Networking

What is NAT Gateway and NAT Instance

First: What’s NAT?

NAT = Network Address Translation. It lets devices in a private network talk to the internet without showing their private IP.

Think of it like:

  • You (private network) want to send a letter ✉️ to a shop (internet)

  • But you don’t want the shop to know your home address

  • So you send it through a post office (NAT) that uses its own address

NAT Gateway

  • AWS-managed (you don’t manage the server)

  • Scales automatically

  • Fast and highly available

  • Costs more

  • Can only be used for outbound internet access, not inbound.

It’s like an automatic toll booth — no operator, runs 24/7, fast, but you pay AWS.

NAT Instance

  • Your EC2 server acting as NAT

  • You manage updates, patches, scaling

  • Cheaper but slower & more work

  • You can customize firewall rules

  • Can be used for special routing setups

It’s like a manual toll booth with a human operator — cheaper, customizable, but you must maintain it.

What is a VPC?

Think of a VPC as your own private village 🏡 inside AWS. You build roads (network), houses (servers), gates (firewalls), and choose who comes in and out.

Why do we use VPC?

  • To keep resources secure and organized

  • To control traffic going in and out

  • To segment workloads (e.g., frontend, backend, database)

  • To create private zones and public zones

VPC BASICS:

VPC = Your private network

  • Like your own mini data center in the cloud

Subnets = Smaller sections inside your VPC

  • Like districts in your village

  • You can make:

    • Public subnet = can talk to internet

    • Private subnet = hidden from internet

Route Table = Road map

  • Tells traffic where to go.

  • Example: “If traffic is going to the internet, use the Internet Gateway.”

Internet Gateway (IGW)

  • Like the main gate to your village

  • Lets things go to/from internet

NAT Gateway / NAT Instance

  • Lets private servers reach the internet (replies to their requests come back), but the internet can’t start connections to them

  • Like a one-way mirror

Security Groups = Firewalls for servers

  • Controls who can talk to your EC2

  • Example: Allow port 22 (SSH) only from your laptop IP

Network ACLs = Firewalls for subnets

  • Optional, subnet-level rules

  • Stateless (you must allow both in and out)
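The difference between the stateful Security Group and the stateless Network ACL is easiest to see on the SSH example above (port 22 from your laptop only). This is an added illustration, not code from these notes or from AWS: a small model with constructed addresses (the laptop IP 203.0.113.7, the server IP 10.0.2.15 and the ephemeral port range are assumptions) that shows the reply of an allowed SSH connection passing a Security Group automatically, while a Network ACL drops it until an outbound rule for ephemeral ports is added.

```python
from dataclasses import dataclass
from collections import namedtuple
from ipaddress import ip_address, ip_network
# Constructed sample addresses (assumptions for this example, not from the notes)
LAPTOP_IP = "203.0.113.7"       # stands in for "your laptop IP"
SERVER_IP = "10.0.2.15"         # an EC2 instance inside a private subnet
EPHEMERAL = range(1024, 65536)  # client-side ports that replies come back to

Packet = namedtuple("Packet", "src dst src_port dst_port")

@dataclass(frozen=True)
class Rule:
    cidr: str     # source (inbound) or destination (outbound) range the rule allows
    ports: range  # destination ports it allows

    def matches(self, ip: str, port: int) -> bool:
        return ip_address(ip) in ip_network(self.cidr) and port in self.ports

class SecurityGroup:
    """Stateful: once a packet is allowed in, its reply is allowed out automatically."""
    def __init__(self, inbound: list[Rule]):
        self.inbound = inbound
        self.tracked: set[tuple] = set()  # connection-tracking table

    def allow_in(self, p: Packet) -> bool:
        ok = any(r.matches(p.src, p.dst_port) for r in self.inbound)
        if ok:
            self.tracked.add((p.src, p.src_port, p.dst, p.dst_port))
        return ok

    def allow_out(self, p: Packet) -> bool:
        # Only the reply path is modelled; a real SG also has its own outbound rules.
        return (p.dst, p.dst_port, p.src, p.src_port) in self.tracked

class NetworkAcl:
    """Stateless: each direction is judged by its own rule list; nothing is remembered."""
    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound, self.outbound = inbound, outbound

    def allow_in(self, p: Packet) -> bool:
        return any(r.matches(p.src, p.dst_port) for r in self.inbound)

    def allow_out(self, p: Packet) -> bool:
        return any(r.matches(p.dst, p.dst_port) for r in self.outbound)

def ssh_session(fw) -> tuple[bool, bool]:
    """(request let in, reply let out) for one SSH connection from the laptop."""
    request = Packet(LAPTOP_IP, SERVER_IP, 51515, 22)
    reply = Packet(SERVER_IP, LAPTOP_IP, 22, 51515)
    return fw.allow_in(request), fw.allow_out(reply)
```

With only the inbound port-22 rule, `ssh_session(SecurityGroup([...]))` returns `(True, True)` while `ssh_session(NetworkAcl([...], []))` returns `(True, False)`: the ACL needs a second, outbound rule covering the ephemeral ports before the SSH reply can leave the subnet.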

DEEPER CONCEPTS:

1. VPC Peering

  • Connect 2 VPCs (like 2 villages with a private road)

🛫 2. Transit Gateway

  • Hub-and-spoke model to connect many VPCs & on-premises locations

🌉 3. VPC Endpoints

  • Connect to AWS services like S3, DynamoDB privately (no internet)

🔒 4. VPC Flow Logs

  • Logs of who talks to who in your VPC — great for security and audit

🧠 5. IPv6 Support

  • For internet-scale, newer networking needs

What is Bastion Host?

A bastion host is like the security guard at the gate 🛡️ of your private AWS network.

  • You connect to it from the internet (using SSH).

  • Then, from there, you can go inside to talk to your private EC2 servers.

So it’s a jump box — a doorway into your private network.
