What is AWS Internet Gateway?

0

What is "a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet"?

Why is the routing table considered a separate object from the gateway?

What is a public subnet? "If a subnet is associated with a route table that has a route to an internet gateway, it's known as a public subnet." "The instances in the public subnet must have public IP addresses or Elastic IP addresses to enable communication with the internet over the internet gateway." So a network of public addresses can be private, and a network of private addresses can be public, but only if the addresses are public? I'm a little confused by the AWS documentation. Is understanding public networks in the context of IGW related to RFC1918?

How does IGW work? As a regular gateway between the internet and a private network? But then it is the AWS NGW. The difference is in the ability to initiate a connection FROM the internet? How is this ensured? Probably not by port forwarding.

3 Answers
2

An AWS Internet Gateway (IGW) is indeed "a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet." It's a crucial component that enables resources within a VPC to connect to the internet and vice versa.

The routing table is considered a separate object from the gateway because it provides flexibility in network configuration. While the IGW provides the actual connection to the internet, the route table determines how traffic is directed within the VPC. This separation allows for more granular control over network traffic flows.

Regarding public subnets, there's often confusion due to the terminology. In AWS, a subnet is considered "public" if it has a route to the internet via an IGW, regardless of the IP addresses used within it. However, for instances in that subnet to actually communicate with the internet, they need public IP addresses or Elastic IP addresses.

So, a subnet with private IP addresses (from RFC1918 ranges) can be considered a "public subnet" in AWS terminology if it has a route to an IGW. But the instances within it still need public IPs to communicate with the internet. This is different from traditional networking concepts, where "public" typically refers to the address space used.

The IGW works by acting as a bridge between your VPC and the internet. It's not exactly like a traditional gateway in a private network. The key difference between an IGW and a NAT Gateway (NGW) is that an IGW allows bi-directional initiation of connections (from both inside the VPC and from the internet), while a NGW only allows outbound-initiated connections.

The IGW doesn't use port forwarding to manage connections. Instead, it performs one-to-one NAT for instances that have public IP addresses. When traffic comes from the internet to a public IP associated with an instance, the IGW routes that traffic to the instance's private IP within the VPC. This allows for direct addressability of instances from the internet, as long as security groups and network ACLs permit the traffic.
Sources
Enable internet access for a VPC using an internet gateway - Amazon Virtual Private Cloud
Community | AWS Networking Essentials
Amazon Virtual Private Cloud - Amazon EC2 Overview and Networking Introduction for Telecom Companies

answered 2 months ago
reviewed a month ago
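The answer above makes two points that are easy to conflate: a subnet is "public" purely because its route table targets an internet gateway, and an instance in such a subnet is only reachable through the IGW's 1:1 NAT if it actually owns a public IPv4 address. The following script is an added illustration (not code from this thread or from AWS) that applies both rules to constructed sample data shaped like `aws ec2 describe-route-tables` and `describe-instances` output; every ID and address in it is made up, and the audit verdict strings are my own naming.

```python
"""Audit which VPC subnets are "public" (have a route to an internet gateway)
and whether each instance can actually use that route.

Added illustration, not code from the thread or from AWS. The dictionaries
below are constructed sample data shaped like the JSON that
`aws ec2 describe-route-tables` and `describe-instances` return; every ID
and address in them is made up.
"""

VPC_CIDR = "10.0.0.0/16"

# Constructed sample: one VPC, three route tables.
ROUTE_TABLES = [
    {   # main route table (applies to subnets with no explicit association): local only
        "RouteTableId": "rtb-main",
        "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}],
        "Associations": [{"Main": True}],
    },
    {   # default route to an internet gateway -> AWS calls the subnet "public"
        "RouteTableId": "rtb-public",
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
        "Associations": [{"SubnetId": "subnet-web"}],
    },
    {   # default route to a NAT gateway -> outbound-only "private" subnet
        "RouteTableId": "rtb-private",
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        ],
        "Associations": [{"SubnetId": "subnet-app"}],
    },
]

# Constructed sample: subnet-db has no explicit association, so the main table applies.
SUBNET_IDS = ["subnet-web", "subnet-app", "subnet-db"]

# Constructed sample instances; only some carry a public IPv4 address.
INSTANCES = [
    {"InstanceId": "i-web1", "SubnetId": "subnet-web",
     "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-web2", "SubnetId": "subnet-web",
     "PrivateIpAddress": "10.0.1.11"},
    {"InstanceId": "i-app1", "SubnetId": "subnet-app",
     "PrivateIpAddress": "10.0.2.10"},
    {"InstanceId": "i-db1", "SubnetId": "subnet-db",
     "PrivateIpAddress": "10.0.3.10", "PublicIpAddress": "203.0.113.11"},
]


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id, route_tables):
    """'public' if any route targets an igw-*, 'private-nat' if one targets a
    nat-*, otherwise 'isolated'. The subnet's CIDR plays no part."""
    rt = route_table_for(subnet_id, route_tables)
    kind = "isolated"
    for route in rt["Routes"]:
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if str(route.get("NatGatewayId", "")).startswith("nat-"):
            kind = "private-nat"
    return kind


def instance_reachability(instances, route_tables):
    """Map instance ID -> verdict, combining the subnet's route table with
    whether the instance has a public IPv4 address."""
    verdicts = {}
    for inst in instances:
        kind = classify_subnet(inst["SubnetId"], route_tables)
        has_public_ip = "PublicIpAddress" in inst
        if kind == "public":
            # The IGW performs 1:1 NAT only for instances that own a public IP.
            verdicts[inst["InstanceId"]] = (
                "internet-reachable" if has_public_ip else "no-public-ip")
        elif has_public_ip:
            # A public IP with no IGW route is dead weight: nothing translates it.
            verdicts[inst["InstanceId"]] = "public-ip-without-igw-route"
        else:
            verdicts[inst["InstanceId"]] = (
                "outbound-only" if kind == "private-nat" else "no-internet")
    return verdicts


if __name__ == "__main__":
    for sid in SUBNET_IDS:
        print(sid, classify_subnet(sid, ROUTE_TABLES))
    for iid, verdict in instance_reachability(INSTANCES, ROUTE_TABLES).items():
        print(iid, verdict)
```

Run against real account data, `internet-reachable` is the set worth reviewing against security groups and network ACLs, since those are the only remaining controls in front of such an instance; `no-public-ip` and `public-ip-without-igw-route` are the two halves of the contradiction the question describes, and both are configuration mismatches rather than working setups.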
  • Yes, you have confirmed the validity of my dissatisfaction with the typical definitions on the internet and documentation.

    There is a guess that IGW is a static NAT and therefore supports initialization of a connection from the internet, and NGW is a dynamic NAT or PAT that does not support initialization of a connection from the internet. And it doesn’t matter at all what the addresses are in the VPC. But how does DNS work in this case?

0

Technically, a private and public subnet are the same. A subnet is a subnet. The key is the CIDR and the route table. The CIDR is like the identity of the subnet, which can have different rules inside a company network, and the route table defines what is reachable from the subnet.

Commonly, in AWS, a public subnet refers to a subnet where you can directly assign a public IP to your devices, for example an EC2 instance. And they can directly reach the internet through the Internet Gateway, because it is configured in the route table.

There are private subnets where you can still reach the internet but you are “hidden”. You can go on the internet, but nobody can get into your network.
It’s typically what happens at our homes. You have private IPs, and your router (gateway) does NAT so that you go to the internet through your router using its IP. In AWS, it’s a NAT Gateway, again fully managed by AWS.

A private subnet can also be a subnet without a NAT Gateway at all. Often referred to as a “database subnet”, for example, where accessing the internet, even privately behind a NAT, isn’t necessary.


To answer your specific questions:

Why is the routing table considered a separate object from the gateway?
It depends: there is a route table for the subnet (here) and a route table for the internet gateway itself (here).

So a network of public addresses can be private, and a network of private addresses can be public, but only if the addresses are public? I'm a little confused in the aws documentation. Understanding public networks in the context of IGW is related to the RFC1918?
RFC1918 refers to private IPs, which are not routable on the internet. Technically, you can use a public CIDR for your private network, but it's not at all a good practice and can have a lot of side effects. But the opposite, using RFC1918, you will never be able to route these IPs to the internet. Only by using a NAT Gateway, where the NAT Gateway will have a public IP.

How does IGW work?
Literally, it's the gateway between your VPC and the internet. With it, you can reach the internet and the internet can reach you. The Internet Gateway is fully managed by AWS. Behind the scenes, it does 1:1 NAT to forward the traffic to the right resources.

answered a month ago
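The answer above says the IGW does 1:1 NAT behind the scenes, and the question asks how initiating a connection from the internet is possible through it but not through a NAT gateway. The toy model below is an added illustration, not code from this thread or from AWS: it models only the two translation tables (a static public-to-private map for the IGW, a flow table keyed by public port for the NAT gateway), with constructed addresses and ports and no timeouts, protocol field, security groups or network ACLs. It shows why an unsolicited inbound packet is delivered by the first and dropped by the second.

```python
"""Why a connection can be initiated from the internet through an internet
gateway but not through a NAT gateway: a toy model of the two translation
tables. Added illustration, not code from the thread or from AWS; addresses
and ports are constructed sample values and both classes are simplifications
(no timeouts, no protocol field, no security groups or network ACLs).
"""


class InternetGateway:
    """Static 1:1 NAT: a fixed map between a public IP and an instance's private IP.
    The mapping exists before any packet flows, so inbound packets can be
    delivered without prior outbound state."""

    def __init__(self, public_to_private):
        self.pub_to_priv = dict(public_to_private)
        self.priv_to_pub = {v: k for k, v in public_to_private.items()}

    def outbound(self, src_private, dst):
        """VPC -> internet. Returns the translated (src, dst), or None if the
        instance has no public IP, in which case the IGW cannot forward it."""
        pub = self.priv_to_pub.get(src_private)
        return None if pub is None else (pub, dst)

    def inbound(self, src, dst_public):
        """internet -> VPC. Unsolicited traffic is delivered whenever a mapping exists."""
        priv = self.pub_to_priv.get(dst_public)
        return None if priv is None else (src, priv)


class NatGateway:
    """Many-to-one translation (PAT): one public IP shared by all instances.
    Table entries are created only by outbound flows, so there is nothing to
    match an unsolicited inbound packet against."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.table = {}          # public_port -> (private_ip, private_port, remote)
        self._next_port = first_port

    def outbound(self, src_private, src_port, dst):
        """VPC -> internet. Allocates a public port and records the flow."""
        port = self._next_port
        self._next_port += 1
        self.table[port] = (src_private, src_port, dst)
        return (self.public_ip, port, dst)

    def inbound(self, src, dst_port):
        """internet -> VPC. Delivered only if an outbound flow created the entry
        and the sender matches it; otherwise dropped."""
        entry = self.table.get(dst_port)
        if entry is None or entry[2] != src:
            return None
        private_ip, private_port, _ = entry
        return (private_ip, private_port)


def demo():
    """Run both models against the same constructed hosts and return the outcomes."""
    remote = "198.51.100.5"                       # constructed internet host
    igw = InternetGateway({"203.0.113.10": "10.0.1.10"})
    ngw = NatGateway("203.0.113.20")
    return {
        # IGW: delivered although nothing went out first (static mapping)
        "igw_inbound_unsolicited": igw.inbound(remote, "203.0.113.10"),
        # IGW: an instance without a public IP cannot be translated at all
        "igw_outbound_no_public_ip": igw.outbound("10.0.1.11", remote),
        # NGW: nothing in the table yet, so inbound is dropped
        "ngw_inbound_before_any_flow": ngw.inbound(remote, 1024),
        # NGW: the outbound flow creates the entry ...
        "ngw_outbound": ngw.outbound("10.0.2.10", 40000, remote),
        # ... which lets the reply from the same remote host back in
        "ngw_inbound_reply": ngw.inbound(remote, 1024),
        # ... but not a packet to that port from a different host
        "ngw_inbound_from_other_host": ngw.inbound("192.0.2.99", 1024),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The asymmetry the thread is circling around falls out of the data structures: the IGW's table is configuration (it is populated when a public or Elastic IP is associated with the instance), whereas the NAT gateway's table is connection state that only outbound traffic can create. That is also why the address space inside the VPC is irrelevant to the "public subnet" label, and why the only thing standing between an instance with a public IP in a public subnet and the internet is its security group and network ACL.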
  • "gateway between your VPC and internet." - this is the best definition so far.

    By mentioning RFC1918 I just meant that in those descriptions of how IGW works, public networks are called private (private in the generally accepted sense), but their owners have access to the internet. And at the same time, it is said that the VPC needs public addresses (already in the generally accepted sense) so that this works through IGW, or so that IGW is considered an IGW. The point is that I see some contradiction here.

    A routing table is a database for routing IP packets. Usually it does not exist on its own and is not tied to anything; usually it is part of a gateway/router. In the descriptions I have seen, it hangs in the air and it is not clear which object's/AWS service's/device's/abstraction's behavior it determines.

  • Can you show me where the public networks are called private?
    The IGW gives YOU (your VPC) access to the public network. Inside your VPC you define which networks (so subnets, through the route table) can use it. Setting 0.0.0.0/0 as destination and the IGW as target means that everything that is not known in your route table will be redirected to the internet.
    So, to go to the internet, your EC2 instance will actually use the IGW to go out. It's the door to go outside. It's how you access the internet.

    You are totally right: a route table is a database. The only way to modify it is through the VPC service, in the route table tab. The rest is abstracted from the customer's point of view to make it even simpler. You define the IGW in the route table for the desired destination; that's how you « link » the subnet to the IGW. (Do not forget to attach the IGW to the VPC.)

    You seem very curious about how it works, and that's totally normal. In AWS it's very abstract, to make it simpler. If you really want a deep dive, check out on the internet how it works, for example, in a Cisco router: there you have to define everything, and you will get a better comprehension of networking and route tables, because this is how it works behind the scenes.

  • On the contrary, private networks can be considered public if they can be used to access the internet (in AWS terms).

    Rather, because I understand how routers and routing tables work, it is difficult to fit the AWS definition into my existing telecommunications understanding. I understand the meaning of abstractions, but I want to find some kind of connection to more mundane things. For example, it is not very clear how the Kubernetes Ingress-Service-Pod abstractions work until it is resolved that these are instructions for performing specific actions on hosts for reverse-proxy and iptables. On the internet I mostly find superficial introductory articles, but this is not enough for me, as if a couple of logical links are missing for me to calm down regarding some topic. In this case, IGW.

  • You’re right, the naming can be a bit confusing.
    In traditional networks, a subnet with a private CIDR will never be called a public subnet, because it’s just private. In AWS it’s different: when there is public IPv4 attribution with the IGW as the default route in the route table, this is always called a public network.
    The most confusing are generally « private subnets »: do they have a NAT or not? Sometimes companies make the difference by naming « private subnets » and « intra subnets » or even « database subnets ». But it’s an internal convention. The key is always the route table.

0

In very simple terms, private and public subnets are the same and configured the same way. The only difference is in the route table entries associated with the subnets.

  • Public subnet: will have route to IGW
  • Private subnet: no routes to IGW
  • The route table is for the associated subnets and can route to other internal resources.
answered a month ago
  • This concerns a private network (VPC), and you can set up anything in it without any standards or rules; this is true. I gave two quotes about this and in my opinion one contradicts the other; I would like more clarity about what we mean. I'm just wondering: this is the routing table of what? As if there is already some basic/default gateway in the VPC.
