NAT gateway for ec2 instances

Question

I have a public subnet with ec2 instnaces. The route table has 0.0.0.0/0 IGW (Internet Gateway) as default.

I tested adding a public IP address to my instance (104.27.142.41/32 as reported by curl ifconfig.co) and when I ssh to that ec2 it returns this IP address, which I expected.

1) My question is since NAT is only for outbound traffic, how they communicate when it sends request or quote to other sites?

2) If I switch IGW (internet gateway) to NAT for public subnet will it mask all outbound traffic to NAT IP address and still able to communicate with other sites?

Answer 1

Generally you will have 2 kinds of subnets in a VPC:

1. Public subnet

   • has IGW and optionally NAT
   • 0.0.0.0/0 there points to the IGW
   • hosts (EC2 instances) must have public IP or elastic IP attached as they go directly to the internet
   • hosts can be contacted from the internet on this public/elastic IP (if Security Group permits)

2. Private subnet

   • has no IGW or NAT
   • the 0.0.0.0/0 points to the NAT in the public subnet above
   • hosts only have private IP and all outbound access is "masked" to the NAT gateway IP
   • hosts can initiate connections to the internet but can't be contacted from outside as they are "hidden" behind the NAT (Network Address Translation gateway).
   • without NAT configured hosts won't have internet access

Hope that explains it :)