Private Subnets - NAT Gateway vs NAT Instance - AWS Certification Cheat Sheet

Let’s get a quick overview of how you can let instances in private subnets download patches using a NAT Gateway or a NAT Instance. We will also look at important certification questions about private subnets, NAT Gateways and NAT Instances.

You will learn

  • What is a Private Subnet?
  • What is Network Address Translation?
  • How do you allow private subnets to download patches using a NAT Gateway or a NAT Instance?
  • When do you use a NAT Gateway and when a NAT Instance?
  • How do NAT Gateway and NAT Instance compare?

Network Address Translation (NAT) Instance and Gateway

Consider these two questions:

  • How do you allow instances in a private subnet to download software updates and security patches while denying inbound traffic from the internet?
  • How do you allow instances in a private subnet to connect privately to other AWS services outside the VPC?

There are three options:

  • NAT Instance: Launch an EC2 instance from a NAT-specific AMI and configure it as a gateway
  • NAT Gateway: AWS managed service
  • Egress-Only Internet Gateway: For IPv6 subnets

Private Subnet - Download Patches

Here’s the high-level architecture:

NAT instance

Here are the steps in setting up a NAT instance:

  • Step 1: Create an EC2 instance
    • AMI - Amazon Linux NAT AMI (name begins with amzn-ami-vpc-nat)
    • Place it in a public subnet with a public IP address or an Elastic IP
    • Disable the source/destination check on the instance, since it forwards traffic that is not addressed to itself
  • Step 2: Assign a Security Group
    • Inbound - HTTP (80) and HTTPS (443) from the private subnet
    • Outbound - HTTP (80) and HTTPS (443) to the internet
  • Step 3: Private Subnet Route Table
    • Route all outbound internet traffic to the NAT instance

NAT gateway

NAT gateway is an AWS Managed Service.

Here are the steps in setting it up:

  • Step 1: Allocate an Elastic IP address
  • Step 2: Create the NAT gateway in a PUBLIC subnet with that Elastic IP address
  • Step 3: Private subnet route table - route all outbound internet traffic to the NAT gateway
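The NAT instance steps and the NAT gateway steps above reduce to a handful of conditions you can check on an existing VPC: the private subnet's default route must point at a NAT gateway or NAT instance, that NAT must sit in a public subnet (one whose default route hits an Internet Gateway), a NAT gateway needs an Elastic IP, and a NAT instance needs its source/destination check disabled and a security group admitting HTTP/HTTPS from the private subnet. The following audit is an added example, not part of this cheat sheet or of any AWS tooling. Its input is a constructed, simplified stand-in for the shapes returned by `describe-route-tables`, `describe-nat-gateways` and `describe-instances`; every resource ID, CIDR and address in it is a placeholder, and `0.0.0.0/0` is used as the IPv4 default route by AWS convention.

```python
"""Audit a VPC's NAT egress layout against the conditions listed above.

Added example, not from the cheat sheet. The dictionaries are a constructed,
simplified stand-in for AWS describe-* output; IDs and addresses are placeholders.
"""
from ipaddress import ip_network

ANYWHERE = "0.0.0.0/0"   # AWS IPv4 default route: traffic without a more specific route
PATCH_PORTS = {80, 443}  # HTTP/HTTPS, the ports the cheat sheet opens on a NAT instance


def _default_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if there is no default route."""
    for route in route_table["routes"]:
        if route["dest"] == ANYWHERE:
            return route["target"]
    return None


def classify_subnets(vpc):
    """Map subnet id -> (kind, default-route target); 'public' means the default route hits an IGW."""
    kinds = {}
    for rtb in vpc["route_tables"]:
        target = _default_target(rtb)
        kind = "public" if target and target.startswith("igw-") else "private"
        for subnet in rtb["subnets"]:
            kinds[subnet] = (kind, target)
    return kinds


def _is_public(kinds, subnet):
    return kinds.get(subnet, ("private", None))[0] == "public"


def _check_nat_instance(inst_id, inst, private_cidr, findings):
    """NAT-instance-only conditions: source/dest check off, SG admits 80/443 from the private subnet."""
    if inst["source_dest_check"]:
        findings.append(f"{inst_id}: source/destination check must be disabled on a NAT instance")
    allowed = set()
    for rule in inst["sg_inbound"]:
        # A rule counts only if its CIDR covers the whole private subnet it is meant to serve.
        if rule["proto"] == "tcp" and ip_network(private_cidr).subnet_of(ip_network(rule["cidr"])):
            allowed.add(rule["port"])
    missing = sorted(PATCH_PORTS - allowed)
    if missing:
        findings.append(f"{inst_id}: security group does not allow tcp {missing} from {private_cidr}")


def audit(vpc):
    """Return a list of findings; an empty list means the layout matches the cheat sheet."""
    findings = []
    kinds = classify_subnets(vpc)
    if not any(_is_public(kinds, s) for s in kinds):
        findings.append("no subnet routes 0.0.0.0/0 to an Internet Gateway; NAT needs one")
    for subnet, (kind, target) in kinds.items():
        if kind == "public":
            continue  # public subnets reach the internet directly; nothing to check here
        cidr = vpc["subnets"][subnet]["cidr"]
        if target is None:
            findings.append(f"{subnet}: private subnet has no default route, so instances cannot fetch patches")
        elif target.startswith("nat-"):
            gw = vpc["nat_gateways"].get(target)
            if gw is None:
                findings.append(f"{subnet}: default route points at unknown NAT gateway {target}")
                continue
            if not _is_public(kinds, gw["subnet"]):
                findings.append(f"{target}: NAT gateway must be created in a public subnet, found {gw['subnet']}")
            if not gw.get("eip"):
                findings.append(f"{target}: NAT gateway has no Elastic IP")
        elif target.startswith("i-"):
            inst = vpc["nat_instances"].get(target)
            if inst is None:
                findings.append(f"{subnet}: default route points at unknown NAT instance {target}")
                continue
            if not _is_public(kinds, inst["subnet"]):
                findings.append(f"{target}: NAT instance must be in a public subnet, found {inst['subnet']}")
            _check_nat_instance(target, inst, cidr, findings)
        else:
            findings.append(f"{subnet}: default route target {target} is neither a NAT gateway nor a NAT instance")
    return findings


def _vpc(private_default_target, nat_gateways, nat_instances):
    """Build a two-subnet VPC (constructed sample) with the given private-subnet default route."""
    return {
        "subnets": {"subnet-pub": {"cidr": "10.0.0.0/24"}, "subnet-priv": {"cidr": "10.0.1.0/24"}},
        "route_tables": [
            {"id": "rtb-pub", "subnets": ["subnet-pub"],
             "routes": [{"dest": "10.0.0.0/16", "target": "local"}, {"dest": ANYWHERE, "target": "igw-example"}]},
            {"id": "rtb-priv", "subnets": ["subnet-priv"],
             "routes": [{"dest": "10.0.0.0/16", "target": "local"}, {"dest": ANYWHERE, "target": private_default_target}]},
        ],
        "nat_gateways": nat_gateways,
        "nat_instances": nat_instances,
    }


# Correct NAT gateway layout: gateway in the public subnet with an Elastic IP.
GOOD_GATEWAY_VPC = _vpc("nat-example", {"nat-example": {"subnet": "subnet-pub", "eip": "203.0.113.10"}}, {})

# NAT instance with two common mistakes: source/dest check left on, and only 443 opened.
BAD_INSTANCE_VPC = _vpc("i-example", {}, {
    "i-example": {"subnet": "subnet-pub", "source_dest_check": True,
                  "sg_inbound": [{"proto": "tcp", "port": 443, "cidr": "10.0.1.0/24"}]},
})

if __name__ == "__main__":
    for name, vpc in (("gateway", GOOD_GATEWAY_VPC), ("instance", BAD_INSTANCE_VPC)):
        print(name, audit(vpc) or "OK")
```

Feeding real `describe-*` output into this would need a small adapter from the AWS JSON shape to these dictionaries; the checks themselves are the same ones the two procedures above imply, and the NAT-instance branch is where most misconfigurations show up, because a NAT gateway has no source/destination check or security group to get wrong.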

Here are a few things to remember about NAT gateway:

  • Prefer NAT gateway over NAT instance
    • Less administration, higher availability and higher bandwidth
    • NAT Gateway does not need any security group management.
  • NAT Gateway supports IPv4 ONLY.
    • Use an Egress-Only Internet Gateway for IPv6.
  • NAT Gateway still depends on an Internet Gateway attached to the VPC.

NAT gateway vs NAT instance

| Feature | NAT gateway | NAT instance |
|---|---|---|
| Managed by | AWS | You |
| Created in | Public subnet | Public subnet |
| Internet Gateway | Needed | Needed |
| High availability | Yes, within an AZ; create one per AZ for multi-AZ (higher availability) | You are responsible |
| Bandwidth | Up to 45 Gbps | Depends on EC2 instance type |
| Public IP addresses | Elastic IP address | Elastic IP address OR public IP address |
| Disable source/destination check | No | Required |
| Security groups | No specific configuration needed | Needed on the NAT instance |
| Bastion servers | No | Can be used as a bastion server |

