AWS Internet Gateway (IGW) Study Guide

The Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It provides a target in your VPC route tables for internet-bound traffic and performs network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Real-World Analogy: Think of an Internet Gateway as the Main Entrance/Exit of a gated community. The community (VPC) is private and secure, but the Main Entrance (IGW) allows residents (EC2 instances) to leave for the outside world and allows authorized visitors to enter, provided they have the correct address.

Core Concepts & Configuration

To enable internet access for an instance in a VPC, you must perform the following:

Create and Attach: Create an IGW and attach it to your VPC. A VPC can be attached to exactly one IGW at a time.
Route Table Entry: Add a route to your subnet’s route table that directs internet-bound traffic (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to the IGW.
Public IP: Ensure your instances have a public IPv4 address or an Elastic IP address.
Security: Update Security Group and Network ACL rules to allow relevant traffic.

Comparison: IGW vs. NAT Gateway vs. Egress-Only IGW

Feature	Internet Gateway (IGW)	NAT Gateway	Egress-Only IGW
Direction	Two-way (Inbound/Outbound)	One-way (Outbound only)	One-way (Outbound only)
Protocol	IPv4 & IPv6	IPv4 (mostly)	IPv6 ONLY
Use Case	Public-facing resources	Private instances needing updates	IPv6 instances needing updates
Cost	Free	Hourly charge + Data processing	Free

Exam Tips and Gotchas

High Availability: You do not need to manage availability. AWS handles the scaling and redundancy of the IGW automatically. It is not a single point of failure in terms of AWS infrastructure.
One Per VPC: You cannot attach multiple IGWs to a single VPC. This is a common distractor in exam questions.
The Route Table: Simply attaching an IGW is not enough. You must update the Route Table to point 0.0.0.0/0 to the IGW ID (igw-xxxxxxxx).
Public IP Requirement: An IGW alone doesn’t give an instance internet access; the instance must have a public IP or Elastic IP to communicate back and forth.
Detaching: You cannot detach an IGW if there are still active resources (like Elastic IPs) associated with instances in the VPC that depend on it.

Decision Matrix / If–Then Guide

If the requirement is…	Then use…
Allowing external users to access a Web Server (IPv4)	Internet Gateway + Public IP
Allowing private DB instances to download patches (IPv4)	NAT Gateway (placed in Public Subnet)
Preventing internet-initiated connections for IPv6	Egress-Only Internet Gateway
Connecting two VPCs privately	VPC Peering or Transit Gateway (Not IGW)

Topics covered:

Summary of key subtopics covered in this guide:

IGW Definition and Purpose
VPC Attachment Limitations (1:1 ratio)
Route Table configuration (0.0.0.0/0)
Relationship between IGW and Public IPs
Comparison with NAT Gateways and Egress-Only IGWs
High Availability and Scalability characteristics

Infographic: Internet Gateway Architecture

Traffic flow from Public Subnet EC2 through the IGW to the Public Internet.

Service Ecosystem

VPC: The parent container.

Route Tables: Directs traffic to the IGW.

CloudWatch: Monitor VPC Flow Logs for traffic passing through.

Performance & Scaling

No Bandwidth Limits: IGW scales automatically based on your traffic volume.

Availability: Managed by AWS across multiple AZs within a region implicitly.

Cost Optimization

$0 Upfront: No hourly charge for having an IGW attached.

Data Transfer: You only pay for the Data Transfer Out from EC2 to the internet (standard AWS rates).

Production Use Case: Hosting a public-facing Application Load Balancer (ALB). The ALB sits in a public subnet, and the IGW allows global users to hit the ALB’s public DNS name, which then routes traffic to private EC2 instances.