Instead of NAT instances, we can use NAT Gateways. NAT Gateways have many advantages compared to NAT instances. Make sure you terminate the NAT instance before creating the NAT Gateway; we don't need two resources providing internet access to the private subnet.

Here are some of the advantages:

Preferred for enterprise/production use

Scales automatically up to 10 Gbps

Not associated with security groups

Automatically assigned a public IP address (Elastic IP)

You have to update the route tables for it to take effect

No OS, so no patching is needed

No instance, so no need to disable source/destination checks



Steps to create a NAT Gateway:


Select the NAT Gateways option from the VPC navigation pane and click "Create NAT Gateway".

As with a NAT instance, the NAT Gateway must be created in the public subnet of the custom VPC.

If you have an Elastic IP that is not associated with any resource, you can use it here; if not, select the Create New EIP option and click Create a NAT Gateway.



Then edit the route table, as in the NAT instance process: select the custom VPC's main route table, set the destination and choose the NAT Gateway as the target.


Here is the NAT Gateway information after creation.


Now go to the private subnet instance and verify internet connectivity. You will be able to browse the internet, and if you look up the public IP information from the private subnet instance you will get the NAT Gateway's IP address. That means the private subnet instance is reaching the internet through the NAT Gateway.
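The route-table rules from the steps above (NAT Gateway in a public subnet, the private subnet's default route pointing at it, and no leftover NAT instance route) can be checked offline before you touch the console. The script below is an added example, not code from the original post or from AWS: the VPC description is a constructed, simplified stand-in for what `aws ec2 describe-route-tables` and `describe-nat-gateways` return, and every identifier in it (subnet-..., rtb-..., igw-example, nat-example, i-natinstance-example) is a placeholder.

```python
"""Offline check of a NAT Gateway layout (added example, not from the page).

The VPC description below is constructed; the subnet, route table, igw-,
nat- and i- identifiers are placeholders, not real AWS resource ids. The
structure is a simplified stand-in for describe-route-tables output.
"""
import copy
import ipaddress

SAMPLE_VPC = {
    "subnets": {
        "subnet-public-example":  {"cidr": "10.0.1.0/24", "route_table": "rtb-public-example"},
        "subnet-private-example": {"cidr": "10.0.2.0/24", "route_table": "rtb-main-example"},
    },
    "route_tables": {
        "rtb-public-example": [
            {"destination": "10.0.0.0/16", "target": "local"},
            {"destination": "0.0.0.0/0", "target": "igw-example"},
        ],
        "rtb-main-example": [
            {"destination": "10.0.0.0/16", "target": "local"},
            {"destination": "0.0.0.0/0", "target": "nat-example"},
        ],
    },
    "nat_gateways": {"nat-example": {"subnet": "subnet-public-example"}},
}

INTERNET_PROBE = "198.51.100.1"   # any non-VPC address; 198.51.100.0/24 is a documentation range


def lookup_route(routes, dst):
    """Longest-prefix match over a route table, as the VPC router does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route["target"])
    return best[1] if best else None


def egress_target(vpc, subnet_id, dst=INTERNET_PROBE):
    """Target that traffic from subnet_id towards dst is routed through."""
    rtb = vpc["subnets"][subnet_id]["route_table"]
    return lookup_route(vpc["route_tables"][rtb], dst)


def is_public(vpc, subnet_id):
    """A public subnet is one whose default route goes to an internet gateway."""
    target = egress_target(vpc, subnet_id)
    return target is not None and target.startswith("igw-")


def check_nat_egress(vpc):
    """Return a list of findings; an empty list means the layout follows the rules
    in the text: the NAT Gateway sits in a public subnet, private subnets send
    internet-bound traffic to it, and no route still points at a NAT instance."""
    findings = []
    for nat_id, nat in vpc["nat_gateways"].items():
        if not is_public(vpc, nat["subnet"]):
            findings.append(f"{nat_id} is in {nat['subnet']}, which has no route to an internet gateway")
    for subnet_id in vpc["subnets"]:
        if is_public(vpc, subnet_id):
            continue
        target = egress_target(vpc, subnet_id)
        if target is None:
            findings.append(f"{subnet_id} has no default route, so it has no internet access")
        elif target.startswith(("i-", "eni-")):
            findings.append(f"{subnet_id} still routes through NAT instance {target}; "
                            "terminate it and point the route at the NAT Gateway")
        elif target not in vpc["nat_gateways"]:
            findings.append(f"{subnet_id} sends internet traffic to {target}, which is not a NAT Gateway")
    return findings


def with_default_route(vpc, rtb_id, target):
    """Copy of vpc whose route table rtb_id has its 0.0.0.0/0 route pointed at target
    (None removes the default route entirely)."""
    vpc = copy.deepcopy(vpc)
    routes = [r for r in vpc["route_tables"][rtb_id] if r["destination"] != "0.0.0.0/0"]
    if target is not None:
        routes.append({"destination": "0.0.0.0/0", "target": target})
    vpc["route_tables"][rtb_id] = routes
    return vpc


if __name__ == "__main__":
    print("correct layout:", check_nat_egress(SAMPLE_VPC) or "no findings")
    leftover = with_default_route(SAMPLE_VPC, "rtb-main-example", "i-natinstance-example")
    print("leftover NAT instance route:", check_nat_egress(leftover))
    misplaced = copy.deepcopy(SAMPLE_VPC)
    misplaced["nat_gateways"]["nat-example"]["subnet"] = "subnet-private-example"
    print("NAT Gateway in private subnet:", check_nat_egress(misplaced))
```

The `is_public` test is the same one the console uses implicitly: a subnet is public only because its route table has a default route to an internet gateway, which is why a NAT Gateway dropped into a subnet without that route cannot forward anything.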


Network Access Control Lists (ACLs)


A network access control list (ACL) is another layer of security that acts as a stateless firewall at the subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.

Every subnet must be associated with a network ACL

Security Groups Vs Network ACLs

Navigate to "Network ACLs" under the "Security" option and choose "Create Network ACL".


Give a name for the new Network ACL and create it under the custom VPC.


A newly created NACL will not have any subnets associated with it.


By default, all inbound and outbound traffic is set to Deny.

The following are the parts of a network ACL rule:

Rule number: Rules are evaluated starting with the lowest-numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it.

Protocol: You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.

[Inbound rules only] The source of the traffic (CIDR range) and the destination (listening) port or port range.

[Outbound rules only] The destination for the traffic (CIDR range) and the destination port or port range.

Choice of ALLOW or DENY for the specified traffic.

AWS suggests creating rules in increments of 100.

If you want to use this Network ACL with Elastic Load Balancers, open the ephemeral ports in both the inbound and outbound rules.

The ephemeral port range varies depending on the client's operating system. Many Linux kernels use ports 32768-61000.

Elastic Load Balancing uses ports 1024-65535.

Windows Server 2008 and later versions use ports 49152-65535.

A NAT Gateway uses ports 1024-65535.


Perform the same for the outbound rules too, as Network ACLs are stateless.


Network ACLs also have a Deny option. We can create another rule for the same protocol and set it to Allow or Deny based on our requirement. The lowest-numbered rule takes the highest priority.
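The three behaviours described above (lowest rule number wins, the implicit deny for unmatched traffic, and the stateless need for a matching outbound rule on the ephemeral port range) are easy to get wrong when writing rules by hand. The simulator below is an added example, not code from the original post or from AWS; the rule set, the client addresses (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges) and the port numbers are constructed samples, and ICMP type/code matching is not modelled.

```python
"""Simulate network ACL evaluation (added example, not from the page).

Rules, addresses and ports below are constructed samples; 198.51.100.0/24 and
203.0.113.0/24 are documentation ranges, not real clients. ICMP type/code
matching is not modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # evaluated lowest-first, as AWS does
    protocol: str     # "tcp", "udp", "icmp" or "all"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    addr: str         # the remote address: source when inbound, destination when outbound
    port: int         # the packet's destination port


def evaluate(rules, packet):
    """Return "allow" or "deny": rules are tried in ascending rule-number order,
    the first match decides, and the implicit '*' rule denies everything else."""
    addr = ipaddress.ip_address(packet.addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if not rule.port_from <= packet.port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def connection_allowed(inbound, outbound, client_addr, client_port, server_port, protocol="tcp"):
    """Statelessness check: a client connection only works if the request arriving on
    server_port AND the reply leaving for the client's ephemeral port are both allowed."""
    request = Packet(protocol, client_addr, server_port)
    reply = Packet(protocol, client_addr, client_port)
    return evaluate(inbound, request) == "allow" and evaluate(outbound, reply) == "allow"


# Constructed web-tier NACL, numbered in increments of 100, with one lower-numbered
# deny placed in front of the broad allow so that it wins for that range.
INBOUND = [
    Rule(50, "tcp", "203.0.113.0/24", 443, 443, "deny"),
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),   # replies to the subnet's own outbound requests
]
OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),   # replies back to clients' ephemeral ports
]
OUTBOUND_WITHOUT_EPHEMERAL = [r for r in OUTBOUND if r.number != 110]


if __name__ == "__main__":
    print(evaluate(INBOUND, Packet("tcp", "198.51.100.7", 443)))   # allow (rule 100)
    print(evaluate(INBOUND, Packet("tcp", "203.0.113.9", 443)))    # deny  (rule 50 wins over 100)
    print(evaluate(INBOUND, Packet("tcp", "198.51.100.7", 22)))    # deny  (implicit '*' rule)
    print(connection_allowed(INBOUND, OUTBOUND, "198.51.100.7", 50000, 443))                    # True
    print(connection_allowed(INBOUND, OUTBOUND_WITHOUT_EPHEMERAL, "198.51.100.7", 50000, 443))  # False
```

The last two calls show the failure mode the text warns about: with the outbound ephemeral rule removed, the inbound HTTPS request is still accepted but the server's reply to the client's port 50000 is dropped, so the connection hangs even though "the allow rule is there".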
