
Networking

The NAT Gateway

Letting private machines reach out without being reachable.


The One Way Door

Machines in a private subnet often need to download updates or call an external API, yet you do not want the internet to start connections to them. A NAT gateway solves this by giving private instances outbound-only access to the internet.

How It Works

NAT stands for network address translation, and the gateway sits in a public subnet.

  • A private instance sends traffic to the NAT gateway as its route to the outside.
  • The gateway rewrites the source address to its own public address.
  • Return traffic comes back to the gateway, which forwards it to the original instance.
  • Outsiders cannot initiate a connection inward because they never see the private address.
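The four steps above are easiest to see as a translation table. The following is an added example, not code from the lesson: a toy model of a NAT gateway that rewrites the source of outbound packets to its own public address, records the mapping, forwards matching return traffic back to the private instance, and drops anything inbound that no instance asked for. The addresses are constructed documentation ranges, and the port-allocation and connection-tracking logic is a simplification of what a real gateway does.

```python
"""Toy model of a NAT gateway's outbound-only address translation (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed public address of the gateway (documentation range, not a real host).
GATEWAY_PUBLIC_IP = "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

FlowKey = Tuple[str, int, str, int]  # (private_ip, private_port, remote_ip, remote_port)

class NatGateway:
    """Rewrites outbound source addresses and only lets matching replies back in."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound: Dict[FlowKey, int] = {}   # flow -> public port allocated for it
        self._inbound: Dict[int, FlowKey] = {}    # public port -> flow it belongs to

    def outbound(self, pkt: Packet) -> Packet:
        """Private instance -> internet: replace the private source with the gateway's."""
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._outbound.get(key)
        if port is None:
            # New flow: allocate a fresh public port and remember who owns it.
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: forward only if this is a reply to a tracked flow."""
        entry = self._inbound.get(pkt.dst_port)
        if entry is None:
            return None  # nobody inside asked for this; outsiders cannot open a door
        private_ip, private_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # the port is in use, but not by this peer
        # Put the original private address back as the destination.
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)

def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Constructed walk-through: one outbound request, its reply, and an unsolicited probe."""
    gw = NatGateway(GATEWAY_PUBLIC_IP)
    request = Packet("10.0.2.15", 45000, "198.51.100.7", 443)   # private instance -> API
    translated = gw.outbound(request)
    reply = gw.inbound(Packet("198.51.100.7", 443, gw.public_ip, translated.src_port))
    probe = gw.inbound(Packet("192.0.2.99", 5555, gw.public_ip, 22))  # no mapping
    return translated, reply, probe

if __name__ == "__main__":
    for label, pkt in zip(("translated", "reply", "probe"), demo()):
        print(f"{label}: {pkt}")
```

The external API never sees `10.0.2.15`; it sees the gateway's address and a port the gateway chose, and only a reply from that same API address and port is mapped back to the instance.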

Placement and Cost

A NAT gateway lives in a public subnet and itself uses the internet gateway. It is a managed, charged service that bills per hour and per gigabyte processed, so heavy egress through it can be expensive.
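Two things a practitioner checks before relying on this setup are that the gateway really sits in a subnet that can reach the internet gateway, and roughly what the egress will cost. This added example (not part of the lesson) models subnets by the target of their default route, flags a NAT gateway placed in a subnet without an internet-gateway route or a subnet that routes through the gateway it hosts, and estimates a monthly bill from hourly and per-gigabyte rates; the rates and subnet names are constructed placeholders, not a provider's prices.

```python
"""Placement check and egress cost estimate for a NAT gateway (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Subnet:
    name: str
    default_route: str  # where 0.0.0.0/0 points: "igw" (public), "nat" (private), or "none"

@dataclass(frozen=True)
class Topology:
    subnets: Dict[str, Subnet]
    nat_gateway_subnet: str  # the subnet the NAT gateway is placed in

def placement_problems(topo: Topology) -> List[str]:
    """Return a list of placement mistakes; an empty list means the layout is sound."""
    problems: List[str] = []
    host = topo.subnets.get(topo.nat_gateway_subnet)
    if host is None:
        return [f"NAT gateway subnet {topo.nat_gateway_subnet!r} does not exist"]
    # The gateway itself reaches the internet through the internet gateway,
    # so its own subnet must default-route to "igw" (i.e. be a public subnet).
    if host.default_route != "igw":
        problems.append(
            f"NAT gateway is in {host.name!r}, whose default route is "
            f"{host.default_route!r}; it needs an internet gateway route"
        )
    for subnet in topo.subnets.values():
        if subnet.default_route == "nat" and subnet.name == topo.nat_gateway_subnet:
            problems.append(f"subnet {subnet.name!r} routes through the NAT gateway it hosts")
        if subnet.default_route == "none":
            problems.append(f"subnet {subnet.name!r} has no default route and no egress")
    return problems

def monthly_egress_cost(hours: float, gigabytes: float,
                        hourly_rate: float, per_gb_rate: float) -> float:
    """Bill = time the gateway exists plus data it processes; rates are caller-supplied."""
    return round(hours * hourly_rate + gigabytes * per_gb_rate, 2)

if __name__ == "__main__":
    layout = Topology(
        {"public-a": Subnet("public-a", "igw"), "private-a": Subnet("private-a", "nat")},
        nat_gateway_subnet="public-a",
    )
    print("problems:", placement_problems(layout) or "none")
    # Placeholder rates: 0.05 per hour and 0.05 per GB, 730 hours, 500 GB processed.
    print("estimated monthly cost:", monthly_egress_cost(730, 500, 0.05, 0.05))
```

Running the check against a layout that puts the gateway in the private subnet reports both that the gateway has no internet-gateway route and that the subnet is routing into itself, which is the kind of mistake that silently leaves private instances unable to download anything.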

Key idea

A NAT gateway lets private instances make outbound connections by rewriting their source address, while blocking any inbound connection from the internet.

Check yourself


1. What kind of access does a NAT gateway give private instances?

2. Why can outsiders not start a connection to a private instance behind NAT?

3. What is a cost consideration with a NAT gateway?