Bird
Raised Fist0
AWScloud~5 mins

NAT Gateway for private subnet internet in AWS - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Sometimes, servers in a private network need to access the internet without exposing themselves directly. A NAT Gateway helps these private servers connect to the internet safely by acting as a middleman.
When you have servers in a private subnet that need to download updates or access external services.
When you want to keep your database servers private but allow them to reach the internet for backups.
When you want to control internet access for private resources without giving them public IP addresses.
When you want to improve security by isolating private servers from direct internet exposure.
When you need a scalable and managed way to provide internet access to private subnets.
Config File - main.tf
main.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
  tags = {
    Name = "example-vpc"
  }
}

resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.example.id
  cidr_block        = "10.0.1.0/24"
  map_public_ip_on_launch = true
  availability_zone = "us-east-1a"
  tags = {
    Name = "public-subnet"
  }
}

resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.example.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1a"
  tags = {
    Name = "private-subnet"
  }
}

resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.example.id
  tags = {
    Name = "example-igw"
  }
}

resource "aws_eip" "nat" {
  vpc = true
  tags = {
    Name = "example-nat-eip"
  }
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  tags = {
    Name = "example-nat-gateway"
  }
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.example.id
  tags = {
    Name = "public-route-table"
  }
}

resource "aws_route_table_association" "public_assoc" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route" "public_internet_access" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.gw.id
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.example.id
  tags = {
    Name = "private-route-table"
  }
}

resource "aws_route_table_association" "private_assoc" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

resource "aws_route" "private_nat_gateway" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}

This Terraform file creates a VPC with one public and one private subnet. It sets up an Internet Gateway for the public subnet and a NAT Gateway in the public subnet with an Elastic IP. The public route table routes internet traffic to the Internet Gateway. The private route table routes internet traffic through the NAT Gateway, allowing private subnet resources to access the internet safely.

Commands
This command initializes Terraform, downloading necessary plugins and preparing the working directory.
Terminal
terraform init
Expected OutputExpected
Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/aws... - Installing hashicorp/aws v4.0.0... - Installed hashicorp/aws v4.0.0 (signed by HashiCorp) Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure.
This command applies the Terraform configuration, creating all the resources defined in the file automatically without asking for confirmation.
Terminal
terraform apply -auto-approve
Expected OutputExpected
aws_vpc.example: Creating... aws_vpc.example: Creation complete after 2s [id=vpc-0abcd1234efgh5678] aws_subnet.public: Creating... aws_subnet.private: Creating... aws_subnet.public: Creation complete after 1s [id=subnet-0abcd1234efgh5678] aws_subnet.private: Creation complete after 1s [id=subnet-0abcd1234efgh5679] aws_internet_gateway.gw: Creating... aws_eip.nat: Creating... aws_internet_gateway.gw: Creation complete after 1s [id=igw-0abcd1234efgh5678] aws_eip.nat: Creation complete after 1s [id=eipalloc-0abcd1234efgh5678] aws_nat_gateway.nat: Creating... aws_nat_gateway.nat: Creation complete after 30s [id=nat-0abcd1234efgh5678] aws_route_table.public: Creating... aws_route_table.private: Creating... aws_route_table.public: Creation complete after 1s [id=rtb-0abcd1234efgh5678] aws_route_table.private: Creation complete after 1s [id=rtb-0abcd1234efgh5679] aws_route_table_association.public_assoc: Creating... aws_route_table_association.private_assoc: Creating... aws_route_table_association.public_assoc: Creation complete after 1s [id=rtbassoc-0abcd1234efgh5678] aws_route_table_association.private_assoc: Creation complete after 1s [id=rtbassoc-0abcd1234efgh5679] aws_route.public_internet_access: Creating... aws_route.private_nat_gateway: Creating... aws_route.public_internet_access: Creation complete after 1s [id=r-rtb-0abcd1234efgh5678_0] aws_route.private_nat_gateway: Creation complete after 1s [id=r-rtb-0abcd1234efgh5679_0] Apply complete! Resources: 13 added, 0 changed, 0 destroyed.
-auto-approve - Automatically approve the apply without interactive confirmation
This AWS CLI command checks the NAT Gateway created in the VPC to verify it exists and is available.
Terminal
aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=vpc-0abcd1234efgh5678
Expected OutputExpected
{ "NatGateways": [ { "NatGatewayId": "nat-0abcd1234efgh5678", "VpcId": "vpc-0abcd1234efgh5678", "State": "available", "SubnetId": "subnet-0abcd1234efgh5678", "NatGatewayAddresses": [ { "PublicIp": "54.210.123.45", "AllocationId": "eipalloc-0abcd1234efgh5678" } ] } ] }
--filter - Filters the NAT Gateways by VPC ID
This command lists the route tables in the VPC to confirm the private subnet routes internet traffic through the NAT Gateway.
Terminal
aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-0abcd1234efgh5678
Expected OutputExpected
{ "RouteTables": [ { "RouteTableId": "rtb-0abcd1234efgh5679", "VpcId": "vpc-0abcd1234efgh5678", "Routes": [ { "DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active", "Origin": "CreateRouteTable" }, { "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abcd1234efgh5678", "State": "active", "Origin": "CreateRoute" } ] } ] }
--filters - Filters route tables by VPC ID
Key Concept

