NAT Server on Amazon EC2


1. Overview
2. Architectural Diagram
3. Steps to Implement NAT Server
4. Why not simply place everything on a public subnet?
5. Conclusion
6. About CloudThat
7. FAQs


In modern multi-tier architectures, some application tiers must reach the Internet to serve users, while backend services such as databases need no Internet access and must not accept inbound traffic from it. The backend services are therefore placed in a private subnet, and the Internet-facing applications in a public subnet.

A NAT server (NAT instance) provides the functionality of a NAT Gateway using an EC2 instance launched from a NAT AMI in the public subnet. It lets instances in the private subnet reach the Internet while exposing only the required set of access, so the private instances are not directly reachable from the Internet. NAT instances are more cost-effective than a dedicated NAT Gateway.

Today we will see how to provide Internet access to a database server that sits in the private subnet using a NAT instance.

Architecture Diagram

[Figure: architecture diagram of the NAT server on Amazon EC2]

Steps to Implement NAT Server

Step-1 – Create a custom VPC

Step-2 – Create public and private subnets

Step-3 – Create public and private route tables

Step-4 – Create an Internet Gateway and attach it to the Demo-VPC

Step-5 – Confirm that the private route table has no route to the Internet Gateway, so the private subnet has no Internet access yet

Step-6 – Create a DB instance, or any private instance that you do not want to have direct Internet access, in the private subnet

Step-7 – Create a NAT server from a Community NAT AMI in AWS, in the public subnet

Step-8 – Make sure the HTTP and HTTPS ports are open to the Internet on the NAT server

Step-9 – Change the source and destination check setting of the NAT instance

Step-10 – Click the checkmark to stop (disable) the source and destination check

Step-11 – Now add a route in the private route table whose target is the NAT instance id, so that the private subnet reaches the Internet through the NAT server

Step-12 – Now SSH into the private instance through the Bastion Host and try to ping, to verify that Internet access works
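The console clicks of Steps 8 to 11, plus the route swap asked about in FAQ Q1 below, as an added AWS CLI example. This is not code from the original post or from CloudThat; the security group id, instance id, route table id, NAT gateway id and the 10.0.2.0/24 private CIDR are constructed placeholders. It also scopes the HTTP/HTTPS ingress to the private subnet CIDR rather than to the whole Internet, which is the check a reviewer would want on Step 8.

```shell
#!/bin/sh
# Added example, not code from the original post or from CloudThat: the AWS CLI
# form of Steps 8-11 plus a migration route for FAQ Q1. All IDs and CIDRs
# below are constructed placeholders; AWS=echo prints commands instead of running them.
AWS="${AWS:-aws}"

# Step 8: allow HTTP/HTTPS into the NAT instance only from the private subnet
# CIDR, not from 0.0.0.0/0, so the NAT server itself is not exposed to the Internet.
nat_sg_allow_private() {            # $1 = NAT security group id, $2 = private subnet CIDR
  for port in 80 443; do
    "$AWS" ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$port" --cidr "$2"
  done
}

# Steps 9-10: disable source/destination checking, otherwise EC2 drops forwarded
# packets whose source address belongs to a private instance, not to the NAT server.
disable_source_dest_check() {       # $1 = NAT instance id
  "$AWS" ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Step 11: default route of the private route table targets the NAT instance id.
add_private_default_route() {       # $1 = private route table id, $2 = NAT instance id
  "$AWS" ec2 create-route --route-table-id "$1" \
    --destination-cidr-block 0.0.0.0/0 --instance-id "$2"
}

# Check after Step 10: SourceDestCheck must read "False" for the NAT instance.
source_dest_check_state() {         # $1 = NAT instance id
  "$AWS" ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].SourceDestCheck' --output text
}

# FAQ Q1: swap the private default route from the NAT instance to a NAT Gateway.
migrate_route_to_nat_gateway() {    # $1 = private route table id, $2 = NAT gateway id
  "$AWS" ec2 replace-route --route-table-id "$1" \
    --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$2"
}

# Run the whole sequence only when invoked as: sh nat-instance.sh apply
if [ "${1:-}" = "apply" ]; then
  NAT_SG="sg-0placeholder"; NAT_ID="i-0placeholder"      # constructed placeholders
  PRIV_RTB="rtb-0placeholder"; PRIV_CIDR="10.0.2.0/24"
  nat_sg_allow_private "$NAT_SG" "$PRIV_CIDR"
  disable_source_dest_check "$NAT_ID"
  add_private_default_route "$PRIV_RTB" "$NAT_ID"
  source_dest_check_state "$NAT_ID"
fi
```

Run it with AWS=echo first to review the exact calls, then with real IDs and credentials to apply them.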

Why not simply place everything on a public subnet?

We hear this question frequently and have considered it, particularly in non-critical contexts. It would solve the problem, and we would no longer need a NAT instance or NAT Gateway because each instance or service would have its own public IP address. We have decided against it for two key reasons.

First, we have seen the utility of NAT Gateways: they provide outbound-only Internet access for machines/instances in private subnets, which is required for downloading packages, installing patches, and applying software updates, among other things.

Second, a NAT Gateway is very simple to add or remove, i.e., by adding or removing the route to the NAT Gateway in the routing table, depending on our needs.

About CloudThat

CloudThat is also an official AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner and a Microsoft Gold Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding the NAT server, NAT instance, or Amazon services, and I will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat's offerings.


FAQs

Q1. Is it possible to move from a NAT instance to a NAT Gateway?

Ans: You may create a NAT Gateway in the same subnet as your NAT instance and then replace the current route in your route table that points to the NAT instance with a route to the NAT Gateway.

Q2. What is the difference between a NAT gateway and a NAT instance?

Ans: When a connection times out, a NAT gateway sends an RST packet to any resources trying to maintain the connection behind the NAT gateway (it does not send a FIN packet). When a connection times out, a NAT instance closes the connection by sending a FIN packet to resources behind the NAT instance.

Q3. Which is more cost-effective: a NAT gateway or a NAT instance?

Ans: Since AWS charges for cross-AZ traffic within your VPC, you will generally want one NAT per Availability Zone. However, NAT instances will be cheaper than a NAT Gateway if you are pushing enough traffic.

WRITTEN BY Cherukula Bhanu Prakash Reddy
