NAT Gateway
💡 Definition
A NAT (Network Address Translation) Gateway is a managed AWS service that lets instances in a private Subnet initiate connections to the internet (e.g., for software updates) while preventing the internet from initiating connections to those instances. It is highly available within its Availability Zone; for resilience across AZs, deploy one per AZ.
🔑 Key Concepts
- Outbound Only: Allows connections OUT to the internet and the responses back IN (it is stateful). Does not accept new inbound connections; security groups and NACLs still apply to the instances behind it.
- Managed: AWS handles scalability and availability.
- Public Subnet: Must be deployed in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway) and is given an Elastic IP, which becomes the source address the internet sees.
⚙️ How it Works
- Deploy: Create a NAT Gateway in a public subnet and associate an Elastic IP with it.
- Route: Update the private subnet's route table to point internet-bound traffic (0.0.0.0/0) to the NAT Gateway ID (nat-...).
- Flow: Private instance -> NAT Gateway (public subnet) -> Internet Gateway -> Internet. Return traffic follows the same path in reverse.
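The deploy-and-route procedure above boils down to two checks on the route tables: the NAT Gateway's own subnet must have a default route to an Internet Gateway, and the private subnet's default route must go to the NAT Gateway (not to the IGW, which would make the subnet public and inbound-reachable). The Python below is an added example, not part of these notes or of any AWS tool; it runs those checks over constructed route-table records shaped like the output of EC2 DescribeRouteTables and DescribeNatGateways (in practice you would pass in boto3's `describe_route_tables()["RouteTables"]` and `describe_nat_gateways()["NatGateways"]`). All subnet, gateway and route-table IDs are made up for illustration.

```python
"""Offline audit of NAT Gateway placement and private-subnet routing.

Added example, not from the original notes. The records below are constructed
by hand in the shape returned by EC2 DescribeRouteTables / DescribeNatGateways;
a real audit would feed boto3 output instead. All IDs are invented.
"""
from typing import Dict, List, Optional

# Constructed sample: one public subnet (default route -> IGW) hosting the NAT
# gateway, one private subnet (default route -> NAT GW), and one misconfigured
# "private" subnet whose default route points at the IGW (publicly reachable).
ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
    {
        "RouteTableId": "rtb-leaky",
        "Associations": [{"SubnetId": "subnet-private-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
]

# Constructed NAT gateway record in the shape of DescribeNatGateways.
NAT_GATEWAYS: List[dict] = [
    {"NatGatewayId": "nat-0def", "SubnetId": "subnet-public-a", "State": "available"},
]


def default_route_target(route_table: dict) -> Optional[str]:
    """Return the target of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            # EC2 uses a different key per target type; IGW routes use
            # GatewayId, NAT Gateway routes use NatGatewayId.
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def subnet_default_targets(route_tables: List[dict]) -> Dict[str, Optional[str]]:
    """Map each explicitly associated subnet to its default-route target."""
    targets: Dict[str, Optional[str]] = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                targets[assoc["SubnetId"]] = default_route_target(rt)
    return targets


def classify_subnet(target: Optional[str]) -> str:
    """'public' if the default route goes to an Internet Gateway, 'nat' if it
    goes via a NAT Gateway, 'isolated' if there is no default route at all."""
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "nat"
    return "other"


def audit(route_tables: List[dict], nat_gateways: List[dict],
          private_subnets: List[str]) -> List[str]:
    """Return findings; an empty list means every NAT Gateway sits in a public
    subnet and every declared private subnet egresses only via a NAT Gateway."""
    findings: List[str] = []
    targets = subnet_default_targets(route_tables)
    for ngw in nat_gateways:
        kind = classify_subnet(targets.get(ngw["SubnetId"]))
        if kind != "public":
            findings.append(f"{ngw['NatGatewayId']} is in {ngw['SubnetId']}, "
                            f"which is {kind}, not public")
    for subnet in private_subnets:
        kind = classify_subnet(targets.get(subnet))
        if kind == "public":
            findings.append(f"{subnet} is declared private but routes 0.0.0.0/0 "
                            f"to an IGW (inbound-reachable)")
        elif kind == "isolated":
            findings.append(f"{subnet} has no default route; outbound internet "
                            f"(patching, APIs) will fail")
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, NAT_GATEWAYS,
                      ["subnet-private-a", "subnet-private-b"]):
        print("FINDING:", line)
```

Run against the constructed data the audit reports only `subnet-private-b`, whose default route goes to the IGW rather than the NAT Gateway; a subnet in that state is public regardless of what it is called, so its instances are reachable from the internet if their security groups allow it.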
🎯 Use Cases
- Patching: Letting database servers download updates without exposing them to the public internet.
- External APIs: Allowing backend services to call third-party APIs.
💰 Pricing Model
- Hourly: Charged per hour the gateway exists.
- Data Processing: Charged per GB of data processed.
📝 Exam Tips (CLF-C02)
- Enables internet access for private subnets.
- Managed service (preferred over old "NAT Instances").
- Must reside in a Public Subnet.
See Also:
- Internet Gateway
- VPC
- Subnet