# Networking

## **What are a NAT Gateway and a NAT Instance?**

First: What’s NAT?

NAT = Network Address Translation.

It lets devices on a private network reach the internet through a shared address, without exposing their private IPs.

Think of it like:

* You (private network) want to send a letter ✉️ to a shop (internet)
* But you don’t want the shop to know your home address
* So you send it through a post office (NAT) that uses its own address

### **NAT Gateway**

* AWS-managed (you don’t manage the server)
* Scales automatically
* Fast and highly available
* Costs more
* Can only be used for outbound internet access, not inbound.

It’s like an automatic toll booth — no operator, runs 24/7, fast, but you pay AWS.

### **NAT Instance**

* Your EC2 server acting as NAT
* You manage updates, patches, scaling
* Cheaper but slower & more work
* You can customize firewall rules
* Can be used for special routing setups

It’s like a manual toll booth with a human operator — cheaper, customizable, but you must maintain it.

### **What is a VPC?**

Think of a VPC as your own private village 🏡 inside AWS. You build roads (network), houses (servers), gates (firewalls), and choose who comes in and out.

Why do we use VPC?

* To keep resources secure and organized
* To control traffic going in and out
* To segment workloads (e.g., frontend, backend, database)
* To create private zones and public zones

**VPC BASICS:**

VPC = Your private network

* Like your own mini data center in the cloud

Subnets = Smaller sections inside your VPC

* Like districts in your village
* You can make:
  * Public subnet = can talk to the internet
  * Private subnet = hidden from the internet

Route Table = Road map

* Tells traffic where to go.
* Example: “If traffic is going to the internet, use the Internet Gateway.”

Internet Gateway (IGW)

* Like the main gate to your village
* Lets things go to/from internet

NAT Gateway / NAT Instance

* Lets private servers start connections to the internet (the replies come back), but nothing on the internet can start a connection to them
* Like a one-way mirror

Security Groups = Firewalls for servers

* Controls who can talk to your EC2
* Example: Allow port 22 (SSH) only from your laptop IP

Network ACLs = Firewalls for subnets

* Optional, subnet-level rules
* Stateless (you must allow both in and out)

```
            +----------------------+
            |  VPC (10.0.0.0/16)   |
            +----------+-----------+
                       |
             +---------+---------+
             | Public Subnet     | (10.0.1.0/24)
             | - EC2             |
             | - NAT Gateway     |
             +---------+---------+
                       |
             +---------+---------+
             | Private Subnet    | (10.0.2.0/24)
             | - EC2             |
             +-------------------+
```

### DEEPER CONCEPTS:

1\. VPC Peering

* Connect 2 VPCs (like 2 villages with a private road)

🛫 2. Transit Gateway

* Hub-and-spoke model to connect many VPCs & on-premises locations

🌉 3. VPC Endpoints

* Connect to AWS services like S3, DynamoDB privately (no internet)

🔒 4. VPC Flow Logs

* Logs of who talks to whom in your VPC — great for security and audit

🧠 5. IPv6 Support

* For internet-scale, newer networking needs

### **What is a Bastion Host?**

A bastion host is like the security guard at the gate 🛡️ of your private AWS network.

* You connect to it from the internet (using SSH).
* Then, from there, you can go inside to talk to your private EC2 servers.

So it’s a jump box — a doorway into your private network.
