Private Subnets - NAT Gateway vs NAT Instance - AWS Certification

Let’s get a quick overview of how you can enable Private Subnets to download patches using NAT Gateway and NAT Instance. We will look at important certification questions regarding Private Subnet, NAT Gateway and NAT Instance.

You will learn

  • What is Private Subnet?
  • What is Network Address Translation?
  • How do you allow Private Subnets to download patches using NAT Gateway and NAT Instance?
  • When do we use NAT Gateway and NAT Instance?
  • How do NAT Gateway and NAT Instance compare?

AWS Certification - 25 PDF Cheat Sheets + Free Course

Each cheat sheet contains:

  • FAQs and Tutorials with 5-20 slides
  • Notes to quickly review and prepare for certification exam
  • Certification Exam Tips
  • Certification and Interview Scenario Questions

Network Address Translation(NAT) Instance and Gateway

Consider these two questions:

  • How do you allow instances in a private subnet to download software updates and security patches while denying inbound traffic from internet?
  • How do you allow instances in a private subnet to connect privately to other AWS Services outside the VPC?

There are three options:

  • NAT Instance: Launch an EC2 instance from a NAT AMI and configure it as a gateway
  • NAT Gateway: AWS managed service
  • Egress-Only Internet Gateways: For IPv6 subnets

Private Subnet - Download Patches

Here’s the high-level architecture:

NAT instance

Here are the steps in setting up a NAT instance:

  • Step 1: Create an EC2 instance
    • AMI - Linux *amzn-ami-vpc-nat
    • In a public subnet, with a public IP address or an Elastic IP
  • Step 2: Assign a security group
    • Inbound - HTTP(80) & HTTPS(443) from the private subnet
    • Outbound - HTTP(80) & HTTPS(443) to internet (
  • Step 3: Private Subnet Route Table
    • Redirect all outbound traffic ( to the NAT instance

NAT gateway

NAT gateway is an AWS managed service.

Here are the steps in setting it up:

  • Step 1: Allocate an Elastic IP address
  • Step 2: Create the NAT gateway in a PUBLIC subnet and attach the Elastic IP address to it.
  • Step 3: Private subnet route - all outbound traffic ( to NAT gateway.

Here are a few things to remember about NAT gateway:

  • Prefer NAT gateway over NAT instance
    • Less administration, higher availability and higher bandwidth
    • NAT Gateway does not need any security group management.
  • NAT Gateway supports IPv4 ONLY.
    • Use Egress-Only Internet Gateways for IPv6.
  • NAT Gateway forwards traffic through the Internet Gateway, which is why it must be created in a public subnet.
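The NAT instance steps, the NAT gateway steps and the notes above all boil down to a handful of checkable facts: the private subnet's default route targets the NAT, the NAT sits in a subnet that routes to an Internet Gateway, a NAT instance has its source/destination check disabled, and its inbound HTTP/HTTPS rules admit only the private subnet. The following audit is an added example written for this page (not code from the original article or from AWS): it runs those checks over constructed data whose field names follow the `aws ec2 describe-route-tables`, `describe-nat-gateways`, `describe-instances` and `describe-security-groups` output shapes, trimmed to the fields read. All IDs and CIDRs are made up, the main-route-table fallback for subnets without an explicit association is left out, and, matching the IPv4-only note, only IPv4 CIDRs are handled.

```python
"""Audit the two private-subnet NAT patterns (added example, constructed data).

The dictionaries below are shaped like the relevant fields of AWS describe-*
output; every ID is a placeholder.  Two faults are planted on purpose in the
NAT instance sample so that the audit has something to report.
"""
import ipaddress

ANY_IPV4 = "0.0.0.0/0"              # the default route both NAT patterns rely on
PUBLIC_SUBNET = "subnet-0pub"
PRIVATE_SUBNET_A = "subnet-0privA"  # egress via a NAT gateway
PRIVATE_SUBNET_B = "subnet-0privB"  # egress via a NAT instance
PRIVATE_CIDR_B = "10.0.2.0/24"

ROUTE_TABLES = [  # constructed; one table per subnet
    {"Associations": [{"SubnetId": PUBLIC_SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_IPV4, "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": PRIVATE_SUBNET_A}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_IPV4, "NatGatewayId": "nat-0example"}]},
    {"Associations": [{"SubnetId": PRIVATE_SUBNET_B}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_IPV4, "InstanceId": "i-0natinstance"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "SubnetId": PUBLIC_SUBNET,
                 "State": "available"}]
INSTANCES = [{"InstanceId": "i-0natinstance", "SubnetId": PUBLIC_SUBNET,
              "SourceDestCheck": True,  # planted fault: a NAT instance needs False
              "SecurityGroups": [{"GroupId": "sg-0nat"}]}]
SECURITY_GROUPS = [{"GroupId": "sg-0nat", "IpPermissions": [
    # planted fault: port 80 is open to the world instead of the private subnet
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_IPV4}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": PRIVATE_CIDR_B}]},
]}]


def route_table_for(subnet_id, route_tables):
    """Route table explicitly associated with the subnet (no main-table fallback)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return None


def default_route(subnet_id, route_tables):
    """The subnet's 0.0.0.0/0 route, or None if the subnet has no such route."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return None
    return next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == ANY_IPV4), None)


def subnet_reaches_igw(subnet_id, route_tables):
    """True when the subnet is public, i.e. its default route is an Internet Gateway."""
    route = default_route(subnet_id, route_tables)
    return bool(route) and route.get("GatewayId", "").startswith("igw-")


def audit_nat_gateway(private_subnet, route_tables, nat_gateways):
    """Findings for the NAT gateway pattern; an empty list means the steps are satisfied."""
    route = default_route(private_subnet, route_tables)
    if not route or "NatGatewayId" not in route:
        return [f"{private_subnet}: default route does not target a NAT gateway"]
    ngw = next((g for g in nat_gateways if g["NatGatewayId"] == route["NatGatewayId"]), None)
    if ngw is None:
        return [f"{route['NatGatewayId']}: referenced by the route but not found"]
    findings = []
    if ngw["State"] != "available":
        findings.append(f"{ngw['NatGatewayId']}: state is {ngw['State']}")
    # The gateway forwards through the IGW, so its own subnet must route to one
    if not subnet_reaches_igw(ngw["SubnetId"], route_tables):
        findings.append(f"{ngw['NatGatewayId']}: subnet {ngw['SubnetId']} has no route to an Internet Gateway")
    return findings


def audit_nat_instance(private_subnet, private_cidr, route_tables, instances, security_groups):
    """Findings for the NAT instance pattern: route, public placement, src/dst check, inbound rules."""
    route = default_route(private_subnet, route_tables)
    if not route or "InstanceId" not in route:
        return [f"{private_subnet}: default route does not target a NAT instance"]
    inst = next((i for i in instances if i["InstanceId"] == route["InstanceId"]), None)
    if inst is None:
        return [f"{route['InstanceId']}: referenced by the route but not found"]
    findings = []
    if not subnet_reaches_igw(inst["SubnetId"], route_tables):
        findings.append(f"{inst['InstanceId']}: not in a public subnet")
    if inst.get("SourceDestCheck", True):
        findings.append(f"{inst['InstanceId']}: source/destination check is still enabled")
    # Inbound HTTP/HTTPS must be accepted only from the private subnet the instance serves
    allowed = ipaddress.ip_network(private_cidr)
    attached = {g["GroupId"] for g in inst["SecurityGroups"]}
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue
        for perm in sg["IpPermissions"]:
            for rng in perm["IpRanges"]:
                src = ipaddress.ip_network(rng["CidrIp"])
                if not src.subnet_of(allowed):
                    findings.append(f"{sg['GroupId']}: inbound {perm['FromPort']}-{perm['ToPort']} "
                                    f"from {src} is wider than {allowed}")
    return findings


if __name__ == "__main__":
    print("NAT gateway:", audit_nat_gateway(PRIVATE_SUBNET_A, ROUTE_TABLES, NAT_GATEWAYS) or "OK")
    print("NAT instance:", audit_nat_instance(PRIVATE_SUBNET_B, PRIVATE_CIDR_B, ROUTE_TABLES,
                                              INSTANCES, SECURITY_GROUPS) or "OK")
```

Run as-is, the gateway audit returns no findings while the instance audit reports the two planted faults (source/destination check still enabled, port 80 open wider than the private subnet). Feeding it real output would mean replacing the constructed lists with the `RouteTables`, `NatGateways`, `Reservations[].Instances` and `SecurityGroups` arrays from the corresponding describe calls; the functions themselves do not change.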

NAT gateway vs NAT instance

Feature | NAT gateway | NAT instance
Managed by | AWS | You
Created in | Public subnet | Public subnet
Internet Gateway | Needed | Needed
High availability | Yes (in an AZ); Multi-AZ for higher availability | You are responsible
Bandwidth | Up to 45 Gbps | Depends on EC2 instance type
Public IP addresses | Elastic IP address | Elastic IP address OR public IP address
Disable source/destination check | No | Required
Security groups | No specific configuration needed | Needed on the NAT instance
Bastion servers | No | Can be used as a bastion server


Certification - Recommended Reading

AWS VPN vs AWS Direct Connect vs Software VPN vs CloudHub - AWS Certification

VPC and Subnet Route Tables - Routing in AWS

Moving Data between AWS and On-premises - Snowball vs Snowmobile vs DataSync

AWS Storage Gateway - File vs Tape vs Volume - Stored vs Cached

Security Groups vs NACL - A Comparison

Public Subnet vs Private Subnet - Routing and Internet Gateway

VPC Endpoints - Gateway vs Interface, VPC Peering and VPC Flow Logs

Virtual Private Cloud and Subnet Fundamentals - VPC

Amazon RDS - Relational Database Service and Amazon Aurora

Multi-AZ vs Multi-Region vs Read replicas - Amazon RDS

Free Videos - Get Started with AWS Certification

Complete Course - AWS Certified Solutions Architect Associate

Get our amazing course, taken by thousands of learners

  • 400+ Lectures
  • 28 hours on-demand video
  • 18 articles
  • 2 downloadable resources
  • Full lifetime access