Skip to main content

Creating a NAT Gateway in AWS

Hands-On Lab


Photo of

Training Architect





In this lab, we will demonstrate how to set up a NAT Gateway to allow an EC2 instance in a private subnet to access the Internet.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


In this lab, we will demonstrate how to set up a NAT Gateway to allow an EC2 instance on a private subnet to access the Internet (for updates, etc). The lab environment has been prepared with a private subnet and a public subnet. We will begin by creating an EC2 instance for each of those subnets.

Create Instances

We will set up a new instance on the existing private subnet to demonstrate the benefit of a NAT Gateway.

  • Navigate to the Instances section of the EC2 Dashboard.
  • Click the Launch Instance button.
  • Locate the Amazon Linux AMI and click the Select button.
  • Ensure that t2.micro is selected and click Next: Configure Instance Details.
  • For the Subnet setting, select the subnet with the name of Private.
  • Click the Review and Launch button.
  • Notice the default Security Groups settings have allowed SSH access.
  • Click the Launch button.
  • Create and download a new key pair (this guide uses the key pair name of nat-lab-keypair).

Since a private subnet does not have an Internet gateway attached, the instance we just created within it cannot interact with the outside world. This can be beneficial from a security standpoint. If there is no way to connect to it over the Internet, the chances of unauthorized access are decreased. If the instance itself can't access the Internet, however, it's easy to realize some problems. For example, the instance may need to download security updates from the Internet. .

To demonstrate this problem, we will connect to the instance we just created via SSH and attempt to rum sudo yum update. Since the instance is private, however, we will need to create a new instance on the public subnet and connect through it.

  • Launch another t2.micro instance using the Amazon Linux AMI.
  • This time, choose the Subnet named Public in the Configure Instance Details section.
  • The rest of the default configuration is fine (notice that the Security Group allows SSH by default).
  • Click the Launch button and choose to use the existing key pair that you created earlier (nat-lab-keypair).

Just as a reminder: We intend to connect to the private instance, but must do so from the public instance since it is in the same VPC.

  • Open a new terminal window.
  • Use cd to navigate to the location of your downloaded nat-lab-keypair file.
  • Use chmod 400 nat-lab-keypair to set the proper permissions on it.
  • Add the key to our ssh agent with ssh-add "nat-lab-keypair.pem".
  • Connect to the public instance via SSH. Use the -A option so we can easily connect to the private instance in a moment: ssh -A ec2-user@<HOSTNAME-OF-PUBLIC-INSTANCE> (you can find the public instance hostname by right clicking the public instance in the Instances section of the EC2 dashboard, then clicking "Connect").

Once logged into the public instance, we will use the local IP of the private instance and connect with SSH.


Now we are logged into the private instance. Run the following command:

sudo yum update

The command will time out since the instance cannot access the internet. We can solve this problem with a NAT Gateway.

NAT Gateway

Leave the terminal window open and connected to the private instance. Head back to your browser.

  • Navigate to the VPC Dashboard in AWS.
  • Click the NAT Gateways link in to the left of the page.
  • Create a new NAT Gateway.
  • We want to assign this new NAT Gateway to the Public subnet so it can access the Internet. Click the text field for the Subnet setting. Select the subnet titled Public.
  • Use the Create New EIP button to create and select a new Elastic IP.
  • Click the Edit Route Tables button.
  • Select the route table associated to our Private subnet. Note: The private subnet was not explicitly assigned to the route table containing an Internet Gateway; therefore, it was implicitly associated to the Main route table. The Main route table in the list.
  • Click on the Routes tab in the settings pane at the bottom of the page.
  • Click the Edit.
  • Add another route with a Destination of (signifying any/all IP addresses).
  • Choose the NAT we just created as the Target (identified by the nat prefix).
  • Click the Save button.

Wait a few moments while the NAT Gateway starts up. You can check its Status by navigating back to the NAT Gateways section of the VPC Dashboard. Use the refresh button occasionally. Once the status goes from Pending to Available, navigate back to the terminal window that's currently connect to the Private instance.

Recall that the instance had no access to the internet earlier. The sudo yum update command timed out. Since we have now added a NAT Gateway and configured it properly, re-running the command will work as expected.

sudo yum update

You should see the expected output and be able access anything else that requires the Internet. Remember that the Public instance we used to connect to the Private one is not necessary here. It was only used to let us connect to the private instance to demonstrate the function of the NAT Gateway. The Private instance is now able to pull in updates, download files, etc, but cannot be accessed directly from the Internet.