patches from an external Linux repository and connect to a 3rd party payment API. A NAT Gateway is deployed in the public subnet to facilitate this while ensuring the application servers remain unreachable from the public internet.
