Bird
Raised Fist0
AWScloud~5 mins

NAT Gateway for private subnet internet in AWS - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is a NAT Gateway in AWS?
A NAT Gateway is a service that allows instances in a private subnet to access the internet or other AWS services, while preventing inbound internet traffic to those instances.
Click to reveal answer
beginner
Why do private subnets need a NAT Gateway to access the internet?
Private subnets do not have direct internet access. A NAT Gateway enables outbound internet traffic from private subnets by routing requests through it, while keeping the subnet secure from inbound internet traffic.
Click to reveal answer
intermediate
Where should you place a NAT Gateway in your AWS VPC?
You should place the NAT Gateway in a public subnet with a route to an Internet Gateway. This allows it to forward traffic from private subnets to the internet.
Click to reveal answer
intermediate
How do you configure route tables for private subnets to use a NAT Gateway?
In the private subnet's route table, add a default route (0.0.0.0/0) that points to the NAT Gateway's ID. This directs outbound internet traffic through the NAT Gateway.
Click to reveal answer
advanced
What is the difference between a NAT Gateway and a NAT Instance?
A NAT Gateway is a managed AWS service that is highly available and scales automatically. A NAT Instance is a user-managed EC2 instance that requires manual scaling and maintenance.
Click to reveal answer
Where should a NAT Gateway be placed in an AWS VPC?
AIn a private subnet
BIn a VPN Gateway
CIn the Internet Gateway
DIn a public subnet
What does a NAT Gateway allow instances in a private subnet to do?
AAccess the internet for outbound traffic
BDirectly connect to other VPCs
CReceive inbound internet traffic
DHost public websites
Which route should be added to a private subnet's route table to use a NAT Gateway?
A0.0.0.0/0 to NAT Gateway
BSpecific IP range to NAT Gateway
CLocal route only
D0.0.0.0/0 to Internet Gateway
What is a key advantage of using a NAT Gateway over a NAT Instance?
ARuns on EC2 instances
BRequires manual scaling
CIs managed and scales automatically
DAllows inbound internet traffic
Can a NAT Gateway be used to allow inbound internet traffic to private subnet instances?
AYes, it allows inbound traffic
BNo, it only allows outbound traffic
COnly if configured with security groups
DOnly for HTTPS traffic
Explain how a NAT Gateway enables internet access for instances in a private subnet.
Think about where the NAT Gateway lives and how routes direct traffic.
You got /4 concepts.
    Describe the differences between a NAT Gateway and a NAT Instance in AWS.
    Consider ease of use and reliability.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main purpose of a NAT Gateway in AWS for private subnets?
      easy
      A. To block all internet traffic from private subnets
      B. To provide direct internet access to public subnets
      C. To assign public IP addresses to private subnet instances
      D. To allow instances in private subnets to access the internet securely

      Solution

      1. Step 1: Understand NAT Gateway role

        A NAT Gateway enables instances in private subnets to initiate outbound internet traffic while preventing inbound internet connections.

      2. Step 2: Compare options

        Only To allow instances in private subnets to access the internet securely correctly describes this purpose; others describe unrelated or incorrect functions.

      3. Final Answer:

        To allow instances in private subnets to access the internet securely -> Option D

      4. Quick Check:

        NAT Gateway purpose = Allow private subnet internet access [OK]
      Hint: NAT Gateway = private subnet internet access [OK]
      Common Mistakes:
      • Confusing NAT Gateway with Internet Gateway
      • Thinking NAT Gateway assigns public IPs
      • Believing NAT Gateway blocks internet traffic
      2. Which AWS resource must a NAT Gateway be associated with to provide internet access for private subnets?
      easy
      A. An Elastic IP in a public subnet
      B. A private IP in a private subnet
      C. A security group allowing inbound SSH
      D. A VPC endpoint for S3

      Solution

      1. Step 1: Identify NAT Gateway placement

        NAT Gateway must be placed in a public subnet and associated with an Elastic IP to route internet traffic.

      2. Step 2: Evaluate options

        Only An Elastic IP in a public subnet correctly states the Elastic IP in a public subnet; others are unrelated or incorrect.

