Step by Step Workflow of Traffic from NAT Gateway to Internet
Note: This post was originally published on my main blog site.
If you’ve ever launched an EC2 instance in a private subnet, you’ll notice it can’t reach the internet.
But what if your instance needs to connect to external services while still staying private and hidden from the public internet?
That’s where a NAT Gateway comes in.
A NAT Gateway allows private resources to securely access the internet without being exposed to it.
It’s simple to set up, but many AWS engineers get confused about how the traffic actually flows from an EC2 instance, through the NAT Gateway, and out to the internet.
In this blog, we’ll walk through the step-by-step workflow of how an EC2 instance in a private subnet reaches the internet.
Creating a NAT Gateway in AWS
Before we dive into the workflow, let’s first understand how a NAT Gateway is created.
The most important thing to know is that a NAT Gateway used for internet access (a public NAT Gateway) must be created in a public subnet.
A public subnet is simply a subnet whose route table sends 0.0.0.0/0 to an Internet Gateway (IGW).
Without a public subnet you cannot create a public NAT Gateway, because the NAT Gateway ultimately relies on the Internet Gateway to reach the internet.
When you create a NAT Gateway in a public subnet, AWS provisions an Elastic Network Interface (ENI) in that subnet with a private IP, and associates the Elastic IP you allocate for it as its public IP.
The private IP comes from the CIDR range of the public subnet you selected, very much like the way an EC2 instance receives its address. Note that you cannot attach a Security Group to this ENI; only the subnet’s NACL applies to it.
Once the NAT Gateway is created, you add a route for 0.0.0.0/0 with the NAT Gateway as its target to a route table.
Any subnet associated with that route table will function as a private subnet: it can reach the internet only through the NAT Gateway, and nothing on the internet can initiate a connection to it.
Traffic Flow from NAT Gateway to the Internet
Now let’s understand how traffic flows from an EC2 instance in a private subnet to the internet using the figure below.
Suppose a private EC2 instance wants to reach google.com. The traffic first leaves the EC2 instance, but it can only do so if the Security Group attached to the instance allows that outbound traffic (a freshly created Security Group allows all outbound traffic, but a locked-down one may not).
After passing through the Security Group, the traffic must also pass through the private subnet’s Network Access Control List (NACL). The NACL must allow outbound traffic to 0.0.0.0/0 on the destination port. Unlike Security Groups, NACLs are stateless, so the NACL must also allow the reply inbound from 0.0.0.0/0 on the ephemeral port range; without that inbound rule the request goes out but the response is dropped.
Since google.com is outside the VPC, the packet is matched against the private subnet’s route table to determine the path. To reach the internet, that route table must send 0.0.0.0/0 to the NAT Gateway.
Once these checks are satisfied, the traffic reaches the NAT Gateway.
The NAT Gateway replaces the packet’s source address, the private IP of the EC2 instance, with its own address and records the connection so it can translate the replies back. Inside the VPC the packet now carries the NAT Gateway’s private IP; by the time it leaves through the Internet Gateway its source is the NAT Gateway’s Elastic IP. All instances behind the NAT Gateway share that one Elastic IP, with individual connections distinguished by source port, and the original private address is never seen on the internet. The translation only works for connections initiated from inside, which is what keeps the instance unreachable from outside.
At this point, the traffic moves toward the internet. But the NAT Gateway itself resides in a public subnet, so the request must also pass through the public subnet’s NACL (outbound for the request and inbound on the ephemeral range for the reply) and the public subnet’s route table, which must have a route 0.0.0.0/0 → Internet Gateway.
Only after passing these checks does the request reach the Internet Gateway and go out to the internet.
📝 Key point: The NAT Gateway depends on the public subnet’s NACL and route table.
Any change to these configurations can break internet access not only for resources in the public subnet but also for every private subnet relying on the NAT Gateway. The same dependency applies to Availability Zones: a NAT Gateway lives in one AZ, so if you route private subnets in other AZs through it, an outage of that AZ takes their internet access down too. Create one NAT Gateway per AZ and point each private subnet at the one in its own AZ.
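To make the dependency chain above concrete, here is an added example (not code from the original post) that walks the same hops in the same order over a constructed, boto3-shaped description of a VPC: Security Group egress, the private subnet’s NACL in both directions, the private route table’s target, the NAT Gateway’s state and subnet, and finally the public subnet’s NACL and its route to the IGW. It also encodes the creation rules from the earlier section (the NAT Gateway sits in a public subnet, the private route table sends 0.0.0.0/0 to a nat-* target). All identifiers (subnet-public, rtb-private, nat-0f9e8d, igw-0a1b2c, sg-app) and the 203.0.113.10 destination are made up for the example; nothing here calls an AWS API.

```python
"""Static walk of the NAT Gateway egress path, hop by hop.

Added example (not the post's own code). All IDs and tables below are
constructed to mimic a trimmed subset of boto3 describe_* output; nothing
talks to AWS.
"""
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)   # NAT Gateway return traffic lands on ports 1024-65535

# ---- constructed sample VPC ----------------------------------------------
SUBNET_TO_RTB = {"subnet-public": "rtb-public", "subnet-private": "rtb-private"}
ROUTE_TABLES = {
    "rtb-public":  [{"dst": "10.0.0.0/16", "target": "local"},
                    {"dst": ANY, "target": "igw-0a1b2c"}],
    "rtb-private": [{"dst": "10.0.0.0/16", "target": "local"},
                    {"dst": ANY, "target": "nat-0f9e8d"}],
}
NAT_GATEWAYS = {"nat-0f9e8d": {"subnet": "subnet-public", "type": "public",
                               "state": "available"}}


def acl(rule, egress, proto, ports, cidr, action="allow"):
    return {"rule": rule, "egress": egress, "proto": proto, "ports": ports,
            "cidr": cidr, "action": action}


# NACLs are stateless: the outbound request AND the inbound reply need rules.
BASE_ACL = [acl(100, True, "tcp", (443, 443), ANY),
            acl(100, False, "tcp", EPHEMERAL, ANY)]
NACLS = {"subnet-public": BASE_ACL, "subnet-private": BASE_ACL}

# Security Groups are stateful: only the egress rule matters for an outbound connection.
SECURITY_GROUPS = {"sg-app": {"egress": [{"proto": "tcp", "ports": (443, 443), "cidr": ANY}]}}


def _matches(rule, proto, port, remote_ip):
    if rule["proto"] not in ("-1", proto):       # "-1" is AWS's "all protocols"
        return False
    lo, hi = rule["ports"]
    return lo <= port <= hi and ip_address(remote_ip) in ip_network(rule["cidr"])


def nacl_allows(entries, egress, proto, port, remote_ip):
    """Lowest rule number first, first match wins, implicit deny at the end."""
    for rule in sorted((e for e in entries if e["egress"] == egress), key=lambda e: e["rule"]):
        if _matches(rule, proto, port, remote_ip):
            return rule["action"] == "allow"
    return False


def sg_allows_egress(sg, proto, port, remote_ip):
    return any(_matches(r, proto, port, remote_ip) for r in sg["egress"])


def route_target(routes, dst_ip):
    """Longest-prefix match, the way the VPC router picks a route."""
    best = max((r for r in routes if ip_address(dst_ip) in ip_network(r["dst"])),
               key=lambda r: ip_network(r["dst"]).prefixlen, default=None)
    return best["target"] if best else None


def nacl_findings(subnet, entries, proto, dport, dst_ip):
    out = []
    if not nacl_allows(entries, True, proto, dport, dst_ip):
        out.append(f"{subnet} NACL: outbound {proto}/{dport} to {dst_ip} denied")
    # Reply packets come from dst_ip to an ephemeral port; test both ends of the
    # range so a rule that covers only part of it is caught.
    for port in EPHEMERAL:
        if not nacl_allows(entries, False, proto, port, dst_ip):
            out.append(f"{subnet} NACL: inbound reply on port {port} from {dst_ip} denied")
            break
    return out


def check_egress_path(subnet, sg_id, dst_ip="203.0.113.10", dport=443, proto="tcp", *,
                      subnet_to_rtb=SUBNET_TO_RTB, route_tables=ROUTE_TABLES,
                      nat_gateways=NAT_GATEWAYS, nacls=NACLS, security_groups=SECURITY_GROUPS):
    """Walk the hops in the order the post describes. Empty list == path is open."""
    findings = []
    # 1. Security Group on the instance
    if not sg_allows_egress(security_groups[sg_id], proto, dport, dst_ip):
        findings.append(f"{sg_id}: no egress rule for {proto}/{dport} to {dst_ip}")
    # 2. private subnet NACL, both directions
    findings += nacl_findings(subnet, nacls[subnet], proto, dport, dst_ip)
    # 3. private route table must hand the packet to a NAT Gateway
    target = route_target(route_tables[subnet_to_rtb[subnet]], dst_ip)
    if not (target or "").startswith("nat-"):
        findings.append(f"{subnet}: route for {dst_ip} points at {target!r}, expected nat-*")
        return findings
    # 4. the NAT Gateway must exist, be available, and be the public kind
    nat = nat_gateways.get(target)
    if nat is None or nat["state"] != "available" or nat["type"] != "public":
        findings.append(f"{target}: missing, not available, or not a public NAT Gateway")
        return findings
    # 5. the NAT Gateway's own subnet: its NACL and its route to an Internet Gateway
    findings += nacl_findings(nat["subnet"], nacls[nat["subnet"]], proto, dport, dst_ip)
    pub_target = route_target(route_tables[subnet_to_rtb[nat["subnet"]]], dst_ip)
    if not (pub_target or "").startswith("igw-"):
        findings.append(f"{nat['subnet']}: route for {dst_ip} points at {pub_target!r}, expected igw-*")
    return findings


if __name__ == "__main__":
    print(check_egress_path("subnet-private", "sg-app") or "egress path is open")
```

Running it as-is reports an open path. Swapping in a public-subnet NACL without the inbound ephemeral rule, or a public route table without the IGW route, produces a finding against subnet-public even though the instance you are debugging sits in subnet-private, which is exactly the dependency the key point above warns about. To use this against a real account you would fill the five tables from the corresponding boto3 describe_* calls; the evaluation logic does not change.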
I hope this gives you a clear understanding of how traffic flows from a NAT Gateway to the internet.
Thanks for reading.
– Alon