NAT Gateways VPC Demo

In this walkthrough, you’ll learn how to configure an AWS NAT Gateway to enable internet access for EC2 instances in a private subnet—while preventing unsolicited inbound connections from the internet. By the end, only instances that initiate outbound requests will receive responses.

1. Create a New VPC

Open the VPC console and select Create VPC.
Enter a Name tag (e.g., demo-vpc) and set the IPv4 CIDR block to 10.0.0.0/16.
Leave IPv6 settings disabled and click Create.

The image shows the AWS Management Console interface for creating a VPC, with options for setting the name tag, IPv4 CIDR block, and other configurations.

2. Create a Private Subnet

This subnet will host your EC2 instance without a public IP.

Name: private-subnet
Availability Zone: e.g., us-east-1b
IPv4 CIDR block: 10.0.1.0/24

The image shows the AWS Management Console interface for creating a subnet within a VPC. It includes fields for VPC ID, subnet name, availability zone, and IPv4 CIDR block.

3. Launch an EC2 Instance in the Private Subnet

Navigate to the EC2 console → Launch Instance.
Select the Amazon Linux 2 AMI (or your preferred AMI).
Under Network settings:
- Choose your demo-vpc and the private-subnet.
- Disable Auto-assign Public IP.
Configure or select a security group (default settings are fine).
Review and Launch. Name it private-server.

Because there’s no public IP, the instance cannot be reached directly from the internet.

The image shows an AWS EC2 instance launch configuration screen, detailing network settings, security group options, and a summary of the instance specifications.

4. Create and Attach an Internet Gateway

An Internet Gateway (IGW) is required to give public subnets internet access.

In the VPC console, go to Internet Gateways → Create Internet Gateway.
Name it my-igw and click Create.
Select the new IGW → Actions → Attach to VPC → choose demo-vpc.

The image shows an AWS Management Console screen displaying the "Internet gateways" section, with one internet gateway listed as attached to a VPC.

5. Create a Public Subnet

This subnet will host the NAT Gateway and must have a route to the IGW.

Name: public-subnet
Availability Zone: same or different (e.g., us-east-1b)
IPv4 CIDR block: 10.0.2.0/24

The image shows an AWS VPC dashboard with a notification indicating the successful creation of a subnet. The subnet details, including its ID and availability, are displayed.

6. Configure Route Tables

You need two route tables: one public and one private.

Separate route tables help isolate internet-facing and internal traffic.

Route Table Name	Associated Subnet	Default Route Target
public-route-table	public-subnet	Internet Gateway (`my-igw`)
private-route-table	private-subnet	(added after NAT creation)

Steps

Create public-route-table → select demo-vpc → Create.
Edit routes → Add route 0.0.0.0/0 → Target: Internet Gateway → choose my-igw → Save.
Associate with public-subnet.
Create private-route-table → select demo-vpc → Create.
Associate with private-subnet (no default route yet).

The image shows an AWS Management Console screen displaying details of a VPC route table, including route entries and their statuses. The route table has two routes, one for internet gateway access and another for local network access, both marked as active.

7. Deploy a NAT Gateway

In a public subnet, NAT Gateways allow private instances to access the internet securely.

Go to NAT Gateways → Create NAT Gateway.
Name it my-nat-gateway.
Subnet: public-subnet.
Allocate a new Elastic IP.
Click Create NAT Gateway.

The image shows an AWS Management Console screen displaying details of a newly created NAT gateway, which is currently in a pending state.

You can also use the AWS CLI:

aws ec2 create-nat-gateway \
  --subnet-id <public-subnet-id> \
  --allocation-id <eip-allocation-id>

8. Update the Private Route Table

After the NAT Gateway becomes available:

Open private-route-table → Edit routes.
Add route 0.0.0.0/0 → Target: NAT Gateway → select my-nat-gateway.
Save.

Now, instances in private-subnet will send outbound traffic through the NAT Gateway while remaining inaccessible from the internet.

9. Plan for High Availability

NAT Gateways are zonal resources. To avoid a single point of failure:

Deploy one NAT Gateway per Availability Zone.
Update each private route table to point to the NAT Gateway in its own AZ.

If the AZ with your NAT Gateway goes down, all instances using it lose internet access.

The image shows an AWS Management Console screen displaying details of a public subnet within a Virtual Private Cloud (VPC). It includes information such as the subnet ID, state, IPv4 CIDR, and availability zone.

Introduction

Core Networking Services

Transit Networks

Edge Networks

NAT Gateways VPC Demo

1. Create a New VPC

2. Create a Private Subnet

3. Launch an EC2 Instance in the Private Subnet

4. Create and Attach an Internet Gateway

5. Create a Public Subnet

6. Configure Route Tables

Steps

7. Deploy a NAT Gateway

8. Update the Private Route Table

9. Plan for High Availability

Links and References

Watch Video

Introduction

Core Networking Services

Transit Networks

Edge Networks

​1. Create a New VPC

​2. Create a Private Subnet

​3. Launch an EC2 Instance in the Private Subnet

​4. Create and Attach an Internet Gateway

​5. Create a Public Subnet

​6. Configure Route Tables

​Steps

​7. Deploy a NAT Gateway

​8. Update the Private Route Table

​9. Plan for High Availability

​Links and References

Watch Video

1. Create a New VPC

2. Create a Private Subnet

3. Launch an EC2 Instance in the Private Subnet

4. Create and Attach an Internet Gateway

5. Create a Public Subnet

6. Configure Route Tables

Steps

7. Deploy a NAT Gateway

8. Update the Private Route Table

9. Plan for High Availability

Links and References