A NAT gateway enables instances in a private subnet to initiate connections to the Internet, while hosts on the Internet cannot initiate a connection to those instances.
Private vs Public subnet
Instances in a public subnet can send outbound traffic directly to the Internet via an Internet Gateway (IGW), whereas instances in a private subnet cannot. Instead, instances in a private subnet reach the Internet through a NAT gateway that resides in a public subnet; the only difference between the two subnet types is what their route tables point 0.0.0.0/0 at.
A typical example is a public-facing web application (public subnet), while maintaining back-end servers (private subnets) that aren't publicly accessible.
As per the above diagram, instances in the public subnet have a route to the Internet via the IGW, and instances in the private subnet have a route to the Internet via the NAT gateway. Users on the Internet can also initiate inbound connections to instances in the public subnet using their public/Elastic IP addresses, provided the security groups and network ACLs allow it.
How does NAT gateway work?
To create a NAT gateway, you must specify the public subnet in which it should reside, and an Elastic IP address must be associated with it at creation time. Each NAT gateway is created in a specific Availability Zone and is implemented with redundancy within that zone only. As you can see above, the NAT gateway was created in AZ-1 / public subnet 1a.
A NAT gateway is of no use without an IGW attached to the VPC, and the public subnet hosting it must have a 0.0.0.0/0 route to that IGW. The traffic flow is Instance >> NAT Gateway >> IGW >> Internet, so the NAT gateway itself is only as reachable as the public subnet it sits in.
NAT Gateway HA scenario
A NAT gateway is highly available within one Availability Zone only. If resources in multiple Availability Zones share one NAT gateway and that NAT gateway's Availability Zone goes down, the resources in the other Availability Zones lose Internet access even though their own zone is healthy.
In our example above, if AZ 1a goes down, instances in the other AZs lose Internet access.
Depending on your business requirements and fault-tolerance design, create a NAT gateway in at least two Availability Zones, and give each private subnet its own route table that points 0.0.0.0/0 at the NAT gateway in the same AZ. A single shared private route table defeats the purpose, because all zones would still depend on one NAT gateway.
As you can see above, there is now a NAT gateway in each AZ, which provides fault tolerance against an AZ failure. Note that this doubles the NAT gateway hourly cost, and that cross-AZ data transfer charges apply if you get the route tables wrong.
NAT Gateway HA deployment using Terraform
Suresh-MacBook:NAT HA suresh$ tree
0 directories, 5 files
As you can see above, the private subnet in AZ-1 has a route to the Internet via the NAT gateway in the same AZ, and the private subnet in AZ-2 likewise routes via its own NAT gateway.
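The following Terraform configuration is an added example that is not one of the five files from the author's listing above. It builds the layout described in the "How does NAT gateway work?" and "NAT Gateway HA scenario" sections: one IGW, one public and one private subnet per AZ, one Elastic IP and NAT gateway per AZ, and one private route table per AZ so no private subnet ever depends on a NAT gateway in another zone. The region, AZ list, CIDRs and resource names are assumptions for illustration. The precondition on the private route table association makes a plan fail if the AZ alignment is ever broken, which is the failure mode the HA section warns about.

```hcl
# Added example (not the post's own files). Region, AZs, CIDRs and names are assumed.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed
}

locals {
  azs      = ["us-east-1a", "us-east-1b"] # assumed; add zones as required
  vpc_cidr = "10.0.0.0/16"                # assumed
}

resource "aws_vpc" "main" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "nat-ha" }
}

# One IGW per VPC; every NAT gateway's path to the Internet goes through it.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# One public and one private subnet per AZ, keyed by AZ name.
resource "aws_subnet" "public" {
  for_each                = toset(local.azs)
  vpc_id                  = aws_vpc.main.id
  availability_zone       = each.key
  cidr_block              = cidrsubnet(local.vpc_cidr, 8, index(local.azs, each.key))
  map_public_ip_on_launch = true
  tags                    = { Name = "public-${each.key}" }
}

resource "aws_subnet" "private" {
  for_each          = toset(local.azs)
  vpc_id            = aws_vpc.main.id
  availability_zone = each.key
  cidr_block        = cidrsubnet(local.vpc_cidr, 8, 100 + index(local.azs, each.key))
  tags              = { Name = "private-${each.key}" }
}

# Public route table: 0.0.0.0/0 -> IGW. Sharing one across public subnets is fine,
# because the IGW is a VPC-wide object with no AZ affinity.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  for_each       = aws_subnet.public
  subnet_id      = each.value.id
  route_table_id = aws_route_table.public.id
}

# One Elastic IP and one NAT gateway per AZ, each placed in that AZ's public subnet.
resource "aws_eip" "nat" {
  for_each = toset(local.azs)
  domain   = "vpc"
}

resource "aws_nat_gateway" "nat" {
  for_each      = toset(local.azs)
  allocation_id = aws_eip.nat[each.key].id
  subnet_id     = aws_subnet.public[each.key].id
  depends_on    = [aws_internet_gateway.igw] # the NAT gateway is useless before the IGW exists
  tags          = { Name = "nat-${each.key}" }
}

# One private route table per AZ: 0.0.0.0/0 -> the NAT gateway in the same AZ.
resource "aws_route_table" "private" {
  for_each = toset(local.azs)
  vpc_id   = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat[each.key].id
  }
}

resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private[each.key].id

  lifecycle {
    # Refuse to plan a private subnet whose default route would cross into another AZ.
    precondition {
      condition     = each.value.availability_zone == aws_subnet.public[each.key].availability_zone
      error_message = "Private subnet ${each.key} must route through the NAT gateway in its own AZ."
    }
  }
}
```

Adding a third AZ is a one-line change to local.azs; every per-AZ resource follows because they are all keyed by the same set. If you later consolidate to a single private route table to save effort, the precondition is the thing that stops the consolidation from silently reintroducing the single-AZ dependency.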
Thanks for reading
As always, your feedback and comments are more than welcome.