AWS NAT Gateway High Availability


What is a NAT Gateway?

NAT Gateway enables instances in a private subnet to connect to the Internet but external services cannot initiate a connection with those instances.

Why does High Availability matter?

High availability is crucial for any infrastructure setup, ensuring the continuity and stability of your services. In the context of AWS, achieving high availability for your NAT Gateway means that even if one Availability Zone (AZ) experiences an outage, your instances can continue to access the internet without any interruptions.

Private vs Public subnet

The instances in the public subnet can send outbound traffic directly to the Internet via Internet Gateway (IGW), whereas the instances in the private subnet can't. Instead, the instances in the private subnet can access the Internet by using a NAT gateway that resides in the public subnet.

A typical example is a public-facing web application (public subnet) where the inbound/outbound traffic is routed via the IGW. Back-end servers on the other hand are not publically accessible however, they can still reach out to the Internet for downloading packages or updating OS.

diagram - public vs private subnet

As per the above diagram, instances in the public subnet have routes to the Internet via IGW. Instances in the private subnet have routes to the Internet via NAT gateway. Users on the Internet can also initiate inbound connections to the instances in the public subnet using their public/elastic IP.

How does the NAT gateway work?

Public NAT Gateway
To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. An elastic IP address has to be associated with a NAT gateway when it is created. Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. As you can see above, the NAT gateway was created in AZ-1/public subnet 1a.

The NAT gateway replaces the source IP address of the instances with the IP address of the NAT gateway. For a public NAT gateway, this is the elastic IP address of the NAT gateway.

As of June 2021, AWS Removes NAT Gateway’s dependence on Internet Gateway for Private Communications. You can now launch NAT Gateways in your VPC without associating an IGW to your VPC.

Private NAT Gateway
A private NAT Gateway does not require Elastic IP and you do not need to attach an IGW with your VPC. Instances in private subnets can connect to other VPCs or on-premises networks through a private NAT gateway.

You can route traffic from the NAT gateway through a transit gateway or a virtual private gateway. You cannot associate an elastic IP address with a private NAT gateway. You can attach an Internet gateway to a VPC with a private NAT gateway, but if you route traffic from the private NAT gateway to the internet gateway, the Internet gateway will drop the traffic.

public vs private NAT gateway

NAT Gateway HA scenario

NAT Gateway is Highly Available in one Availability Zone, If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose Internet access.

In our example above, if AZ 1a goes down,  instances in other AZs lose Internet Access.

Depending on your business requirement and fault-tolerant architecture, make sure to create NAT Gateways in at least two Availability Zones.

3 x NAT Gateway

As you can see above, now we have NAT Gateways in each AZ which provide fault-tolerance against AZ failures.


NAT gateways - Amazon Virtual Private Cloud
Use a NAT gateway in a public VPC subnet to enable outbound internet traffic from instances in a private subnet.

Thanks for reading

As always, your feedback and comments are more than welcome.

Written by
Suresh Vina
Tech enthusiast sharing Networking, Cloud & Automation insights. Join me in a welcoming space to learn & grow with simplicity and practicality.
More from Packetswitch
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Packetswitch.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.