
During a few of my AWS Cloud infrastructure build-outs, client team members have wondered and asked why I use both an Internet Gateway and a NAT Gateway when setting up the network layer of the environment. Some with advanced networking knowledge have pointed out that we could skip the NAT configuration and use the Internet Gateway for all Internet access, which is technically true and can be done. As a matter of fact, for smaller configurations with limited complexity requirements, that is common practice: a single Internet Gateway for all ingress/egress Internet traffic.
But why is it that in larger, more complex environments, especially where security is a high concern, we tend to use different internet-facing gateway services? And what is the benefit of doing so?
In an Amazon Web Services (AWS) environment, both NAT Gateways and Internet Gateways play vital roles in managing how resources within a Virtual Private Cloud (VPC) communicate with the internet. However, they serve very different purposes and are used in distinct networking scenarios. Understanding the function of each helps ensure that your cloud architecture is both secure and efficient. At a high level, an Internet Gateway enables internet access for resources that are publicly accessible, while a NAT Gateway allows instances in private subnets to initiate outbound internet connections without exposing themselves to inbound traffic from the internet.
What is an Internet Gateway (IGW)?
An Internet Gateway (IGW) is a horizontally scaled, highly available AWS-managed component that allows instances in a VPC to connect directly to the internet. It acts as a target for public subnets’ route tables, enabling resources such as web servers, APIs, or load balancers to communicate with the outside world. When an EC2 instance in a public subnet has an Elastic IP or a public IP address, the Internet Gateway facilitates bidirectional communication, meaning external users can initiate connections to the instance, and the instance can also make outbound requests.
This is a common 1:1 mapping between an internal device (with a private IP address) and a public IP address (in most cases, provisioned on a firewall). Through this mapping, with the appropriate ports opened on the firewall (such as TCP 80/443 for web/HTTP(S), or TCP 22 for SSH), an internet-based device can communicate with the internal device directly via the public IP address.
So then what is a NAT Gateway?
A NAT Gateway (Network Address Translation Gateway) is used to enable outbound internet access for resources in private subnets while maintaining their isolation from inbound connections. Instances in private subnets typically do not have public IP addresses for security reasons, meaning they cannot directly communicate with the internet. The NAT Gateway, deployed in a public subnet and associated with an Elastic IP address, acts as an intermediary, translating private IP addresses to the public Elastic IP when sending traffic out. When the response returns, the NAT Gateway translates it back and forwards it to the originating private instance. This setup is commonly used for private application servers or database servers that need to download updates or access external APIs securely.
Think of a typical home Wi-Fi router, for example; this is essentially a NAT configuration, where computers, laptops and smart devices throughout the house can reach the internet without the internet being able to reach them directly. This configuration inherently adds a security layer that protects the internet-enabled devices inside the home.
From an AWS perspective, a NAT Gateway comes into play when resources and services need Internet access without direct exposure: services such as RDS and Lambda, and in many cases EC2 servers with no need for inbound public access.
So the main differences are…
The key difference between an Internet Gateway and a NAT Gateway lies in the direction and type of traffic they handle. The Internet Gateway supports both inbound and outbound traffic for resources with public IPs, effectively exposing them to the internet, while the NAT Gateway supports only outbound traffic for resources with private IPs, ensuring they remain inaccessible from the internet.
Now, another thing to keep in mind, and this is specific to AWS (and perhaps some other cloud providers), is that an Internet Gateway is typically made available at no cost apart from data transfer charges, whereas a NAT Gateway has a recurring cost. This should not weigh on a technical comparison of the two services; it is just something to be aware of.
Ok, so for my 3-tier environment, what do I use?
Good question. In a simple 3-tier design, all components can be configured with an Internet Gateway, with only select ports opened up on the firewall. For example:
- Web server – configured with an Internet Gateway (egress + ingress TCP 80/443)
- Application server – configured with an Internet Gateway (egress only)
- Database server – configured with an Internet Gateway (egress only)
Notice that ingress is only applicable to the web server, meaning that on the firewall (Internet Gateway), the public IP assigned to the web server accepts inbound requests on ports TCP 80 and TCP 443. However, this also means that the Application server and the Database server have public IP addresses assigned and are configured on the firewall (Internet Gateway), only with no inbound ports open. This poses an elevated security risk, as a misconfiguration may expose these servers to the internet, not to mention the two extra public IP addresses provisioned but never used for inbound traffic (reserved but not utilized).
With cost implications put aside, a better configuration would be something like this:
- Web server – Internet Gateway (egress + ingress TCP 80/443)
- Application server – NAT (egress only)
- Database server – NAT (egress only)
This configuration only utilizes a single reserved public IP address, for the purpose of serving web pages from the web server. The Application server and Database server can still reach out to the internet via the NAT Gateway, but they are not exposed to the public internet, and the Internet Gateway is unaware of these two internal servers. This inherently applies a layer of protection to the Application server and the Database server.
Both the Internet Gateway and the NAT Gateway are essential networking components, but they serve different security and connectivity roles. The Internet Gateway provides the “front door” to the internet for publicly accessible services, while the NAT Gateway provides a secure “exit-only door” for private resources to reach out without being reached. Together, they form a balanced architecture that supports both public accessibility and private isolation: key pillars of a well-architected AWS network design.
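As an added check, not part of the original post, here is a small Python audit that reads constructed records shaped like the output of EC2 DescribeRouteTables and DescribeInstances, classifies each subnet by its default route (Internet Gateway vs NAT Gateway) and flags any application or database instance that sits behind the Internet Gateway or carries a public IP, which is the misconfiguration risk described above. The `Tier` tag, the sample IDs and the hypothetical function names are assumptions; no AWS calls are made.

```python
# Constructed sample records shaped like the Routes/Associations of EC2
# DescribeRouteTables and the Instances of DescribeInstances; no AWS calls.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app"}, {"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-web",
     "PublicIpAddress": "203.0.113.10", "Tags": [{"Key": "Tier", "Value": "web"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-app", "Tags": [{"Key": "Tier", "Value": "app"}]},
    # Misconfigured on purpose: a db host launched into the public subnet with a public IP
    {"InstanceId": "i-db", "SubnetId": "subnet-web",
     "PublicIpAddress": "203.0.113.11", "Tags": [{"Key": "Tier", "Value": "db"}]},
]

def classify_subnets(route_tables):
    """Map each explicitly associated subnet to 'public' (default route to IGW), 'nat' or 'isolated'."""
    kinds = {}
    for rt in route_tables:
        kind = "isolated"
        for route in rt["Routes"]:
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                kind = "public"
            elif route.get("NatGatewayId"):
                kind = "nat"
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:  # skip the {"Main": True} association, which names no subnet
                kinds[assoc["SubnetId"]] = kind
    return kinds

def find_exposed(instances, subnet_kinds, ingress_tiers=("web",)):
    """Ids of instances outside the ingress tiers that are in a public subnet or have a public IP."""
    exposed = []
    for inst in instances:
        tier = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Tier"), "")
        if tier in ingress_tiers:
            continue
        if subnet_kinds.get(inst["SubnetId"]) == "public" or inst.get("PublicIpAddress"):
            exposed.append(inst["InstanceId"])
    return exposed
```

Running `find_exposed(INSTANCES, classify_subnets(ROUTE_TABLES))` on the sample data returns only `i-db`, the database host that was placed behind the Internet Gateway.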
Technologist, Cloud Promoter, Automation and Continuous Optimization Advocate.