NAT Gateway vs NAT Instance: What It Is and When to Use It

Definition

A NAT (Network Address Translation) Gateway and a NAT Instance are both AWS solutions that enable Amazon EC2 instances in a private subnet to initiate outbound traffic to the internet or other AWS services, while preventing unsolicited inbound connections from the internet. They solve the common problem of needing to securely download updates, patches, or access external APIs from backend servers that are not directly exposed to the public.

How It Works

Both solutions work by being placed in a public subnet and acting as an intermediary. Instances in a private subnet have their internet-bound traffic (typically for destination 0.0.0.0/0) directed to the NAT device via a route table rule. The NAT device then uses its own public Elastic IP address to send the traffic to the internet. When response traffic returns, the NAT device translates the address back and forwards it to the correct private instance.

  • Amazon NAT Gateway: This is a fully managed AWS service. You create a NAT Gateway in a specific Availability Zone (AZ), associate an Elastic IP with it, and update the route table for your private subnet(s) to point to it. AWS handles all the underlying infrastructure, including redundancy within that AZ, scaling, and maintenance.

  • NAT Instance: This is a standard EC2 instance that you configure to perform NAT. You launch an instance from a specialized Amazon Machine Image (AMI), place it in a public subnet, assign it an Elastic IP, and crucially, disable the Source/Destination Check attribute on the instance's network interface. You are responsible for managing the instance's size, OS patching, and creating any high-availability setup.
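To make the translation step concrete, here is a small Python model of what the NAT device described above does with a packet. It is an added, constructed example, not AWS code and not a model of the NAT Gateway's internals: it keeps a translation table keyed by the public port it hands out, rewrites outbound source addresses to the NAT's Elastic IP (the address 203.0.113.5 and the private/remote addresses below are documentation-range values chosen for the example), maps replies back to the originating private instance, and drops any inbound packet that has no matching entry, which is why unsolicited connections from the internet never reach the private subnet. The port pool is deliberately tiny so the exhaustion case (a new flow arriving when no free port is left) is visible.

```python
"""Toy model of the address translation a NAT device performs (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Source NAT with a per-flow translation table (illustrative model, not AWS's implementation)."""

    def __init__(self, public_ip: str, port_range=(1024, 65535)):
        self.public_ip = public_ip            # the Elastic IP the NAT device sends from
        self.port_lo, self.port_hi = port_range
        self.next_port = self.port_lo
        self.by_public_port = {}   # public port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.by_flow = {}          # (priv_ip, priv_port, dst_ip, dst_port) -> public port

    def _allocate_port(self) -> Optional[int]:
        """Hand out the next free public port, or None when the pool is exhausted."""
        size = self.port_hi - self.port_lo + 1
        for _ in range(size):
            port = self.next_port
            self.next_port = self.port_lo + (port - self.port_lo + 1) % size
            if port not in self.by_public_port:
                return port
        return None

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private instance -> internet: rewrite the source to the public IP and remember the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self._allocate_port()
            if port is None:
                return None       # no free port: the new flow is dropped
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public IP: forward only packets that belong to a flow we opened."""
        flow = self.by_public_port.get(pkt.dst_port)
        if flow is None:
            return None           # unsolicited inbound: no mapping, dropped
        priv_ip, priv_port, dst_ip, dst_port = flow
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None           # mapping belongs to a different remote peer: dropped
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Walk one outbound flow, its reply, an unsolicited probe, and port-pool exhaustion."""
    nat = NatDevice("203.0.113.5", port_range=(1024, 1025))  # two-port pool to show exhaustion
    out1 = nat.translate_outbound(Packet("10.0.1.10", 40000, "198.51.100.20", 443))
    reply = nat.translate_inbound(Packet("198.51.100.20", 443, "203.0.113.5", out1.src_port))
    unsolicited = nat.translate_inbound(Packet("198.51.100.99", 12345, "203.0.113.5", 22))
    out2 = nat.translate_outbound(Packet("10.0.1.11", 40000, "198.51.100.20", 443))
    out3 = nat.translate_outbound(Packet("10.0.1.12", 40000, "198.51.100.20", 443))
    return {"out1": out1, "reply": reply, "unsolicited": unsolicited, "out2": out2, "out3": out3}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

The model keys the table by public port only; a real device also tracks the protocol and expires idle entries, but the shape of the decision is the same: an inbound packet is forwarded only when it matches a flow a private instance started.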

Key Features and Limits

Amazon NAT Gateway

  • Managed Service: AWS manages the administration, patching, and availability, making it a low-maintenance option.
  • High Availability: It is redundant by design within the Availability Zone where it is deployed. For multi-AZ resilience, the best practice is to deploy one NAT Gateway per AZ.
  • Scalability: Bandwidth automatically scales up to 100 Gbps.
  • Performance: Can process up to 10 million packets per second and supports up to 55,000 concurrent connections per associated IP address.
  • Security: You cannot attach a Security Group directly to a NAT Gateway. Security is controlled by Security Groups on the private instances and Network ACLs (NACLs) on the subnets.
  • Connectivity Types: As of late 2025, NAT Gateways can be deployed in a traditional zonal mode or a newer, simpler Regional mode that automatically covers multiple AZs.
  • IPv6 Support: NAT Gateways support NAT64 for IPv6 traffic, allowing IPv6 workloads to communicate with IPv4 resources.

NAT Instance

  • Self-Managed: You are responsible for all maintenance, including OS patching, monitoring, and failure recovery.
  • High Availability: Not inherently highly available. Achieving HA requires custom solutions like Auto Scaling Groups and health check scripts.
  • Scalability: Bandwidth is limited by the EC2 instance type you choose.
  • Security: You can attach Security Groups directly to the NAT Instance, allowing for more granular, instance-level firewall rules.
  • Flexibility: Can be used for other purposes, such as a bastion host for SSH access or for advanced networking features like port forwarding.
  • Configuration: Requires manual steps, including launching from a NAT AMI, disabling the source/destination check, and configuring route tables.

Common Use Cases

  • NAT Gateway: The recommended choice for most production workloads. It's ideal for enterprise applications, backend services needing to call external APIs, and any scenario where high availability, scalability, and minimal operational overhead are critical.

  • NAT Instance: Best suited for specific scenarios. This includes development/test environments where cost is a primary concern and availability is less critical, or when you need advanced features like port forwarding or want to combine the NAT function with a bastion host on a single instance.

Pricing Model

The cost difference is a significant factor in choosing between the two.

  • Amazon NAT Gateway: You are billed for two main components: an hourly charge for each hour the gateway is provisioned, and a per-gigabyte data processing fee for all traffic that passes through it. Standard AWS data transfer charges (e.g., for data leaving AWS to the internet) apply on top of the processing fee. Since February 2024, there is also a small hourly charge for the public IPv4 address it uses.

  • NAT Instance: The cost is based on the standard hourly rate for the EC2 instance type you select. You also pay for standard EC2 data transfer charges. There is no separate data processing fee, which can make it more cost-effective for workloads with very high data volumes but predictable bandwidth needs.

For a detailed comparison, always consult the AWS Pricing Calculator.

Pros and Cons

| Feature | Amazon NAT Gateway | NAT Instance |
| :--- | :--- | :--- |
| Management | Fully managed by AWS | Self-managed by the user |
| High Availability | Built-in redundancy within an AZ | Requires manual setup (scripts, ASGs) |
| Scalability | Automatic, up to 100 Gbps | Limited by EC2 instance type |
| Maintenance | None required from the user | User is responsible for all patching and updates |
| Security | No direct Security Group attachment | Can have Security Groups attached |
| Flexibility | Limited; cannot be a bastion host, no port forwarding | High; can serve as a bastion host, supports port forwarding |
| Cost Model | Per hour + per GB processed | Per EC2 instance hour |

Comparison with Alternatives

  • Internet Gateway (IGW): An IGW provides two-way (inbound and outbound) internet connectivity for instances in a public subnet. In contrast, NAT devices provide one-way (outbound-only) access for instances in a private subnet.

  • VPC Endpoints: For accessing AWS services like Amazon S3 and Amazon DynamoDB, VPC Gateway Endpoints are a superior alternative. They provide a private, secure connection to these services without traffic ever leaving the AWS network, are free to use, and avoid the NAT Gateway's data processing fees. For other services, Interface Endpoints (powered by AWS PrivateLink) offer similar benefits at a lower cost than routing traffic through a NAT Gateway.

Exam Relevance

This topic is fundamental for several AWS certifications, including:

  • AWS Certified Solutions Architect - Associate (SAA-C03)
  • AWS Certified SysOps Administrator - Associate (SOA-C02)
  • AWS Certified Developer - Associate (DVA-C02)
  • AWS Certified Advanced Networking - Specialty (ANS-C01)

Examinees must know the architectural differences, particularly regarding high availability, scalability, and security (Security Groups vs. NACLs). Scenario-based questions often require choosing the correct solution based on requirements for management overhead, cost, and specific features like bastion host capabilities. A common exam question involves knowing that a NAT Gateway must be placed in a public subnet to function.

Frequently Asked Questions

Q: Is a NAT Gateway or NAT Instance more expensive?

A: It depends on the traffic pattern. For low or intermittent traffic, a small NAT Instance (like a t3.nano) can be cheaper due to the NAT Gateway's constant hourly charge. For high, sustained traffic, a NAT Gateway can be more cost-effective because you don't need to provision a large, expensive EC2 instance, although the data processing fees can add up significantly.

Q: Why is my NAT Instance not working?

A: The most common configuration errors are: 1) forgetting to disable the Source/Destination Check on the EC2 instance's network interface, 2) incorrect route table entries in the private subnet (the destination should be 0.0.0.0/0 with the target as the NAT instance's ID), and 3) misconfigured Security Groups or Network ACLs blocking traffic.

Q: Can a single NAT Gateway serve multiple Availability Zones?

A: While a single zonal NAT Gateway can be used by instances in other AZs, it is an anti-pattern for high availability. If the AZ containing the NAT Gateway goes down, instances in all other AZs lose internet connectivity. The AWS best practice for resilience is to deploy a NAT Gateway in each AZ and configure routing so that resources use the local gateway. The newer Regional NAT Gateway option simplifies this multi-AZ architecture.
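The two preceding answers (the NAT Instance troubleshooting list and the one-NAT-per-AZ guidance) can be turned into static checks over a VPC description. The following Python script is an added example, not part of the original article and not an AWS tool; the VPC data it inspects is constructed, uses a simplified shape rather than real `describe-*` output, and all subnet, route table, gateway and instance identifiers in it are made up. It flags a private subnet whose route table has no 0.0.0.0/0 route, a NAT Instance target that still has Source/Destination Check enabled, a NAT Instance Security Group that does not admit the private subnet's CIDR, a NAT device that sits in a subnet without an Internet Gateway route (i.e. not a public subnet), and a private subnet routed to a NAT device in a different Availability Zone.

```python
"""Static checks for the NAT misconfigurations described in the FAQ (constructed example)."""
import ipaddress

# Constructed VPC description; identifiers and CIDRs are made up for the example.
VPC = {
    "subnets": {
        "subnet-pub-a":  {"az": "us-east-1a", "cidr": "10.0.0.0/24", "route_table": "rtb-pub"},
        "subnet-priv-a": {"az": "us-east-1a", "cidr": "10.0.1.0/24", "route_table": "rtb-priv-a"},
        "subnet-priv-b": {"az": "us-east-1b", "cidr": "10.0.2.0/24", "route_table": "rtb-priv-b"},
        "subnet-priv-c": {"az": "us-east-1c", "cidr": "10.0.3.0/24", "route_table": "rtb-priv-c"},
        "subnet-priv-d": {"az": "us-east-1a", "cidr": "10.0.4.0/24", "route_table": "rtb-priv-d"},
    },
    "route_tables": {
        "rtb-pub":    [{"dest": "0.0.0.0/0", "target": "igw-0123"}],
        "rtb-priv-a": [{"dest": "0.0.0.0/0", "target": "nat-0aaa"}],   # correct: local-AZ NAT GW
        "rtb-priv-b": [{"dest": "0.0.0.0/0", "target": "i-0bbb"}],     # NAT instance in another AZ
        "rtb-priv-c": [],                                               # default route missing
        "rtb-priv-d": [{"dest": "0.0.0.0/0", "target": "nat-0ddd"}],   # NAT GW placed in a private subnet
    },
    "nat_gateways": {
        "nat-0aaa": {"subnet": "subnet-pub-a"},
        "nat-0ddd": {"subnet": "subnet-priv-a"},
    },
    "instances": {
        "i-0bbb": {"subnet": "subnet-pub-a", "source_dest_check": True, "security_group": "sg-nat"},
    },
    "security_groups": {
        "sg-nat": {"ingress": ["10.0.1.0/24"]},   # admits only subnet-priv-a, not subnet-priv-b
    },
}


def default_route_target(vpc, subnet_id):
    """Return the target of the subnet's 0.0.0.0/0 route, or None if there is none."""
    rtb = vpc["subnets"][subnet_id]["route_table"]
    for route in vpc["route_tables"].get(rtb, []):
        if route["dest"] == "0.0.0.0/0":
            return route["target"]
    return None


def is_public(vpc, subnet_id):
    """A subnet is public when its default route points at an Internet Gateway."""
    target = default_route_target(vpc, subnet_id)
    return target is not None and target.startswith("igw-")


def check_nat_routing(vpc):
    """Return sorted (subnet_id, finding) pairs for every private subnet with a NAT problem."""
    findings = []
    for subnet_id, subnet in vpc["subnets"].items():
        if is_public(vpc, subnet_id):
            continue  # public subnets reach the IGW directly; nothing to check
        target = default_route_target(vpc, subnet_id)
        if target is None:
            findings.append((subnet_id, "NO_DEFAULT_ROUTE"))
            continue
        if target.startswith("nat-"):
            device = vpc["nat_gateways"].get(target)
        elif target.startswith("i-"):
            device = vpc["instances"].get(target)
            if device is not None:
                if device.get("source_dest_check", True):
                    findings.append((subnet_id, "SRC_DST_CHECK_ENABLED"))
                sg = vpc["security_groups"].get(device["security_group"], {})
                subnet_net = ipaddress.ip_network(subnet["cidr"])
                if not any(subnet_net.subnet_of(ipaddress.ip_network(c)) for c in sg.get("ingress", [])):
                    findings.append((subnet_id, "SG_DOES_NOT_ALLOW_SUBNET"))
        else:
            findings.append((subnet_id, "UNEXPECTED_TARGET"))
            continue
        if device is None:
            findings.append((subnet_id, "TARGET_NOT_FOUND"))
            continue
        if not is_public(vpc, device["subnet"]):
            findings.append((subnet_id, "NAT_NOT_IN_PUBLIC_SUBNET"))
        if vpc["subnets"][device["subnet"]]["az"] != subnet["az"]:
            findings.append((subnet_id, "CROSS_AZ_NAT"))
    return sorted(findings)


if __name__ == "__main__":
    for subnet_id, finding in check_nat_routing(VPC):
        print(f"{subnet_id}: {finding}")
```

The Security Group check is deliberately a coverage test (is the private subnet's CIDR inside some ingress rule?) rather than a demand for a wide-open rule, so a NAT Instance that admits only the subnets it serves passes. Network ACLs are not modelled here; in a real audit they would be checked the same way on both the private and the public subnet.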


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/10/2026 / Updated: 5/11/2026

