Can I route a Bastion Host through a NAT gateway?

Question

Historically bound to the IP addresses I had on my NAT instances (for firewall rules on distant servers). Decided to move to NAT gateways, and I can no longer show my outbound IP address as the NAT instance since the NAT gateway now has the IPs distant servers are looking for.

Is there a way to route my outbound traffic from my bastion server through the new NAT gateways so my Internet-facing IP doesn't change?

Answer

I think the additional subtext to your question is "but still allow access to the bastion host using its public IP address". The short answer is no - hosts either use NAT Gateway purely for outbound communication which means they can't be reached on a public/Elastic IP from the internet; or they use a public/Elastic IP for communications in both directions. This has to do with the placement of the host on a subnet that routes directly to an Internet Gateway or to a NAT Gateway.

If you are using Linux (and therefore SSH) you might consider using EC2 Instance Connect - this allows the EC2 instance to use NAT Gateway but still gives you the ability to SSH into it.

If you are using Linux (and therefore SSH) you might consider using [EC2 Instance Connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html) - this allows the EC2 instance to use NAT Gateway but still gives you the ability to SSH into it.

Can I route a Bastion Host through a NAT gateway?

Relevant content