AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

How do I set up a public NAT gateway to access the internet from a private subnet in Amazon VPC?

2 minute read

I want to set up a public NAT gateway to access the internet from a private subnet in Amazon Virtual Private Cloud (Amazon VPC).

Short description

You can use a NAT gateway to establish an outbound connection from your Amazon Elastic Compute Cloud (Amazon EC2) instances to resources on the internet. EC2 instances can't use their assigned Private IP addresses to communicate over the internet. NAT gateways use Elastic IP addresses to help private resources communicate with the internet.

Resolution

To set up a NAT gateway for a private Amazon VPC subnet, complete the following steps:

Create a public subnet to host your NAT gateway.
Create and attach an internet gateway to your Amazon VPC.
Create a custom route table for your public subnet with a route to the internet gateway.
Verify that the network access control list (ACL) for your public subnet allows inbound traffic from the private subnet. For more information, see Control subnet traffic with network access control lists.
Create a public NAT gateway in the public subnet. Then allocate and associate your new or existing Elastic IP addresses to your instance as needed.
Update the route table of your private subnet to direct internet traffic to your NAT gateway.
Test your public NAT gateway.

Note: Data that's transferred between Amazon EC2 and elastic network interfaces in the same Availability Zone is free. However, you're charged for data that's transferred to and from Amazon EC2 and network interfaces across multiple Availability Zones in the same AWS Region. The charges depend on the data transfer rates for the Region.

Best practices

If your resources span multiple Availability Zones, then create one NAT gateway per Availability Zone to avoid a single point of failure and zone data transfer charges.

Use AWS Trusted Advisor to check whether you configured your NAT gateways with Availability Zone independence. For resources in a specific Availability Zone, use a NAT gateway in the same Availability Zone. For more information, see NAT Gateway AZ Independence.

Related information

Monitor NAT gateways with Amazon CloudWatch

Topics: Networking & Content Delivery
Tags: Amazon VPC
Language: English

Relevant content

How does a private subnet know how to route to a NAT gateway in the public subnet
Accepted Answer
rePost-User-7071130
asked 3 years ago
Instances within the private subnet are unable to access the internet using NAT gateway.
Accepted Answer
Bhanuprakash
asked a year ago
Ec2 instance in private subnet can send outbound traffic without NAT gateway
Rajesh Khanna B
asked 3 years ago
How Can I Force Traffic from Private Subnets to Appear as a Single NAT private IP for a VPN Site-to-Site Connection?
Esteban
asked 10 months ago
Can private fargate instances access public sites via internet gateway instead of a NAT?
Accepted Answer
quldude
asked 2 years ago
Why can't I use NAT to connect my EC2 instance in a private subnet to the internet?
AWS OFFICIALUpdated 6 months ago
How can I configure my IPv6 subnet as a private subnet?
AWS OFFICIALUpdated a year ago
How do I set up an AWS Network Firewall with a NAT gateway?
AWS OFFICIALUpdated 3 years ago
How do I troubleshoot connectivity issues when I use a NAT gateway on my private Amazon VPC?
AWS OFFICIALUpdated 10 months ago
How can we map entire AWS VPC CIDR to a single IP address using Private NAT Gateway via AWS Site to Site VPN connection.
EXPERT
Narinder Singh Kharbanda
published 2 years ago