About NAT Gateways

Network Address Translation (NAT) gateways enable instances in a Virtual Private Cloud (VPC) to indirectly connect to the Internet through a single public IP.

General Information

A NAT gateway sends and receives Internet traffic on behalf of one or more instances in a VPC. To do so, the NAT gateway translates the private IPs of the instances into a single External IP (EIP) when these instances communicate with the Internet.

Because your account has a limited quota of EIPs, a NAT gateway lets the instances in a VPC share a single public IP to access the Internet. For more information about EIPs, see External IPs (EIPs).

A NAT gateway can have the following states:

  • pending: The NAT gateway is being created.

  • available: The NAT gateway is ready to forward traffic.

  • deleting: The NAT gateway is being deleted.

  • deleted: The NAT gateway is deleted.

For more information about IP addressing in a VPC, see About VPCs > IP Addressing and Access to the Internet.


A NAT gateway is created in one subnet, but any subnet of the VPC can use it.

To route traffic from your instances to the Internet using the NAT gateway, you need to add the following routes:

  • In the route table of the subnet of the NAT gateway, a route directing traffic from the NAT gateway to the Internet using the Internet gateway as target.

  • In the route tables of the subnets of the instances, routes directing traffic from these instances to the Internet using the NAT gateway as target.
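One way to check these two routing rules, together with the gateway state, against an exported set of route tables. This is an added example, not part of the original documentation. The data model, the placeholder IDs and the `audit_nat_routing` helper are assumptions made for illustration, and every subnet other than the NAT gateway's is assumed to be meant to reach the Internet through the NAT gateway.

```python
# Constructed model (assumption): route tables keyed by subnet ID; each route
# is a (destination CIDR, target ID) pair. All IDs are made-up placeholders.
DEFAULT = "0.0.0.0/0"  # default route, i.e. "to the Internet"

def default_target(routes):
    """Return the target of the default route, or None if there is none."""
    for dest, target in routes:
        if dest == DEFAULT:
            return target
    return None

def audit_nat_routing(nat, igw_id, route_tables):
    """Return a list of findings; an empty list means both routing rules hold."""
    findings = []
    if nat["state"] != "available":
        findings.append(f"{nat['id']}: state is {nat['state']}, not forwarding traffic")
    if nat["subnet"] not in route_tables:
        findings.append(f"{nat['subnet']}: no route table found for the NAT gateway subnet")
    for subnet, routes in route_tables.items():
        target = default_target(routes)
        if subnet == nat["subnet"]:
            # Rule 1: the NAT gateway's own subnet must exit through the Internet gateway.
            if target != igw_id:
                findings.append(f"{subnet}: NAT subnet must route {DEFAULT} to {igw_id}, found {target}")
        elif target == igw_id:
            # Instances here go out directly instead of through the NAT gateway.
            findings.append(f"{subnet}: default route bypasses {nat['id']} (targets {igw_id})")
        elif target != nat["id"]:
            # Rule 2: instance subnets must use the NAT gateway as target.
            findings.append(f"{subnet}: default route should target {nat['id']}, found {target}")
    return findings

# Constructed sample input.
NAT = {"id": "nat-EXAMPLE", "subnet": "subnet-public", "state": "available"}
IGW = "igw-EXAMPLE"
GOOD = {
    "subnet-public": [("10.0.0.0/16", "local"), (DEFAULT, IGW)],
    "subnet-app": [("10.0.0.0/16", "local"), (DEFAULT, "nat-EXAMPLE")],
}
BAD = {
    "subnet-public": [("10.0.0.0/16", "local"), (DEFAULT, "nat-EXAMPLE")],  # points at itself
    "subnet-app": [("10.0.0.0/16", "local"), (DEFAULT, IGW)],               # bypasses the NAT
    "subnet-db": [("10.0.0.0/16", "local")],                                # no default route
}

if __name__ == "__main__":
    for line in audit_nat_routing(NAT, IGW, BAD):
        print(line)
```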

NAT Gateway Architecture

[Figure: general NAT gateway architecture]

In this architecture, ensure the security groups of the instances contain a rule allowing outbound flows to the Internet (either or a smaller range of IPs).