If you remember nothing else from this pattern, remember: a NAT Gateway lets private subnet servers safely access the internet without exposing them directly.

Common Mistakes
Placing the NAT Gateway in the private subnet instead of the public subnet
The NAT Gateway needs a public IP to route traffic to the internet, which private subnets do not have.
Always create the NAT Gateway in a public subnet that has internet access.
Not updating the private subnet's route table to use the NAT Gateway
Without this route, private subnet servers cannot send internet-bound traffic through the NAT Gateway.
Add a route in the private subnet's route table directing 0.0.0.0/0 traffic to the NAT Gateway.
Not allocating an Elastic IP for the NAT Gateway
The NAT Gateway requires an Elastic IP to have a stable public IP address for internet access.
Create and associate an Elastic IP with the NAT Gateway.
Summary
Initialize Terraform to prepare the environment with 'terraform init'.
Apply the configuration to create VPC, subnets, Internet Gateway, NAT Gateway, and route tables with 'terraform apply -auto-approve'.
Verify the NAT Gateway exists and is available using AWS CLI.
Check that the private subnet route table directs internet traffic through the NAT Gateway.

Practice

(1/5)
1. What is the main purpose of a NAT Gateway in AWS for private subnets?
easy
A. To block all internet traffic from private subnets
B. To provide direct internet access to public subnets
C. To assign public IP addresses to private subnet instances
D. To allow instances in private subnets to access the internet securely

Solution

  1. Step 1: Understand NAT Gateway role

    A NAT Gateway enables instances in private subnets to initiate outbound internet traffic while preventing inbound internet connections.

  2. Step 2: Compare options

    Only To allow instances in private subnets to access the internet securely correctly describes this purpose; others describe unrelated or incorrect functions.

  3. Final Answer:

    To allow instances in private subnets to access the internet securely -> Option D

  4. Quick Check:

    NAT Gateway purpose = Allow private subnet internet access [OK]
Hint: NAT Gateway = private subnet internet access [OK]
Common Mistakes:
  • Confusing NAT Gateway with Internet Gateway
  • Thinking NAT Gateway assigns public IPs
  • Believing NAT Gateway blocks internet traffic
2. Which AWS resource must a NAT Gateway be associated with to provide internet access for private subnets?
easy
A. An Elastic IP in a public subnet
B. A private IP in a private subnet
C. A security group allowing inbound SSH
D. A VPC endpoint for S3

Solution

  1. Step 1: Identify NAT Gateway placement

    NAT Gateway must be placed in a public subnet and associated with an Elastic IP to route internet traffic.

  2. Step 2: Evaluate options

    Only An Elastic IP in a public subnet correctly states the Elastic IP in a public subnet; others are unrelated or incorrect.

