How do I set up a NAT gateway for a private subnet in Amazon VPC?


I have Amazon Elastic Compute Cloud (Amazon EC2) instances in a private subnet of my Amazon Virtual Private Cloud (Amazon VPC). How can I configure these instances to communicate securely with the internet?

Short description

A network address translation (NAT) gateway allows EC2 instances to establish outbound connections to resources on the internet without allowing inbound connections to the EC2 instances. Private IP addresses assigned to instances in a private VPC subnet can't be used over the internet. Instead, NAT maps the private IP addresses to a public address for requests, and then maps the public IP address back to the private IP addresses for responses.


  1. Create a public VPC subnet to host your NAT gateway.
  2. Create and attach an internet gateway to your VPC.
  3. Create a custom route table for your public subnet with a route to the internet gateway.
  4. Verify that the network access control list (ACL) for your public VPC subnet allows inbound traffic from the private VPC subnet. For more information, see Work with network ACLs.
  5. Create a public NAT gateway, then create and associate your new or existing Elastic IP address.
  6. Update the route table of your private VPC subnet to point internet traffic to your NAT gateway.
  7. Test your NAT gateway by pinging the internet from an instance in your private VPC subnet.
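
An offline check of the finished layout (steps 3, 5 and 6), added here as an example and not part of the original article: it audits constructed data shaped like `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` output. The function names, resource IDs and finding strings are assumptions.

```python
# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `describe-nat-gateways` output. IDs are placeholders. Assumption: every subnet
# has an explicit route table association (main-table fallback is not modeled).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-example",
     "Associations": [{"SubnetId": "subnet-public-example"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-example",
     "Associations": [{"SubnetId": "subnet-private-example"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-example", "SubnetId": "subnet-public-example",
     "State": "available", "ConnectivityType": "public",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
]

def default_route(route_tables, subnet_id):
    """Return the 0.0.0.0/0 route of the table associated with subnet_id, or None."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            for route in table.get("Routes", []):
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return route
    return None

def audit_nat_setup(route_tables, nat_gateways, private_subnet):
    """Return a list of findings; an empty list means the layout matches the steps."""
    route = default_route(route_tables, private_subnet)
    if route is None:
        return ["private subnet has no default route"]
    if route.get("GatewayId", "").startswith("igw-"):
        return ["private subnet routes directly to an internet gateway"]
    nat = next((n for n in nat_gateways
                if n["NatGatewayId"] == route.get("NatGatewayId")), None)
    if nat is None:
        return ["default route does not target a known NAT gateway"]
    hop = default_route(route_tables, nat["SubnetId"]) or {}
    has_eip = any(a.get("PublicIp") for a in nat.get("NatGatewayAddresses", []))
    checks = [
        (nat.get("State") == "available", "NAT gateway is not available"),
        (nat.get("ConnectivityType") == "public", "NAT gateway is not a public NAT gateway"),
        (has_eip, "NAT gateway has no Elastic IP address"),
        (nat["SubnetId"] != private_subnet, "NAT gateway is in the private subnet"),
        (hop.get("GatewayId", "").startswith("igw-"), "NAT gateway subnet has no route to an internet gateway"),
    ]
    return [msg for ok, msg in checks if not ok]
```

To audit a real VPC, replace the two sample lists with the `RouteTables` and `NatGateways` arrays from the corresponding CLI output.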

Related information

Monitor NAT gateways with Amazon CloudWatch

AWS OFFICIAL
Updated a year ago