Gateways in AWS play a crucial role in routing traffic between networks, enabling secure communication, and optimizing connectivity for cloud and hybrid cloud environments. AWS provides multiple gateway types, including:
- Internet Gateway (IGW)
- NAT Gateway
- Egress-Only Internet Gateway (EIGW)
Each type serves a distinct purpose in managing network traffic, particularly IPv4 and IPv6 connectivity within Amazon Virtual Private Clouds (VPCs).
Internet Gateway (IGW)
An Internet Gateway (IGW) is a highly available AWS-managed component that enables instances in a public subnet to communicate with the internet. It provides bidirectional traffic flow, meaning resources in a public subnet can send and receive traffic from the internet.
How IGW Works
- IGW performs one-to-one NAT between an instance's private IPv4 address and its public IPv4 address or Elastic IP; without a public address, the instance cannot use the IGW.
- It allows direct internet access for instances without requiring NAT.
- Route tables must be updated to direct outbound traffic to the IGW.
Key Features
- Supports both IPv4 and IPv6 traffic.
- Enables bidirectional communication between AWS and the internet.
- Requires instances to have public IPs or Elastic IPs (EIPs) to access the internet.
Use Cases
- Hosting public-facing applications such as web servers.
- Allowing direct internet connectivity for development and testing environments.
- Providing internet access to AWS Lambda functions or containerized applications in EKS/ECS.
Route Table Configuration for a Public Subnet
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 2001:db8:1234:1a00::/56 | local |
| 0.0.0.0/0 | igw-id |
| ::/0 | igw-id |
NAT Gateway
A NAT Gateway allows instances in a private subnet to access the internet while preventing the internet from initiating connections to these instances. This means instances can send requests to the internet but remain hidden from inbound traffic.
How NAT Gateway Works
- NAT Gateway only supports outbound traffic.
- It is associated with a public subnet but serves private subnets.
- It uses an Elastic IP (EIP) to allow outbound requests to the internet.
- Traffic from private subnets is routed through NAT Gateway before reaching the IGW.
Key Features
- Prevents inbound access to private instances from the internet.
- Supports IPv4 traffic only and does not work with IPv6.
- AWS-managed and scalable up to 45 Gbps throughput.
Use Cases
- Allowing private EC2 instances to download updates, access APIs, or send logs to the internet.
- Enabling private subnets to interact with internet services securely.
- Preventing external threats by restricting inbound traffic.
Route Table Configuration for a Private Subnet
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 2001:db8:1234:1a00::/56 | local |
| 0.0.0.0/0 | nat-gateway-id |
| ::/0 | eigw-id |
Egress-Only Internet Gateway (EIGW)
An Egress-Only Internet Gateway (EIGW) is designed specifically for IPv6 traffic. It functions similarly to a NAT Gateway but for IPv6 instances, enabling outbound communication to the internet while blocking inbound traffic.
How EIGW Works
- Unlike NAT Gateway, which only supports IPv4, EIGW exclusively supports IPv6.
- It allows instances in private subnets to initiate outbound internet connections.
- Internet-originated traffic is blocked, ensuring that IPv6 resources remain private.
Key Features
- Supports IPv6 traffic exclusively.
- Provides outbound-only access to the internet.
- Ensures security by blocking unsolicited inbound connections.
Use Cases
- Allowing IPv6-enabled private instances to communicate with the internet.
- Securing IPv6 workloads while enabling internet access for updates or API calls.
- Enabling IPv6 instances to send logs or telemetry data to external services.
Route Table Configuration for a Private Subnet with IPv6
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 2001:db8:1234:1a00::/56 | local |
| 0.0.0.0/0 | nat-gateway-id |
| ::/0 | eigw-id |
Comparison of AWS Gateways
| Feature | Internet Gateway (IGW) | NAT Gateway | Egress-Only Internet Gateway (EIGW) |
|---|---|---|---|
| Traffic Flow | Bidirectional (inbound & outbound) | Outbound only | Outbound only |
| Supports | IPv4 & IPv6 | IPv4 only | IPv6 only |
| Requires Elastic IP? | No | Yes | No |
| Use Case | Hosting public applications | Allowing private instances to reach the internet | IPv6-based outbound internet access |
| Security | Public instances exposed to the internet | Private instances protected from inbound traffic | Blocks inbound connections |
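The comparison above is what a route-table audit checks in practice: a default route to the IGW is bidirectional, while NAT and EIGW routes are outbound-only. The following is an added example (not from the original post) that classifies subnets by their IPv4 and IPv6 default routes and flags the dual-stack mistake of routing ::/0 to the IGW in an otherwise private subnet; the route-table data is constructed inline in the shape of describe-route-tables output, and all IDs are placeholders.

```python
"""Audit VPC route tables: classify each subnet's default routes as IGW (bidirectional),
NAT or EIGW (outbound-only) or none, and flag subnets that are private for IPv4 but
expose IPv6 via the IGW. Input mimics describe-route-tables output, constructed inline."""

# Constructed sample: public, correctly private dual-stack, and a "private" subnet whose ::/0 goes to the IGW.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0a1"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b2"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0c3"}]},
    {"RouteTableId": "rtb-mixed", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0b2"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0a1"}]},
]

def default_route_target(routes, family):
    """Return ('igw'|'nat'|'eigw', target_id) for the family's default route, else None."""
    key, default = (("DestinationCidrBlock", "0.0.0.0/0") if family == "ipv4"
                    else ("DestinationIpv6CidrBlock", "::/0"))
    for route in routes:
        if route.get(key) != default:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw", route["GatewayId"]  # bidirectional: inbound reachable
        if "NatGatewayId" in route:
            return "nat", route["NatGatewayId"]  # IPv4, outbound only
        if "EgressOnlyInternetGatewayId" in route:
            return "eigw", route["EgressOnlyInternetGatewayId"]  # IPv6, outbound only
    return None

def audit(route_tables):
    """Map subnet -> {'ipv4': kind, 'ipv6': kind} and flag subnets whose ::/0 route is the
    IGW while 0.0.0.0/0 is not: VPC IPv6 addresses are globally routable, so the IGW
    makes those instances reachable from the internet even though IPv4 goes via NAT."""
    exposure, findings = {}, []
    for rt in route_tables:
        kinds = {fam: (default_route_target(rt["Routes"], fam) or ("none",))[0]
                 for fam in ("ipv4", "ipv6")}
        for assoc in rt["Associations"]:
            exposure[assoc["SubnetId"]] = kinds
            if kinds["ipv4"] != "igw" and kinds["ipv6"] == "igw":
                findings.append((assoc["SubnetId"], rt["RouteTableId"],
                                 "IPv6 default route to IGW in a non-public subnet"))
    return exposure, findings
```

Security groups still gate individual ports, but the route table decides whether inbound reachability is possible at all, so this check belongs before any security-group review.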
Conclusion
AWS provides different types of gateways to facilitate internet access, security, and network management. Choosing the right gateway depends on your network requirements:
- Use Internet Gateway (IGW) for publicly accessible instances.
- Use NAT Gateway for outbound-only internet access in private subnets.
- Use Egress-Only Internet Gateway (EIGW) for outbound IPv6 internet access.
By properly configuring route tables and security groups, you can ensure secure and efficient internet connectivity for your AWS workloads.