DEV Community

Ayomide Oguntuase

How do NAT Gateways protect resources in Private Subnets

A Virtual Private Cloud (VPC) is a logically isolated network inside a single AWS region; an organization's resources (instances, databases, load balancers) are placed in subnets within it.

A VPC spans the Availability Zones of its region, and each subnet lives in exactly one Availability Zone. Subnets come in two kinds. A public subnet has a route to an internet gateway, so a resource in it that has a public IP (and a security group rule permitting the traffic) can be reached from the internet. A private subnet has no such route, so its resources can be reached only from inside the VPC or from networks explicitly connected to it. For instance, an EC2 backend server in a public subnet talks to a Postgres database on RDS (AWS' relational database service) in a private subnet.

Now, when a resource in that private subnet needs updates and security patches from the wider internet, how does this happen? (For a managed RDS instance AWS applies engine patches through its own management plane, so the question really arises for things you manage yourself: an EC2 application server, or a self-hosted Postgres instance, in a private subnet that must pull packages from a repository.)

Simple answer: NAT Gateways

If NAT Gateways allow instances in private subnets to connect to the internet, how then are these instances not accessible from the internet? This was a point of confusion for me.

A public NAT Gateway (Network Address Translation Gateway) sits in a public subnet and has two addresses: a private IP in that subnet and an Elastic IP (EIP), which is a static public IPv4 address allocated to your account and associated with the gateway. The private subnet's route table sends internet-bound traffic (the 0.0.0.0/0 route) to the NAT gateway rather than to an internet gateway. For each outbound connection the gateway rewrites the packet's source address from the instance's private IP to its own private IP, picks a source port, records that mapping in its connection table, and forwards the packet. The public subnet's route table then sends it to the VPC's Internet Gateway, which performs the final one-to-one translation from the NAT gateway's private IP to its EIP before the packet leaves for the internet.

How NAT Gateways allow outbound connections but prevent unsolicited inbound connections. Source: [AWS Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html)

When the reply arrives at the EIP, the internet gateway maps it back to the NAT gateway's private IP, and the gateway looks up the destination port in its connection table. A match is rewritten to the originating instance's private IP and port and delivered. A packet from the internet that matches no entry (a port scan, an attacker connecting to the EIP) has nothing to be translated to, so it is dropped. That is the whole trick: the table is written only by connections the private instances initiate, so response traffic such as package downloads gets in and unsolicited connections do not. Two caveats. A NAT gateway does not replace a firewall: security groups on the private instances and network ACLs on both subnets still apply, and you cannot attach a security group to the NAT gateway itself, only an ACL to its subnet. And the door it opens is outbound, so a compromised instance can use the same path to reach out; restricting egress, or using VPC endpoints for AWS services so that traffic never needs the NAT gateway, is worth considering.
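To make the mechanism concrete, here is a small Python model of the path described above. This is an added example written for this page, not AWS code and not the post author's: it reproduces the two-hop translation (instance to NAT gateway private IP, then private IP to Elastic IP at the internet gateway) and a connection table that is filled only by outbound flows, then runs one package download and two unsolicited probes through it. The route table, gateway ID, EIP, addresses and ports are all constructed for the example from documentation ranges.

```python
"""Model of a public NAT gateway's connection table (added illustration,
not AWS code). Shows why a reply is forwarded and an unsolicited packet
is dropped. All addresses, IDs and ports are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


# Private subnet route table: VPC traffic stays local, the default route
# points at the NAT gateway (the gateway ID is an assumption).
PRIVATE_SUBNET_ROUTES = [
    (ip_network("10.0.0.0/16"), "local"),
    (ip_network("0.0.0.0/0"), "nat-0123456789abcdef0"),
]


def next_hop(dst_ip: str, routes=PRIVATE_SUBNET_ROUTES) -> str:
    """Longest-prefix match, the way a VPC route table picks a target."""
    addr = ip_address(dst_ip)
    matches = [(net.prefixlen, target) for net, target in routes if addr in net]
    return max(matches)[1]


class InternetGateway:
    """One-to-one static NAT between the NAT gateway's private IP and its EIP."""

    def __init__(self, eip_map: dict[str, str]):
        self._to_public = dict(eip_map)
        self._to_private = {eip: priv for priv, eip in eip_map.items()}

    def egress(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self._to_public[pkt.src_ip])

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        priv = self._to_private.get(pkt.dst_ip)
        return None if priv is None else replace(pkt, dst_ip=priv)


class PublicNatGateway:
    """Source NAT whose table is written only by connections from inside."""

    def __init__(self, private_ip: str):
        self.private_ip = private_ip
        self._next_port = 1024
        # nat_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self._table: dict[int, tuple[str, int, str, int]] = {}
        self.dropped: list[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """Instance -> internet: record the flow, rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for nat_port, known in self._table.items():
            if known == flow:
                break
        else:
            nat_port, self._next_port = self._next_port, self._next_port + 1
            self._table[nat_port] = flow
        return replace(pkt, src_ip=self.private_ip, src_port=nat_port)

    def inbound(self, pkt: Optional[Packet]) -> Optional[Packet]:
        """Internet -> instance: deliver only if a recorded flow matches."""
        if pkt is None or pkt.dst_ip != self.private_ip:
            return None
        flow = self._table.get(pkt.dst_port)
        if flow is None or flow[2:] != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)  # no mapping: unsolicited, so dropped
            return None
        inside_ip, inside_port, _, _ = flow
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo() -> dict:
    """One package download and two unsolicited probes through the path."""
    nat = PublicNatGateway(private_ip="10.0.1.20")
    igw = InternetGateway({"10.0.1.20": "198.51.100.7"})  # constructed EIP

    # 1. A private-subnet instance fetches updates from a package mirror.
    request = Packet("10.0.2.10", 40001, "203.0.113.5", 443, "GET /updates")
    on_wire = igw.egress(nat.outbound(request))  # what the mirror sees

    # 2. The mirror answers the EIP and port it saw; that matches the table.
    reply = Packet(on_wire.dst_ip, on_wire.dst_port,
                   on_wire.src_ip, on_wire.src_port, "200 OK")
    delivered = nat.inbound(igw.ingress(reply))

    # 3. A scanner tries SSH on the EIP: nothing inside asked, so no entry.
    scan = Packet("203.0.113.9", 55555, "198.51.100.7", 22, "SSH probe")
    scan_result = nat.inbound(igw.ingress(scan))

    # 4. Same NAT port as the download, but from a different remote host.
    spoof = Packet("203.0.113.9", 443, "198.51.100.7", on_wire.src_port, "fake")
    spoof_result = nat.inbound(igw.ingress(spoof))

    return {"on_wire": on_wire, "delivered": delivered, "scan": scan_result,
            "spoof": spoof_result, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the download leaving with the EIP as its source, the reply rewritten back to 10.0.2.10:40001, and both probes returning `None` because the table holds no entry for them. The fourth case is the part that matters for the question in the post: even a packet aimed at a port the gateway is actively using is dropped when it does not come from the remote endpoint the inside host contacted.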

NAT Gateways can also be private. A private NAT Gateway has no EIP and cannot send traffic to or receive traffic from the internet. It is used to connect private instances to other VPCs or to on-premises networks (for example through a transit gateway or virtual private gateway), translating their addresses to its own private IP, while the same connection-table rule prevents those networks from opening connections back to the instances.

As a point of reflection, I have previously come across the concept of Network Address Translation in a Communication and Networking course of my Master's program in Computer Science. But I had forgotten this while studying Private Subnets, so I still got confused. It's quite exciting to see how this concept is applied in real-world cloud computing.