NAT Gateway
To allow the hosts in our EC2 public subnet to be accessed from the internet, we can allocate an Elastic IP and associate it with the network interface of the EC2 host. However, at the time of writing this book, there is a limit of five Elastic IPs per EC2-VPC (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html#vpc-limits-eips). Often we also want hosts in a private subnet to have outbound access when needed, without creating a permanent one-to-one mapping between an Elastic IP and an EC2 host.
This is where a NAT Gateway can help: it gives hosts in the private subnet temporary outbound access by performing Network Address Translation (NAT). This operation is similar to the Port Address Translation (PAT) that we normally perform on a corporate firewall. To use a NAT Gateway, we perform the following steps:
- Create a NAT Gateway in a subnet that has access to the internet gateway, via the AWS CLI, the Boto3 library, or the AWS console. The NAT Gateway must be assigned an Elastic IP.
- Point the default route in the private subnet to the NAT Gateway.
- The NAT Gateway will follow the default route to the internet gateway for external access.
This operation can be illustrated in the following diagram:

One of the most common questions about the NAT Gateway is which subnet it should reside in. The rule of thumb is to remember that the NAT Gateway itself needs public access. Therefore, it should be created in a subnet with public internet access, with an available Elastic IP assigned to it:
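The three steps above, plus the "is this subnet actually public?" check from the rule of thumb, as an added Boto3 example that is not the book's own code. It assumes the `ec2` argument is a boto3 EC2 client (created with `boto3.client("ec2")` when run for real); the client is passed in so the same logic can be dry-run offline against the constructed `FakeEC2` stub at the bottom, which is not part of boto3. All subnet, route table, gateway and allocation IDs are constructed placeholders.

```python
"""Added example: create a NAT Gateway and point a private subnet's default
route at it, checking first that the chosen subnet has a path to an
internet gateway.  `ec2` is a boto3 EC2 client (or the offline stub below)."""

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for_subnet(ec2, subnet_id):
    """Route table explicitly associated with subnet_id, or None.
    Simplification (assumption): a subnet with no explicit association falls
    back to the VPC main route table, which is not resolved here."""
    resp = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
    tables = resp.get("RouteTables", [])
    return tables[0] if tables else None


def subnet_is_public(ec2, subnet_id):
    """True when the subnet's route table sends 0.0.0.0/0 to an igw-* gateway,
    i.e. the rule of thumb: the NAT Gateway must be placed in such a subnet."""
    table = route_table_for_subnet(ec2, subnet_id) or {}
    return any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE
               and r.get("GatewayId", "").startswith("igw-")
               for r in table.get("Routes", []))


def create_nat_gateway(ec2, public_subnet_id, private_rtb_id, wait=True):
    """Step 1: allocate an EIP and create the gateway in the public subnet.
    Step 2: point the private route table's default route at it.
    Returns the IDs created so the caller can record them for cleanup."""
    if not subnet_is_public(ec2, public_subnet_id):
        raise ValueError(f"{public_subnet_id}: no default route via an internet "
                         "gateway; a NAT Gateway here would have no way out")
    eip = ec2.allocate_address(Domain="vpc")
    nat = ec2.create_nat_gateway(SubnetId=public_subnet_id,
                                 AllocationId=eip["AllocationId"])
    nat_id = nat["NatGateway"]["NatGatewayId"]
    if wait:  # a pending gateway accepts routes but forwards nothing yet
        ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat_id])
    # create_route rejects a duplicate 0.0.0.0/0, so replace an existing one
    rtb = ec2.describe_route_tables(RouteTableIds=[private_rtb_id])["RouteTables"][0]
    has_default = any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE
                      for r in rtb["Routes"])
    op = ec2.replace_route if has_default else ec2.create_route
    op(RouteTableId=private_rtb_id, DestinationCidrBlock=DEFAULT_ROUTE,
       NatGatewayId=nat_id)
    return {"AllocationId": eip["AllocationId"], "NatGatewayId": nat_id}


class FakeEC2:
    """Constructed offline stand-in for a boto3 EC2 client (not boto3 itself):
    one public route table (igw default route) and one empty private table."""

    def __init__(self):
        self.calls = []
        self.tables = {
            "rtb-public": {"Associations": [{"SubnetId": "subnet-public"}],
                           "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE,
                                       "GatewayId": "igw-placeholder"}]},
            "rtb-private": {"Associations": [{"SubnetId": "subnet-private"}],
                            "Routes": []},
        }

    def describe_route_tables(self, Filters=None, RouteTableIds=None):
        if RouteTableIds:
            found = [self.tables[i] for i in RouteTableIds]
        else:
            wanted = set(Filters[0]["Values"])
            found = [t for t in self.tables.values()
                     if any(a["SubnetId"] in wanted for a in t["Associations"])]
        return {"RouteTables": found}

    def allocate_address(self, **kw):
        self.calls.append("allocate_address")
        return {"AllocationId": "eipalloc-placeholder", "PublicIp": "203.0.113.10"}

    def create_nat_gateway(self, **kw):
        self.calls.append("create_nat_gateway")
        return {"NatGateway": {"NatGatewayId": "nat-placeholder"}}

    def create_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.calls.append("create_route")
        self.tables[RouteTableId]["Routes"].append(
            {"DestinationCidrBlock": DestinationCidrBlock, "NatGatewayId": NatGatewayId})
        return {"Return": True}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.calls.append("replace_route")
        for r in self.tables[RouteTableId]["Routes"]:
            if r["DestinationCidrBlock"] == DestinationCidrBlock:
                r["NatGatewayId"] = NatGatewayId
        return {}


def dry_run():
    """Run the steps against the stub; returns (result, stub) for inspection."""
    ec2 = FakeEC2()
    return create_nat_gateway(ec2, "subnet-public", "rtb-private", wait=False), ec2


if __name__ == "__main__":
    result, stub = dry_run()
    print(result, stub.calls)   # real use: ec2 = boto3.client("ec2"); wait=True
```

The `wait=True` path uses boto3's `nat_gateway_available` waiter, which is the part that takes a few minutes in a real account; the stub skips it. The subnet check is deliberately done before any billable resource is created, since a gateway placed in a private subnet is the most common mistake and is only discovered after the instances behind it still cannot reach out.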

In the coming section, we will take a look at how to connect our shiny virtual network in AWS to our physical network.