Internet Gateway (IGW): What It Is and When to Use It

Definition

An Amazon Web Services (AWS) Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Virtual Private Cloud (VPC) component that allows communication between your VPC and the internet. It is a foundational networking object that serves as a target in your VPC route tables for internet-routable traffic, enabling resources like Amazon EC2 instances to connect to the internet and be reached from the internet.

How It Works

An Internet Gateway provides a two-way bridge for network traffic between the internet and your VPC. For resources within a VPC to gain internet access, a specific set of configurations must be in place:

  1. Create and Attach the IGW: First, you create an Internet Gateway and then attach it to your desired VPC. A VPC can have only one IGW attached at a time, and an IGW can be attached to only one VPC.

  2. Create a Public Subnet: A subnet's designation as "public" or "private" is determined by its route table. A public subnet is one whose associated route table has a route to an Internet Gateway.

  3. Configure the Route Table: You must add a route to the subnet's route table that directs internet-bound traffic to the IGW. This is typically configured with a destination of 0.0.0.0/0 for IPv4 traffic and ::/0 for IPv6 traffic, with the IGW as the target.

  4. Assign a Public IP Address: For an Amazon EC2 instance within the public subnet to communicate with the internet, it must have a public IPv4 address (such as an Elastic IP address or an auto-assigned public IP) or an IPv6 address.

  5. Configure Security: Both Security Groups (stateful firewalls for instances) and Network Access Control Lists (NACLs, stateless firewalls for subnets) must be configured to allow the desired inbound and outbound traffic to and from the internet.

When an instance in a public subnet sends traffic to the internet, the traffic flows to the VPC router, which consults the route table. The 0.0.0.0/0 route directs the traffic to the IGW. The IGW then performs Network Address Translation (NAT) for IPv4 traffic, translating the instance's private IP address to its public IP address before sending the traffic to the internet. For inbound traffic, the IGW performs the reverse translation and forwards the traffic to the instance.
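The five steps above are exactly the checks an operator runs when an instance in a "public" subnet is unreachable, or when auditing what is exposed. The following Python, written for this article and not taken from AWS or any project, applies them to data shaped like the dicts that boto3's describe_internet_gateways, describe_route_tables, describe_security_groups and describe_instances return. All ids, addresses and rules are constructed for the example. It also goes one step beyond the text by labelling a subnet whose default route points at a nat- target as egress-only, the distinction drawn later in the article.

```python
"""Route-table and exposure checks over boto3-shaped describe_* data.
Every value below is constructed for this example (hypothetical ids)."""
from ipaddress import ip_network

VPC_ID = "vpc-0example"  # constructed

INTERNET_GATEWAYS = [  # step 1: the IGW must be attached to the VPC
    {"InternetGatewayId": "igw-0example",
     "Attachments": [{"VpcId": VPC_ID, "State": "available"}]},
]

ROUTE_TABLES = [  # steps 2-3: a subnet is public only through its route table
    {"RouteTableId": "rtb-public", "VpcId": VPC_ID,
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
         {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": VPC_ID,
     "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
    {"RouteTableId": "rtb-main", "VpcId": VPC_ID,  # main table: no default route
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]

SECURITY_GROUPS = {  # step 5: inbound permissions, keyed by group id
    "sg-web": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    "sg-admin": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
}

INSTANCES = [  # step 4: PublicIpAddress is absent when no public IPv4 is assigned
    {"InstanceId": "i-web", "SubnetId": "subnet-public",
     "PublicIpAddress": "198.51.100.10", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-noip", "SubnetId": "subnet-public",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-private",
     "SecurityGroups": [{"GroupId": "sg-admin"}]},
]


def igw_attached(vpc_id, igws=INTERNET_GATEWAYS):
    """Step 1: is any IGW attached (state 'available') to this VPC?"""
    return any(att["VpcId"] == vpc_id and att["State"] == "available"
               for igw in igws for att in igw["Attachments"])


def route_table_for(subnet_id, tables=ROUTE_TABLES):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    for table in tables:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            return table
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))


def default_route_target(table):
    """Target of the active 0.0.0.0/0 or ::/0 route, or None if there is none.
    A 'blackhole' route (IGW detached after the route was written) does not count."""
    for route in table["Routes"]:
        is_default = (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                      or route.get("DestinationIpv6CidrBlock") == "::/0")
        if is_default and route.get("State") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def classify_subnet(subnet_id, tables=ROUTE_TABLES):
    """Steps 2-3: 'public' (default route to an igw-), 'private-egress'
    (default route to a nat-, outbound only) or 'isolated' (no default route)."""
    target = default_route_target(route_table_for(subnet_id, tables))
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private-egress"
    return "other"  # e.g. a virtual private gateway or transit gateway


def ports_open_to_internet(group_ids, sgs=SECURITY_GROUPS):
    """Step 5: (protocol, from, to) tuples whose ingress rule admits any source."""
    open_ports = set()
    for gid in group_ids:
        for perm in sgs.get(gid, []):
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            cidrs = [r.get("CidrIp") or r.get("CidrIpv6") for r in ranges]
            if any(ip_network(c).prefixlen == 0 for c in cidrs):
                open_ports.add((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return open_ports


def internet_reachability_blockers(instance):
    """Apply steps 1-5 to one instance. Returns the reasons it is NOT reachable
    from the internet; an empty list means it is exposed."""
    blockers = []
    table = route_table_for(instance["SubnetId"])
    if not igw_attached(table["VpcId"]):
        blockers.append("no IGW attached to the VPC")
    kind = classify_subnet(instance["SubnetId"])
    if kind != "public":
        blockers.append(f"subnet is {kind}: no route to an IGW")
    if "PublicIpAddress" not in instance:
        blockers.append("no public IPv4 address")
    if not ports_open_to_internet(g["GroupId"] for g in instance["SecurityGroups"]):
        blockers.append("no security group rule admits 0.0.0.0/0 or ::/0")
    return blockers


if __name__ == "__main__":
    for inst in INSTANCES:
        found = internet_reachability_blockers(inst)
        print(inst["InstanceId"], "EXPOSED" if not found else "not reachable: " + "; ".join(found))
```

The check deliberately stops at security groups: the subnet NACL (step 5's stateless layer) is not modelled here, so an instance reported as exposed could still be blocked by a custom NACL, while the default NACL allows everything. Run against real describe_* output, an empty blocker list is the set of instances to review first.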

Key Features and Limits

  • High Availability and Scalability: The IGW is a fully managed AWS service that is horizontally scaled, redundant, and highly available. It does not create a bandwidth constraint on your network traffic.
  • IPv4 and IPv6 Support: It supports both IPv4 and IPv6 traffic, enabling dual-stack VPC configurations.
  • Network Address Translation (NAT): For IPv4, the IGW performs the one-to-one NAT function that maps an instance's private IP to its associated public or Elastic IP address.
  • No Bandwidth Constraints: AWS states that the IGW does not cause availability risks or bandwidth constraints on your network traffic. However, there are bandwidth limits for multi-flow traffic from a single instance through an IGW, which are typically 5 Gbps or 50% of the instance's available bandwidth, whichever is larger.

Service Quotas (as of 2026):

  • Internet Gateways per Region: 5 (This is a soft limit and can be increased. It is tied to the number of VPCs per Region).
  • Internet Gateways per VPC: 1. You can only attach one IGW to a VPC at a time.

Common Use Cases

  • Hosting Public Web Applications: An IGW is essential for any application, such as a web server or API endpoint, that needs to accept inbound traffic directly from the internet.
  • Providing Direct Outbound Internet Access: Allows EC2 instances to connect to the internet to download software updates, pull from code repositories, or connect to external APIs.
  • Enabling Bastion Hosts / Jump Boxes: To provide secure, controlled administrative access (via SSH or RDP) to instances in private subnets, a bastion host is placed in a public subnet, which requires an IGW for connectivity.
  • Supporting NAT Gateways: A NAT Gateway must be placed in a public subnet with a route to an IGW to provide outbound-only internet access for resources in private subnets.

Pricing Model

There is no charge for creating or using an Internet Gateway itself. However, standard AWS data transfer charges apply for all data transferred out from your EC2 instances to the internet through the IGW. Data transfer into your EC2 instances from the internet is free.

For detailed and current pricing, always refer to the Amazon EC2 On-Demand Pricing page under the "Data Transfer" section.

Pros and Cons

Pros:

  • Fully Managed: AWS handles all the scaling, redundancy, and availability, removing operational overhead.
  • No Direct Cost: The resource itself is free; you only pay for outbound data transfer.
  • High Performance: Designed to be non-blocking and not a bottleneck for your VPC's internet traffic.
  • Simple to Configure: Setting up an IGW and a corresponding route is a straightforward process.

Cons:

  • Direct Exposure: Resources in a public subnet are directly exposed to the internet, which necessitates meticulous configuration of Security Groups and NACLs to prevent unauthorized access.
  • Requires Public IPs: For IPv4, instances must have a public IP address to use the IGW, which can sometimes be a limited resource.
  • VPC-Scoped: An IGW is tied to a single VPC and cannot be shared.

Comparison with Alternatives

Internet Gateway vs. NAT Gateway:

The most common point of comparison is with a NAT (Network Address Translation) Gateway.

  • Directionality: An IGW allows for bidirectional traffic (inbound and outbound). A NAT Gateway allows for outbound-only traffic; instances in a private subnet can initiate connections to the internet, but the internet cannot initiate connections to them.
  • Use Case: Use an IGW for resources that need to be publicly accessible, like web servers. Use a NAT Gateway for resources in private subnets, like databases or backend application servers, that need to download updates or call external APIs without being exposed to inbound connections.
  • IP Address Requirement: An IGW requires the instance to have its own public IP address. A NAT Gateway uses its own Elastic IP address and allows many private instances to share it for outbound traffic.
  • Cost: The IGW itself is free. A NAT Gateway has an hourly charge and a per-GB data processing fee, in addition to standard outbound data transfer costs.

Exam Relevance

Understanding the Internet Gateway is fundamental for several AWS certifications. It is a core networking concept tested in:

  • AWS Certified Cloud Practitioner (CLF-C02): Basic understanding of its purpose and role in a VPC.
  • AWS Certified Solutions Architect – Associate (SAA-C03): Deeper knowledge of its configuration, its relationship with route tables and public/private subnets, and the distinction between an IGW and a NAT Gateway.
  • AWS Certified SysOps Administrator – Associate (SOA-C02): Practical knowledge of troubleshooting connectivity issues related to IGWs, route tables, and security groups.
  • AWS Certified Advanced Networking – Specialty (ANS-C01): In-depth understanding of traffic flow, security implications, and its role in complex network architectures.

Examinees must know how to create and attach an IGW, configure a route table to make a subnet public, and understand the security implications of doing so.

Frequently Asked Questions

Q: What is the difference between an Internet Gateway and a NAT Gateway?

A: An Internet Gateway (IGW) enables two-way communication between your VPC and the internet, requiring resources to have public IP addresses to be reachable. A NAT Gateway enables one-way, outbound-only communication for resources in private subnets, allowing them to access the internet while preventing the internet from initiating connections to them.

Q: Can a VPC have more than one Internet Gateway?

A: No, a VPC can have only one Internet Gateway attached to it at any given time. Similarly, an IGW can only be attached to one VPC at a time.

Q: Do I need an Internet Gateway to access other AWS services?

A: Not necessarily. To access the public endpoints of AWS services in the same region, you can use an IGW without incurring data transfer charges. However, for private and more secure access to AWS services without traffic traversing the internet, you should use VPC Endpoints (either Gateway Endpoints for S3/DynamoDB or Interface Endpoints for most other services).


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/9/2026 / Updated: 5/11/2026