  3. Final Answer:

    An Elastic IP in a public subnet -> Option A

  4. Quick Check:

    NAT Gateway needs Elastic IP in public subnet [OK]
Hint: NAT Gateway needs Elastic IP in public subnet [OK]
Common Mistakes:
  • Placing NAT Gateway in private subnet
  • Associating NAT Gateway with private IP
  • Confusing security groups with subnet placement
3. Given a private subnet with route table entry 0.0.0.0/0 -> NAT Gateway, what happens when an instance in this subnet tries to access the internet?
medium
A. Traffic is blocked because private subnets cannot access the internet
B. Traffic goes directly to the Internet Gateway
C. Traffic is routed through the NAT Gateway to the internet
D. Traffic is routed to the VPC endpoint

Solution

  1. Step 1: Analyze route table entry

    The route 0.0.0.0/0 -> NAT Gateway directs all internet-bound traffic from the private subnet to the NAT Gateway.

  2. Step 2: Understand traffic flow

    The NAT Gateway forwards traffic to the internet, allowing outbound access while hiding private IPs.

  3. Final Answer:

    Traffic is routed through the NAT Gateway to the internet -> Option C

  4. Quick Check:

    Route 0.0.0.0/0 to NAT Gateway = internet access [OK]
Hint: Route 0.0.0.0/0 to NAT Gateway = internet access [OK]
Common Mistakes:
  • Assuming private subnet traffic goes directly to Internet Gateway
  • Thinking private subnet traffic is blocked by default
  • Confusing VPC endpoint with internet routing
4. You created a NAT Gateway in a public subnet but instances in the private subnet cannot access the internet. What is the most likely cause?
medium
A. The private subnet has a public IP assigned
B. The private subnet route table does not have a route to the NAT Gateway
C. The Internet Gateway is not attached to the VPC
D. The NAT Gateway is missing an Elastic IP

Solution

  1. Step 1: Check route table configuration

    Instances in private subnets need a route directing internet traffic (0.0.0.0/0) to the NAT Gateway.

  2. Step 2: Identify missing route issue

    If this route is missing, traffic won't reach the NAT Gateway, causing no internet access.

  3. Final Answer:

    The private subnet route table does not have a route to the NAT Gateway -> Option B

  4. Quick Check:

    Missing route to NAT Gateway = no internet [OK]
Hint: Check private subnet route table for NAT Gateway route [OK]
Common Mistakes:
  • Ignoring route table routes
  • Assuming Elastic IP is optional
  • Confusing Internet Gateway attachment with NAT Gateway routing
5. You want to allow instances in a private subnet to access the internet for software updates but prevent inbound internet traffic. Which setup is correct?
hard
A. Place a NAT Gateway in a public subnet with an Elastic IP and route private subnet traffic (0.0.0.0/0) to it
B. Assign public IPs to private subnet instances and route traffic through the Internet Gateway
C. Place a NAT Gateway in the private subnet and route traffic to it
D. Use a VPC endpoint for internet access

Solution

  1. Step 1: Understand NAT Gateway placement and function

    NAT Gateway must be in a public subnet with an Elastic IP to allow outbound internet access for private subnet instances without exposing them to inbound traffic.

  2. Step 2: Evaluate options for security and functionality

    Place a NAT Gateway in a public subnet with an Elastic IP and route private subnet traffic (0.0.0.0/0) to it correctly describes this setup. Assign public IPs to private subnet instances and route traffic through the Internet Gateway exposes instances publicly. Place a NAT Gateway in the private subnet and route traffic to it places NAT Gateway incorrectly. Use a VPC endpoint for internet access does not provide internet access.

  3. Final Answer:

    Place a NAT Gateway in a public subnet with an Elastic IP and route private subnet traffic (0.0.0.0/0) to it -> Option A

  4. Quick Check:

    NAT Gateway in public subnet + route private subnet = secure internet access [OK]
Hint: NAT Gateway in public subnet with route from private subnet [OK]
Common Mistakes:
  • Assigning public IPs to private subnet instances
  • Placing NAT Gateway in private subnet
  • Using VPC endpoint for general internet access