AWS Internet Gateway vs NAT Gateway – Which One to Choose?
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.
IN TODAY'S EDITION
🧠 Use Case
AWS Internet Gateway vs NAT Gateway – Which One to Choose?
🚀 Top News
Amazon Aurora Serverless v2 now supports scaling to 0 Aurora Capacity Units (ACUs)
Automatically pause your database during inactivity to save costs, with seamless auto-resume when needed. Supported on Aurora PostgreSQL 13.15+, 14.12+, 15.7+, 16.3+, and Aurora MySQL 3.08+.
👀 Remote Jobs
Tabby is hiring a Senior DevOps Engineer
Remote Location: Worldwide
Nethermind is hiring an Infrastructure Engineer (IAM)
Remote Location: Worldwide
📚️ Resources
AWS, GCP, Kubernetes, Docker, CI/CD, APIs, SQL, PostgreSQL, MySQL, Hive, Impala, Kafka, Hadoop, Jenkins, GitHub, GitLab, BitBucket, Azure DevOps, TeamCity, .bashrc, .vimrc, .gitconfig...
How HTTPS works ...in a comic!
Have you ever wondered why a lock icon appears in your browser's URL bar, and why it matters? This comic is for you!
Step-by-Step Guide to Deploying ML Models with Docker
This guide walks you through creating a Dockerfile, building a container for your ML model, running predictions, and pushing the image to Docker Hub. Includes step-by-step commands and code examples!
🛠️ TOOL OF THE DAY
Jack - A tool for managing AWS Elastic Beanstalk environments, wrapping around the AWS EB CLI.
🧠 USE CASE
AWS Internet Gateway vs NAT Gateway – Which One to Choose?
We all know AWS Internet Gateway and NAT Gateway serve distinct purposes.
If I have to simplify:
Internet Gateway:
Allows instances in public subnets to access the internet.
Free to use, but EC2 data transfers incur charges.
One IGW per VPC and vice versa (one-to-one attachment).
Does not enable internet access by itself; route tables must be updated.
NAT Gateway:
Allows instances in private subnets to initiate outbound internet traffic. (Private Subnet → NATGW → IGW)
Created in a specific Availability Zone and uses an Elastic IP.
But there are overlaps and potential for confusion due to their similar roles in routing traffic.
1. Exposing Private Subnets by Using an Internet Gateway (IGW)
A common mistake occurs when a private subnet is configured with a route table pointing to an IGW instead of a NAT Gateway.
Impact:
Instances in the private subnet are directly accessible from the internet (if security groups or network ACLs permit).
Sensitive services, such as databases, are vulnerable to attack.
2. Redundant Use of NAT Gateway in Public Subnets
Deploying a NAT Gateway for the web layer in public subnets adds unnecessary complexity and cost. Public subnets already have direct outbound internet access via the IGW.
Impact:
Traffic from the web server to the internet is routed unnecessarily through the NAT Gateway, incurring:
Per-hour charges for the NAT Gateway.
Per-GB charges for data transfer through the NAT Gateway.
3. Incorrect Elastic IP Configuration for NAT Gateway
Users mistakenly assume that Elastic IPs attached to a NAT Gateway can be used for inbound internet traffic.
NAT Gateways are designed only for outbound traffic initiated by private instances.
Impact:
Inbound traffic to the NAT Gateway's Elastic IP is dropped because NAT Gateways do not support unsolicited inbound requests.
Leads to confusion, debugging effort, and delayed project timelines.
Use tools like curl or nc to verify connectivity from a private subnet instance through the NAT Gateway.
These Actionable Insights May Help:
1. Subnet Categorization:
Public subnets: Use IGW with route table entries pointing to IGW.
Private subnets: Use NGW with route table entries pointing to NGW.
2. Monitor Costs:
Use AWS Cost Explorer to identify high NAT Gateway usage.
Review whether data transfer through NAT Gateway is necessary or redundant.
3. Validate Security Groups and ACLs:
Avoid assigning overly permissive rules in private subnets, even if they use NAT Gateway.
Use aws ec2 describe-security-groups to audit rules.
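As an added example (not from the newsletter), the following Python audits where each subnet's default route actually goes and compares that with the tier the subnet is tagged as, which catches mistakes 1 and 2 above and checks the subnet categorization in insight 1. It assumes the records have the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-subnets` JSON output and that subnets carry an assumed `Tier` tag (public/private) recording the intended tier; the sample records are constructed.

```python
# Constructed samples in the shape of `aws ec2 describe-route-tables` /
# `aws ec2 describe-subnets` output. The Tier tag is an assumed convention that
# records which subnets are meant to be public or private.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],  # no SubnetId
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}]},
    {"RouteTableId": "rtb-web", "VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
    {"RouteTableId": "rtb-app", "VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-web", "VpcId": "vpc-1", "Tags": [{"Key": "Tier", "Value": "public"}]},
    {"SubnetId": "subnet-app", "VpcId": "vpc-1", "Tags": [{"Key": "Tier", "Value": "private"}]},
    {"SubnetId": "subnet-db", "VpcId": "vpc-1", "Tags": [{"Key": "Tier", "Value": "private"}]},
]


def default_route_target(route_table):
    """Return 'igw', 'nat', or None for the table's active 0.0.0.0/0 route."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State", "active") != "active":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if r.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return None


def audit_subnet_routes(route_tables, subnets):
    """Return (subnet_id, finding) pairs where the tagged tier and the default route disagree."""
    # Explicitly associated subnets use their own table; all others inherit the VPC main table.
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt.get("Associations", []) if a.get("SubnetId")}
    main_by_vpc = {rt["VpcId"]: rt for rt in route_tables
                   if any(a.get("Main") for a in rt.get("Associations", []))}
    findings = []
    for s in subnets:
        tier = {t["Key"]: t["Value"] for t in s.get("Tags", [])}.get("Tier")
        rt = explicit.get(s["SubnetId"]) or main_by_vpc.get(s["VpcId"])
        target = default_route_target(rt) if rt else None
        if tier == "private" and target == "igw":   # mistake 1: exposed private subnet
            findings.append((s["SubnetId"], "default route is an IGW; instances with public IPs are reachable from the internet"))
        elif tier == "public" and target == "nat":  # mistake 2: redundant NAT in a public subnet
            findings.append((s["SubnetId"], "default route is a NAT Gateway; redundant per-hour and per-GB charges"))
    return findings


if __name__ == "__main__":
    for subnet_id, msg in audit_subnet_routes(ROUTE_TABLES, SUBNETS):
        print(f"{subnet_id}: {msg}")
```

Against real accounts, feed the script the parsed JSON from the two CLI commands instead of the constructed lists; subnet-db is flagged because it has no explicit association and so inherits the main table's IGW route.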
NAT Gateways are expensive.
NAT Instances support is dead, and relying on random AMIs feels risky.
Any cheaper alternatives out there?
— Govardhana Miriyala Kannaiah (@govardhana_mk)
9:54 AM • Nov 21, 2024