- AWS Certified Advanced Networking:Specialty Exam Guide
- Marko Sluga
- 444 characters
- 2021-06-24 14:14:48
Connecting private subnets to the internet
To connect an IPv4 private subnet to the internet, we can use a NAT gateway. The NAT gateway will allow all outgoing traffic to pass to the internet and is used when we require the instances in the private subnet to access the internet.
This allows us to access external services even from the private network, such as the following:
- Retrieve operating system and application updates and patches
- Communicate with external services, such as payment gateways and processing tools
- Synchronize time with an external NTP service
- Access external DNS and other services
A NAT gateway has the following features:
- Supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps
- Supports up to 55,000 simultaneous TCP, UDP, and ICMP connections to each unique destination
- Exactly one Elastic IP address can be associated with a NAT gateway; once the gateway is created, that address cannot be disassociated from it
- A security group cannot be associated with a NAT gateway, but access can still be controlled at the instance level with security groups on the instances behind it
- A NAT gateway has an automatically assigned private IP address in your subnet, which can be viewed in the AWS Management Console
If the performance of a single NAT gateway is not sufficient, we can create multiple NAT gateways.
If we are using IPv6, we need an egress-only internet gateway instead. The egress-only internet gateway has all the characteristics of an internet gateway, with one difference: it blocks all incoming traffic to the IPv6 address space that we assign to our private subnet. We thus achieve the same kind of outbound-only operation as with an IPv4 NAT gateway, without the limitations that come with the NAT gateway.
There are also scenarios where neither the NAT gateway nor the egress-only internet gateway is the right solution: when a single instance must handle greater volumes of IPv4 traffic, or when we need to retain control over the IPv4 or IPv6 traffic being passed to the internet. In some environments, allowing all traffic out to the internet via a NAT gateway or egress-only gateway is not permitted, or would not comply with certain rules. In such cases we can spin up our own NAT instance running our own custom software. Our own NAT instances also let us perform additional traffic shaping and security checks, especially when packet inspection and firewalling software is installed on them. To control IPv6 traffic, such an instance uses routing rather than NAT and controls the flow of traffic at the firewall level.
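The route-table pattern behind both the managed gateways and the self-managed NAT instance can be checked mechanically. The following is an added example, not code from the book: it audits route tables that are supposed to serve private subnets and flags a default route that points at a regular internet gateway (which would make the subnet reachable inbound) or at a deleted target. The input entries mimic the shape of boto3's ec2.describe_route_tables() output; SAMPLE_TABLES and every id in it are constructed.

```python
# Added example, not the book's code: check the route tables of private subnets
# against the egress pattern described above. Entries mimic the shape of boto3's
# ec2.describe_route_tables()["RouteTables"]; SAMPLE_TABLES is constructed data.

def egress_target(route):
    """Classify what a route entry points at."""
    if route.get("State", "active") != "active":
        return "blackhole"          # target was deleted; egress is broken
    if route.get("NatGatewayId"):
        return "nat-gateway"        # managed IPv4 NAT
    if route.get("EgressOnlyInternetGatewayId"):
        return "egress-only-igw"    # IPv6 outbound only, inbound blocked
    if route.get("GatewayId", "").startswith("igw-"):
        return "internet-gateway"   # two-way: subnet is reachable inbound
    if route.get("NetworkInterfaceId") or route.get("InstanceId"):
        return "nat-instance"       # self-managed NAT / firewall instance
    return "other"

def audit_private_route_table(route_table):
    """Findings for a route table that should serve a private subnet: only
    0.0.0.0/0 -> NAT gateway/instance and ::/0 -> egress-only IGW (or a
    routing firewall instance) are accepted as default routes."""
    findings = []
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            family, allowed = "IPv4", {"nat-gateway", "nat-instance"}
        elif route.get("DestinationIpv6CidrBlock") == "::/0":
            family, allowed = "IPv6", {"egress-only-igw", "nat-instance"}
        else:
            continue                # local and specific routes are not checked
        target = egress_target(route)
        if target not in allowed:
            findings.append(f"{family} default route via {target}")
    return findings

SAMPLE_TABLES = {
    "rtb-private-ok": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0a1b2c3d", "State": "active"}]},
    "rtb-exposed": {"Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0a1b2c3d", "State": "active"}]},
    "rtb-broken": {"Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted", "State": "blackhole"}]},
}

def audit_all(route_tables=SAMPLE_TABLES):
    """Map route table id -> findings (empty list means it conforms)."""
    return {rt_id: audit_private_route_table(rt) for rt_id, rt in route_tables.items()}
```

Run the same function over the real `describe_route_tables()` result, restricted to the tables associated with your private subnets, to catch a private subnet that was accidentally given a public default route.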