Difference between AWS Internet Gateway ( IGW ) and NAT Gateway or NAT Instance?

What is the difference between AWS Internet Gateway ( IGW ) and NAT Gateway or NAT Instance?

One very basic way of looking at the two types of access is in terms of where the initiating User or Application is coming from.

• If the initiating User or Application is inside AWS, it can use a NAT Gateway or NAT Instance to initiate traffic OUT – it only works in one direction: OUT.
• An Internet Gateway allows the initiating User or Application to be either external to AWS or internal to AWS, and provides access to Public subnets. A subnet is deemed to be a Public Subnet if its Route Table directs traffic to the Internet Gateway – in this case traffic can be initiated from both inside and outside, as long as the security group or network ACL allows it.

A VPC can contain only one Internet Gateway, and the route table must contain a route to the internet via the IGW (Internet GateWay). A NAT Gateway can be defined in one or more availability zones for redundancy, and each NAT Gateway that requires internet access must itself sit behind a route to the IGW in the VPC. A NAT Gateway is therefore normally placed in a public subnet, and a route to it is defined in the private subnets' route tables, allowing traffic to be initiated from the private subnets (but not toward them).
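The two bullets and the paragraph above boil down to one rule: a subnet is public when the route table that applies to it has a default route to an IGW, private when that route goes to a NAT Gateway or NAT Instance, and isolated when there is no working default route at all. The following script is an added example (not from the original post or the linked blog) that applies that rule to a constructed inventory. The data is shaped like boto3's `describe_route_tables()` output, but every ID (`vpc-0example`, `igw-0example`, `nat-0example`, the `subnet-0…` names) is made up and nothing calls AWS. It also handles two edge cases an exposure audit must get right: a subnet with no explicit association inherits the VPC's main route table, and a `blackhole` default route (its NAT Gateway was deleted) forwards nothing.

```python
"""Audit which VPC subnets are public (IGW), private (NAT egress only) or isolated.
Constructed example shaped like boto3 ec2.describe_route_tables()["RouteTables"];
all IDs are invented and nothing here talks to AWS."""
from typing import Dict, List, Optional

DEFAULT_DESTINATIONS = {"0.0.0.0/0", "::/0"}   # "everything else" routes

SAMPLE_ROUTE_TABLES: List[dict] = [
    {   # main route table of the VPC: only the local route, no internet path
        "RouteTableId": "rtb-0main", "VpcId": "vpc-0example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public subnet: default route points at the Internet Gateway
        "RouteTableId": "rtb-0public", "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-0public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
    {   # private subnet: default route points at a NAT Gateway (outbound only)
        "RouteTableId": "rtb-0private", "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-0private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
    {   # stale table: the NAT Gateway was deleted, so the default route is a blackhole
        "RouteTableId": "rtb-0stale", "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-0stale"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0deleted", "State": "blackhole"},
        ],
    },
]

# Constructed subnet inventory: subnet id -> VPC id. subnet-0noassoc has no
# explicit association, so it falls back to the VPC's main route table.
SAMPLE_SUBNETS: Dict[str, str] = {
    "subnet-0public": "vpc-0example",
    "subnet-0private": "vpc-0example",
    "subnet-0stale": "vpc-0example",
    "subnet-0noassoc": "vpc-0example",
}


def route_table_for_subnet(route_tables: List[dict], subnet_id: str, vpc_id: str) -> Optional[dict]:
    """Explicitly associated table if there is one, else the VPC's main table."""
    main_table = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main") and table.get("VpcId") == vpc_id:
                main_table = table
    return main_table


def default_route_target(route_table: dict) -> Optional[str]:
    """'igw' (two-way), 'nat' (outbound only) or None. Blackhole routes are
    skipped; a NAT Instance appears as an InstanceId/NetworkInterfaceId target
    and an egress-only IGW (eigw-) is outbound-only like NAT."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_DESTINATIONS or route.get("State") != "active":
            continue
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            return "igw"
        if gateway.startswith("eigw-") or route.get("NatGatewayId") \
                or route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "nat"
    return None


def classify_subnets(route_tables: List[dict], subnets: Dict[str, str]) -> Dict[str, str]:
    """Map each subnet to 'public', 'private' or 'isolated'."""
    result = {}
    for subnet_id, vpc_id in subnets.items():
        table = route_table_for_subnet(route_tables, subnet_id, vpc_id)
        target = default_route_target(table) if table else None
        result[subnet_id] = {"igw": "public", "nat": "private"}.get(target, "isolated")
    return result


if __name__ == "__main__":
    for subnet, kind in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(f"{subnet}: {kind}")
```

Against real data you would feed `classify_subnets` the `RouteTables` list from boto3 and a `{SubnetId: VpcId}` map built from `describe_subnets()`; the "public" entries are the subnets where, exactly as the post says, a connection can be initiated from outside AWS if a security group or network ACL lets it through, so they are the ones to review first.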

A more detailed and precise description of Internet Gateways and NAT Gateways is given in this excellent blog post on AWS routing:

https://medium.com/@mda590/aws-routing-101-67879d23014d