      3. Final Answer:

        An Elastic IP in a public subnet -> Option A

      4. Quick Check:

        NAT Gateway needs Elastic IP in public subnet [OK]
      Hint: NAT Gateway needs Elastic IP in public subnet [OK]
      Common Mistakes:
      • Placing NAT Gateway in private subnet
      • Associating NAT Gateway with private IP
      • Confusing security groups with subnet placement
      3. Given a private subnet with route table entry 0.0.0.0/0 -> NAT Gateway, what happens when an instance in this subnet tries to access the internet?
      medium
      A. Traffic is blocked because private subnets cannot access the internet
      B. Traffic goes directly to the Internet Gateway
      C. Traffic is routed through the NAT Gateway to the internet
      D. Traffic is routed to the VPC endpoint

      Solution

      1. Step 1: Analyze route table entry

        The route 0.0.0.0/0 -> NAT Gateway directs all internet-bound traffic from the private subnet to the NAT Gateway.

      2. Step 2: Understand traffic flow

        The NAT Gateway forwards traffic to the internet, allowing outbound access while hiding private IPs.

      3. Final Answer:

        Traffic is routed through the NAT Gateway to the internet -> Option C

      4. Quick Check:

        Route 0.0.0.0/0 to NAT Gateway = internet access [OK]
      Hint: Route 0.0.0.0/0 to NAT Gateway = internet access [OK]
      Common Mistakes:
      • Assuming private subnet traffic goes directly to Internet Gateway
      • Thinking private subnet traffic is blocked by default
      • Confusing VPC endpoint with internet routing
      4. You created a NAT Gateway in a public subnet but instances in the private subnet cannot access the internet. What is the most likely cause?
      medium
      A. The private subnet has a public IP assigned
      B. The private subnet route table does not have a route to the NAT Gateway
      C. The Internet Gateway is not attached to the VPC
      D. The NAT Gateway is missing an Elastic IP

      Solution

      1. Step 1: Check route table configuration

        Instances in private subnets need a route directing internet traffic (0.0.0.0/0) to the NAT Gateway.

      2. Step 2: Identify missing route issue

        If this route is missing, traffic won't reach the NAT Gateway, causing no internet access.

      3. Final Answer:

        The private subnet route table does not have a route to the NAT Gateway -> Option B

      4. Quick Check:

        Missing route to NAT Gateway = no internet [OK]
      Hint: Check private subnet route table for NAT Gateway route [OK]
      Common Mistakes:
      • Ignoring route table routes
      • Assuming Elastic IP is optional
      • Confusing Internet Gateway attachment with NAT Gateway routing
      5. You want to allow instances in a private subnet to access the internet for software updates but prevent inbound internet traffic. Which setup is correct?
      hard
      A. Place a NAT Gateway in a public subnet with an Elastic IP and route private subnet traffic (0.0.0.0/0) to it
      B. Assign public IPs to private subnet instances and route traffic through the Internet Gateway
      C. Place a NAT Gateway in the private subnet and route traffic to it
      D. Use a VPC endpoint for internet access

      Solution

      1. Step 1: Understand NAT Gateway placement and function

        NAT Gateway must be in a public subnet with an Elastic IP to allow outbound internet access for private subnet instances without exposing them to inbound traffic.

      2. Step 2: Evaluate options for security and functionality

        Place a NAT Gateway in a public subnet with an Elastic IP and route private subnet traffic (0.0.0.0/0) to it correctly describes this setup. Assign public IPs to private subnet instances and route traffic through the Internet Gateway exposes instances publicly. Place a NAT Gateway in the private subnet and route traffic to it places NAT Gateway incorrectly. Use a VPC endpoint for internet access does not provide internet access.

      3. Final Answer:

        Place a NAT Gateway in a public subnet with an Elastic IP and route private subnet traffic (0.0.0.0/0) to it -> Option A

      4. Quick Check:

        NAT Gateway in public subnet + route private subnet = secure internet access [OK]
      Hint: NAT Gateway in public subnet with route from private subnet [OK]
      Common Mistakes:
      • Assigning public IPs to private subnet instances
      • Placing NAT Gateway in private subnet
      • Using VPC endpoint for general internet access