
AWS Gateways

IGW or Internet Gateway


An IGW allows inbound and outbound traffic between the VPC and the internet (a subnet whose route table points at the IGW is a public subnet). Inbound and outbound access can be configured separately.



Bastion Hosts


A Bastion Host is an EC2 instance in the public subnet. Users SSH to the bastion host and from there on to instances in the private subnet. It is connected to both the public subnet and the private subnets, and it controls the traffic between the two.




NAT Instances


important for exam!
these are outdated but still appear in the exam


Network Address Translation allows EC2 instances in private subnets to connect to the public internet.


Must be launched in a PUBLIC subnet; it bridges the public and private subnets.


Must have the EC2 source/destination check setting disabled, otherwise the instance drops packets that are not addressed to it.


Must have an Elastic IP attached to it.


You create a security group in the public subnet for the NAT instance, which carries the EIP.


This NAT instance then relays traffic from the EC2 instances in the private subnet out to the internet.



NATs change the source IP of network packets: they rewrite the headers of the packets sent out to the public internet so that replies come back to the NAT's address.


So the private subnet's route table must be configured to send internet-bound traffic to the NAT instance.


So the path is: internet -> IGW (in the VPC) -> router -> NAT instance (a public instance in an AZ, with its security group and EIP)

-> and from there on to the private subnets in the same VPC.


A pre-configured Amazon NAT AMI exists, but it is deprecated and no longer supported.


Not highly available on its own: you have to create an Auto Scaling Group across multiple AZs, with a user data script as needed.


You must manage the security group and its rules for the instance:



for inbound:



allow HTTP/HTTPS traffic coming in from the private subnets


allow SSH from e.g. your home network via the IGW



for outbound:


allow HTTP/HTTPS traffic out to the internet



NATGW – NAT Gateway


NAT Gateways are different from NAT instances:


They are an AWS-managed NAT service with higher bandwidth, high availability and no admin overhead.


Pay per hour for usage and bandwidth.


A NATGW is created in a public subnet in a specified AZ and uses an Elastic IP (EIP).


It CANNOT be used by an EC2 instance in the same subnet, only from other subnets.


Requires an IGW: private subnet -> NATGW -> IGW.


5 Gbps of bandwidth, scaling automatically up to 45 Gbps.


NO security groups to manage!



A NATGW is resilient only within a single AZ, so for fault tolerance you have to create one NATGW per AZ: each one is placed in a public subnet in its AZ and serves the private subnets within that same AZ!



AWS manages the NATGW, whereas for a NAT Instance (the old method) YOU have to manage it, i.e. updates, patches, etc.



important for exam:


Unlike NAT Instances, a NATGW cannot be used as a bastion host and it does not use security groups!


And for NAT instances you must use a script to manage failover between instances, whereas a NATGW is highly available within its AZ.
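An offline check of the NAT rules from both sections above (NAT instance source/destination check and EIP, private-subnet default route pointing at a NAT, the NAT's subnet routing to an IGW, no NATGW use from its own subnet, one NATGW per AZ), as an added example that is not part of these notes. The dict layout is a simplification invented for this example rather than the AWS API's describe-* output, and no AWS calls are made.

```python
def audit_nat(subnets, route_tables, nat_gateways, nat_instances):
    """Return a list of findings. An empty list means every private subnet
    reaches the internet through a correctly placed NAT."""
    findings = []
    # A NAT instance needs its source/dest check disabled and an Elastic IP.
    for iid, inst in nat_instances.items():
        if inst["source_dest_check"]:
            findings.append(f"{iid}: source/destination check still enabled")
        if not inst.get("eip"):
            findings.append(f"{iid}: no Elastic IP attached")
    for sid, sub in subnets.items():
        if sub["public"]:
            continue
        # The private subnet's default route must point at a NAT.
        target = route_tables.get(sid, {}).get("0.0.0.0/0")
        if target in nat_gateways:
            nat_subnet = nat_gateways[target]["subnet"]
        elif target in nat_instances:
            nat_subnet = nat_instances[target]["subnet"]
        else:
            findings.append(f"{sid}: default route is {target!r}, not a NAT")
            continue
        if nat_subnet == sid:
            findings.append(f"{sid}: NAT {target} sits in the same subnet")
        # The NAT's own subnet must be public: its default route is the IGW.
        igw = route_tables.get(nat_subnet, {}).get("0.0.0.0/0", "")
        if not str(igw).startswith("igw-"):
            findings.append(f"{sid}: NAT {target} has no IGW route from {nat_subnet}")
        # A NATGW is resilient only inside its own AZ; cross-AZ use loses that.
        if target in nat_gateways and subnets[nat_subnet]["az"] != sub["az"]:
            findings.append(f"{sid}: uses NATGW {target} in another AZ")
    return findings

# Constructed sample: AZ a is correct, AZ b borrows AZ a's NATGW, and a
# leftover NAT instance still has its source/destination check enabled.
SUBNETS = {
    "subnet-pub-a": {"az": "a", "public": True},
    "subnet-priv-a": {"az": "a", "public": False},
    "subnet-priv-b": {"az": "b", "public": False},
}
ROUTE_TABLES = {
    "subnet-pub-a": {"0.0.0.0/0": "igw-main"},
    "subnet-priv-a": {"0.0.0.0/0": "nat-a"},
    "subnet-priv-b": {"0.0.0.0/0": "nat-a"},
}
NAT_GATEWAYS = {"nat-a": {"subnet": "subnet-pub-a"}}
NAT_INSTANCES = {"i-nat-old": {"subnet": "subnet-pub-a", "source_dest_check": True, "eip": "203.0.113.7"}}

if __name__ == "__main__":
    for line in audit_nat(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, NAT_INSTANCES):
        print(line)
```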


