Internet Gateway and Route Table — Where Public/Private Subnets Are Decided
Whether a subnet is "public" or "private" is decided by routing, not by labels. Once we understand how Internet Gateway (IGW), NAT Gateway, route tables, and VPC endpoints combine, the meaning of subnet design becomes clear.
1. About the building blocks
| Component | Role |
|---|---|
| Internet Gateway (IGW) | A horizontally scalable gateway that connects a VPC to the internet. Bidirectional. |
| NAT Gateway | Outbound-only NAT for private subnets. AWS managed. |
| NAT Instance | EC2-based NAT. Older · self-operated. |
| Route Table | Decides traffic destinations per subnet. |
| VPC Endpoint | A private path to AWS services (bypassing the internet). |
2. Internet Gateway
One per VPC. The IGW itself is not connected to subnets — when a route table's default route (0.0.0.0/0) points at the IGW, subnets associated with that route table become "public subnets."
There is one more requirement: the instance needs a public IP (or EIP) for inbound to work. Simply pointing the route table at the IGW does not let outside traffic in.
3. NAT Gateway · NAT Instance
Used when private-subnet instances need outbound (package downloads, external API calls). NAT does not allow inbound.
| Item | NAT Gateway | NAT Instance |
|---|---|---|
| Operations | AWS managed | Self-operated (EC2 + iptables) |
| Availability | Managed within an AZ | Single instance = SPOF |
| Throughput | Auto-scaling | Per instance spec |
| Cost | Hours + GB | EC2 hours + data |
NAT Gateway is the standard in production. NAT Instance is for cost optimization or experimentation.
4. Route Table
A route table is a collection of (destination, target) pairs.
| Destination | Target |
|---|---|
| 10.0.0.0/16 (VPC CIDR) | local (auto, not deletable) |
| 0.0.0.0/0 | igw-xxxx (public subnet) |
| 0.0.0.0/0 | nat-xxxx (private subnet) |
| pl-xxxx (S3 prefix list) | vpce-xxxx (Gateway endpoint) |
The most specific route (longest prefix match) wins. 10.0.0.0/16 → local always exists, so traffic within the same VPC never crosses the internet.
5. The mechanics of public vs private
Public subnet
└── route table: 0.0.0.0/0 → IGW
Private subnet (with NAT)
└── route table: 0.0.0.0/0 → NAT Gateway (in public subnet)
Isolated subnet
└── route table: (no default route. same VPC only)
The NAT Gateway itself must reside in a public subnet (with an EIP attached, sending outbound through the IGW). Private subnet route tables then point their default route at that NAT's ID.
6. VPC Endpoint
A private path so traffic from the VPC to AWS services (S3 · DynamoDB · SQS · KMS) does not traverse the internet.
| Type | Notes |
|---|---|
| Gateway endpoint | S3 · DynamoDB only. Adds a prefix list to the route table. Free. |
| Interface endpoint (PrivateLink) | Most AWS services. Creates an ENI. Bills by hour and GB. |
Instead of routing private-subnet traffic to S3 through a NAT Gateway, a Gateway endpoint reduces both cost and latency.
7. Egress-only IGW (IPv6)
IPv6 has no NAT concept. To let private IPv6 send outbound only and block inbound, we use an Egress-only IGW. It is similar in meaning to IPv4's NAT Gateway, but the price and behavior differ.
8. Counterparts in other clouds
- GCP — Cloud NAT, Cloud Router, Routes. The model is similar.
- Azure — NAT Gateway, Route Tables, Service Endpoints · Private Endpoints.
The names differ, and the details differ too. Assuming the same abstraction leads to incidents.
9. Standard 3-tier VPC
VPC 10.0.0.0/16
├── Public subnets (×2 AZ): ALB, NAT Gateway
├── Private app subnets (×2 AZ): EC2/ECS/EKS
└── Private DB subnets (×2 AZ, isolated): RDS, ElastiCache
Three route tables:
| Subnet | Default route |
|---|---|
| Public | IGW |
| Private app | NAT Gateway (of that AZ) |
| Private DB | (none) |
Adding an S3 Gateway endpoint to the route table of the private app subnets reduces external egress costs.
NAT AZ distribution — A NAT Gateway is a single-AZ resource. If one AZ's NAT dies, private subnets in that AZ lose outbound. In production, place a NAT Gateway in every AZ and have each private subnet point at its own AZ's NAT.
10. Common pitfalls
No public IP — The route points at the IGW, but the instance has no public IP, so external reachability fails. Attach an EIP or enable auto-assign on the subnet.
NAT cost — Bills by both hours and processed GB. If private subnets receive a lot of large data from outside, costs accumulate. Mitigate with S3 endpoints, caching, and freezing dependencies at image-build time.
Route conflicts — Adding peering or transit gateway can send the default route to an unintended destination. Remember that the most specific prefix wins.
All private subnets through one NAT — A single AZ's NAT failure drags down other AZs. Per-AZ NAT is recommended.
Endpoint policy missing — If a Gateway endpoint policy is too broad, arbitrary buckets become reachable. Tighten with IAM and endpoint policies.
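As an added illustration of sections 4, 5, 9 and the pitfalls above (example code written for this page, not from the original or from any AWS tool), the following Python applies the page's rules to a constructed model of the 3-tier VPC: longest-prefix-match lookup, public/private/isolated classification from the default route, and the per-AZ NAT check. All route table, subnet, NAT Gateway and AZ identifiers are placeholders.

```python
import ipaddress

# Constructed sample data modelled on the 3-tier VPC of section 9; every id and AZ name is a placeholder.
ROUTE_TABLES = {  # route table id -> list of (destination, target)
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")],
    "rtb-app-a": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a"), ("pl-s3", "vpce-s3")],
    "rtb-app-b": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a")],  # pitfall: uses another AZ's NAT
    "rtb-db": [("10.0.0.0/16", "local")],  # no default route -> isolated
}
SUBNETS = {  # subnet id -> (associated route table, AZ)
    "subnet-pub-a": ("rtb-public", "az-a"),
    "subnet-app-a": ("rtb-app-a", "az-a"),
    "subnet-app-b": ("rtb-app-b", "az-b"),
    "subnet-db-a": ("rtb-db", "az-a"),
}
NAT_GATEWAYS = {"nat-a": "az-a", "nat-b": "az-b"}  # NAT Gateway id -> AZ it lives in


def lookup(routes, dst_ip):
    """Target of the most specific route covering dst_ip (longest prefix match); pl-* entries are skipped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None  # (network, target) of the longest matching prefix so far
    for dest, target in routes:
        if dest.startswith("pl-"):  # prefix-list members are not modelled here
            continue
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def default_target(subnet_id):
    """Where a subnet's internet-bound traffic goes: an igw-/nat- id, or None when no default route exists."""
    rtb_id = SUBNETS[subnet_id][0]
    return lookup(ROUTE_TABLES[rtb_id], "203.0.113.10")  # TEST-NET-3 probe: any non-VPC address


def classify(subnet_id):
    """Public / private / isolated is a property of the default route, not of the subnet name (section 5)."""
    target = default_target(subnet_id)
    if target is None:
        return "isolated"
    return {"igw": "public", "nat": "private"}.get(target.split("-")[0], "other")


def nat_az_mismatches():
    """Private subnets whose default route uses a NAT Gateway in a different AZ (the section 9 pitfall)."""
    return [s for s, (_rtb, az) in SUBNETS.items()
            if (t := default_target(s)) and t.startswith("nat-") and NAT_GATEWAYS.get(t) != az]
```

Running the same functions over real `describe-route-tables` / `describe-subnets` output only requires filling the three dicts from the API responses.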
Closing thoughts
A single line in the route table changes the character of a subnet. NAT Gateway cost is one of the most discussed line items in production, so the standard pattern is to mitigate with S3 endpoints, image caches, and freezing at build time.
Next
- security-group
- ec2
References: VPC route tables · Internet Gateway · NAT Gateway · VPC Endpoints · Egress-only IGW · PrivateLink.