What is a NAT Gateway?


Updated on July 21, 2025

Network Address Translation (NAT) Gateway is a fully managed, highly available, and scalable service that cloud providers offer to enable secure internet connectivity for resources in private subnets. Unlike traditional NAT instances that require manual configuration and maintenance, NAT Gateway provides a streamlined solution for outbound internet access while maintaining the security of your private network resources.

Understanding NAT Gateway is crucial for cloud engineers and network administrators who need to architect secure, scalable cloud environments. This managed service eliminates the complexity of maintaining NAT instances while providing enterprise-grade availability and performance for your cloud infrastructure.

Definition and Core Concepts

A NAT Gateway serves as a Network Address Translation service that sits in a public subnet and translates the private IP addresses of resources in private subnets to its own public IP address. Because many private hosts share that one public address, the gateway also rewrites the source port of each connection (port address translation) so that it can tell the returning replies apart. This translation allows private resources to initiate outbound connections to the internet while preventing unsolicited inbound traffic from reaching them.

The service operates as a managed component within your Virtual Private Cloud (VPC) or Virtual Network (VNet), depending on your cloud provider. Cloud providers handle all maintenance, patching, and scaling automatically, reducing administrative overhead for your IT teams.

Private Subnet

A private subnet contains no direct route to an internet gateway. Resources deployed in private subnets receive private IP addresses that cannot be accessed directly from the internet. Database servers, application servers, and other backend resources typically reside in private subnets for security purposes.

Public Subnet

A public subnet maintains a direct route to an internet gateway through its route table. Resources in public subnets can receive public IP addresses and communicate directly with the internet. Web servers and internet-facing load balancers are commonly placed in public subnets, and a NAT Gateway must be, because it needs the internet gateway route to forward traffic out.

Outbound Traffic

Outbound traffic refers to network requests initiated from resources within your private network to external destinations on the internet. This includes software updates, API calls, and data synchronization processes that private resources need to perform.

Unsolicited Inbound Traffic

Unsolicited inbound traffic represents connection attempts initiated from external sources trying to reach internal resources. NAT Gateway drops this traffic by design: an inbound packet that matches no entry in its translation table has nowhere to go. Note that this is a consequence of how translation works, not a policy firewall; security groups and network ACLs remain the place to express which traffic is allowed.

Managed Service

A managed service means the cloud provider handles provisioning, monitoring, maintenance, and scaling without requiring manual intervention. This reduces operational complexity and ensures consistent performance and availability.

High Availability (HA)

High Availability refers to a system's ability to remain operational despite component failures. NAT Gateway achieves HA through redundancy within its availability zone, automatically handling failover scenarios without service interruption. The gateway is still tied to that one zone: if the zone fails, every subnet routed through it loses internet access. The usual pattern is therefore one NAT Gateway per availability zone, with each private subnet routed to the gateway in its own zone.

Scalability

Scalability represents the system’s ability to handle increasing traffic demands without performance degradation. NAT Gateway automatically scales bandwidth and processing capacity based on traffic patterns.

SNAT (Source Network Address Translation)

Source Network Address Translation is the specific type of NAT performed by NAT Gateway. SNAT modifies the source IP address of outbound packets, replacing private IP addresses with the NAT Gateway's public IP address, and in practice rewrites the source port as well so that connections from many private hosts can share that single address.


How It Works

NAT Gateway operates through a series of coordinated steps that enable secure outbound connectivity for private resources.

Placement

NAT Gateway deploys in a public subnet with a configured route to an internet gateway. A static public IP address is assigned to the gateway when it is created, and that address is what external services see as the source of every connection from your private subnets. If a third party allow-lists your traffic by IP, this is the address to give them.

Routing Configuration

The route table for private subnets contains an entry that directs all internet-bound IPv4 traffic (0.0.0.0/0) to the NAT Gateway. Because routing uses the most specific matching prefix, more specific routes such as the VPC's local route, peering routes, or routes to private service endpoints still win over the default route; only traffic with no better match flows through the NAT Gateway for translation. IPv6 traffic is not translated; on AWS, for example, outbound-only IPv6 access uses an egress-only internet gateway instead.
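The placement and routing rules above can be checked mechanically. The following Python is an added example, not JumpCloud's or any cloud provider's code. It walks route tables in the shape that AWS's describe-route-tables output uses (RouteTableId, Routes, Associations) and flags the usual mistakes: a NAT Gateway placed in a subnet with no internet gateway route, a private subnet whose default route points at a deleted gateway (a blackhole route), a private subnet routed straight to the internet gateway, or one with no default route at all. The route tables, subnet IDs and CIDRs are constructed sample data.

```python
"""Validate NAT gateway routing from describe-route-tables style data.

Added example (not JumpCloud's or AWS's code). The dictionaries mirror the
shape of `aws ec2 describe-route-tables` output, but every ID and CIDR is
constructed sample data.
"""

DEFAULT_V4 = "0.0.0.0/0"


def table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with a subnet, or the
    VPC's main route table when no explicit association exists."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """Return (target_id, state) for the 0.0.0.0/0 route, or None."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_V4:
            continue
        target = (route.get("NatGatewayId") or route.get("GatewayId")
                  or route.get("InstanceId") or route.get("NetworkInterfaceId"))
        # A route whose target was deleted is reported with state 'blackhole'.
        return target, route.get("State", "active")
    return None


def check_nat_routing(route_tables, private_subnets, nat_gateway_subnet):
    """Return a list of human-readable findings; an empty list means the
    routing matches the NAT gateway pattern."""
    findings = []

    # Rule 1: the subnet hosting the NAT gateway must reach the internet gateway.
    rt = table_for_subnet(route_tables, nat_gateway_subnet)
    dr = default_route(rt) if rt else None
    if dr is None or not str(dr[0]).startswith("igw-") or dr[1] != "active":
        findings.append(
            f"{nat_gateway_subnet}: NAT gateway subnet default route is {dr}, "
            "expected an active route to an internet gateway (igw-*)")

    # Rules 2 and 3: each private subnet sends 0.0.0.0/0 to a live NAT gateway
    # and never straight to the internet gateway.
    for subnet in private_subnets:
        rt = table_for_subnet(route_tables, subnet)
        dr = default_route(rt) if rt else None
        if dr is None:
            findings.append(f"{subnet}: no default route; no outbound internet path")
        elif dr[1] != "active":
            findings.append(f"{subnet}: default route to {dr[0]} is {dr[1]} "
                            "(target deleted?)")
        elif str(dr[0]).startswith("igw-"):
            findings.append(f"{subnet}: default route goes to {dr[0]}; "
                            "this subnet is effectively public")
        elif not str(dr[0]).startswith("nat-"):
            findings.append(f"{subnet}: default route goes to {dr[0]}, "
                            "expected a NAT gateway (nat-*)")
    return findings


# Constructed sample: one public subnet, three private subnets, two of them wrong.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
     "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": DEFAULT_V4, "GatewayId": "igw-0abc", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-pub-a"}]},
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": DEFAULT_V4, "NatGatewayId": "nat-0123", "State": "active"}],
     "Associations": [{"SubnetId": "subnet-priv-a"}]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # NAT gateway nat-0dead was deleted; its route remains as a blackhole.
        {"DestinationCidrBlock": DEFAULT_V4, "NatGatewayId": "nat-0dead", "State": "blackhole"}],
     "Associations": [{"SubnetId": "subnet-priv-b"}]},
]
# subnet-priv-c has no explicit association and therefore falls back to rtb-main.
PRIVATE_SUBNETS = ["subnet-priv-a", "subnet-priv-b", "subnet-priv-c"]

if __name__ == "__main__":
    for finding in check_nat_routing(SAMPLE_ROUTE_TABLES, PRIVATE_SUBNETS, "subnet-pub-a"):
        print("FINDING:", finding)
```

Run against the sample, the checker reports subnet-priv-b (blackhole route to a deleted gateway) and subnet-priv-c (inherits the main table, which has no default route); passing the NAT gateway's own subnet as a private one, or placing the gateway in a subnet without an internet gateway route, produces the corresponding finding. In a real account the input would come from describe-route-tables and the private subnet list from your own inventory.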

Outbound Traffic Translation

When an instance in a private subnet initiates an internet request, the traffic routes to the NAT Gateway. The NAT Gateway performs Source Network Address Translation, replacing the instance’s private IP address with its own public IP address before forwarding the request to the internet destination.

The NAT Gateway maintains a translation table that tracks active connections. This table records the original private IP address, port numbers, and destination information for each outbound connection.

Inbound Traffic Handling

When the external service responds to the request, the response traffic returns to the NAT Gateway’s public IP address. The NAT Gateway consults its translation table to determine the original private IP address and forwards the response back to the requesting instance in the private subnet.

This process ensures that only responses to established outbound connections can reach private resources.

Security Boundary

NAT Gateway enforces a security boundary by maintaining stateful connections. Only traffic that corresponds to established outbound connections can traverse the NAT Gateway in the inbound direction. This mechanism prevents unsolicited inbound connections from reaching private resources.
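To make the translation table and the security boundary concrete, here is an added Python model of a stateful NAT gateway; it is not code from the page or from any cloud provider. It allocates a public source port per outbound flow, restores replies from the table, drops inbound packets that match no flow, and shows the port-exhaustion failure mode that appears when too many concurrent flows target a single destination. Addresses and the port range are constructed for illustration, and the class and method names are this example's own.

```python
"""Stateful source NAT (with port translation) as a NAT gateway performs it.

Added example, not code from the page or any cloud provider. Addresses and
the port range are constructed; real gateways use a large ephemeral range
and cap concurrent flows per destination.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortExhausted(Exception):
    """No free public port left toward this destination."""


class NatGateway:
    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        # Translation table, outbound direction:
        #   (proto, private_ip, private_port, dst_ip, dst_port) -> public_port
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}
        # Reverse lookup used for replies:
        #   (proto, public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.replies: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # Public ports in use, tracked per destination: one public port can serve
        # flows to different destinations because the reply's source address is
        # part of the reverse key.
        self.used: Dict[Tuple[str, str, int], Set[int]] = {}

    def _allocate_port(self, proto: str, dst_ip: str, dst_port: int) -> int:
        used = self.used.setdefault((proto, dst_ip, dst_port), set())
        for port in range(self.lo, self.hi + 1):
            if port not in used:
                used.add(port)
                return port
        raise PortExhausted(f"no free port toward {dst_ip}:{dst_port}/{proto}")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Private host -> internet: rewrite source IP and port, record the flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.flows.get(key)
        if public_port is None:
            public_port = self._allocate_port(pkt.proto, pkt.dst_ip, pkt.dst_port)
            self.flows[key] = public_port
            self.replies[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: forward only if the packet answers a recorded flow."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.replies.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None     # unsolicited: no mapping exists, so the packet is dropped
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)

    def close_flow(self, pkt: Packet) -> None:
        """Release a mapping (a TCP close or idle timeout in a real gateway)."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.flows.pop(key, None)
        if public_port is not None:
            self.replies.pop((pkt.proto, public_port, pkt.dst_ip, pkt.dst_port), None)
            self.used[(pkt.proto, pkt.dst_ip, pkt.dst_port)].discard(public_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.10")
    out = gw.translate_outbound(Packet("tcp", "10.0.2.15", 51000, "198.51.100.7", 443))
    print("outbound as seen by the server:", out)
    back = gw.translate_inbound(Packet("tcp", "198.51.100.7", 443, gw.public_ip, out.src_port))
    print("reply delivered to:", back)
    print("unsolicited SYN:", gw.translate_inbound(Packet("tcp", "198.51.100.7", 443, gw.public_ip, 2222)))
```

Two properties of the model are worth noticing. The reverse key includes the remote address, which is why the same public port can be reused toward different destinations and why the real limit is on concurrent flows per destination rather than per gateway; when that per-destination range is used up, new connections fail until existing mappings close or time out, which is the "port allocation" error an operator sees when one backend hammers a single API endpoint. And an inbound packet to the gateway's public IP with no matching entry is simply discarded, which is the whole of the inbound security boundary.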

Key Features and Components

Managed Service

Cloud providers handle all aspects of NAT Gateway maintenance, including security patching, software updates, and infrastructure management. This reduces administrative overhead and ensures consistent security standards.

High Availability and Scalability

NAT Gateway automatically scales to meet traffic demands and provides redundancy within its availability zone. The service handles bandwidth increases seamlessly without requiring manual intervention or capacity planning. Redundancy across zones is your responsibility: deploy one gateway per availability zone and route each private subnet to the gateway in its own zone, so that a zone outage does not take down outbound access everywhere.

Security

NAT Gateway protects private instances by preventing direct inbound connections from the internet. The service only allows return traffic for established outbound connections, maintaining the security posture of private subnets. It places no restriction on where outbound connections may go, however; if you need to limit which external destinations private instances can reach, apply that with security groups, network ACLs, or an egress filtering appliance in front of or instead of the gateway.

Simplified Management

NAT Gateway reduces network configuration complexity compared to NAT instances. The managed service eliminates the need for manual scaling, monitoring, and maintenance tasks that traditional NAT instances require.

Cost Efficiency

NAT Gateway conserves public IP addresses by allowing many private instances to share a single public IP address for outbound connectivity, which reduces address consumption and the cost of holding public addresses. Providers do charge for the gateway itself, typically per hour plus a fee per gigabyte processed, so large volumes of traffic to the provider's own services are usually cheaper and better isolated over private service endpoints that bypass the NAT Gateway.

Use Cases and Applications

NAT Gateway serves several critical functions in cloud architectures:

Software updates and patches for instances in private subnets require internet access. NAT Gateway enables these instances to download updates while maintaining their private network isolation.

Private instances often need to access external APIs and services for application functionality. NAT Gateway provides this connectivity without exposing the instances to inbound internet traffic.

Multi-tier applications benefit from NAT Gateway when web servers reside in public subnets while database servers remain in private subnets. The database servers can access external services through NAT Gateway while staying protected from direct internet access.

Cloud resources without public IP addresses use NAT Gateway to establish outbound connectivity for monitoring, logging, and integration with external services.

Key Terms Appendix

  • NAT Gateway: A managed Network Address Translation service in cloud environments that enables outbound internet connectivity for private resources.
  • NAT (Network Address Translation): A networking technique that remaps IP addresses by modifying network address information in packet headers.
  • Private Subnet: A subnet without a direct route to the internet, containing resources with private IP addresses.
  • Public Subnet: A subnet with a direct route to the internet through an internet gateway.
  • Outbound Traffic: Network traffic originating from internal resources and destined for external networks.
  • SNAT (Source Network Address Translation): The NAT type that modifies the source IP address, and usually the source port, of outbound packets.
  • Managed Service: A cloud service that is automatically provisioned, managed, and maintained by the cloud provider.
  • High Availability (HA): A system’s ability to remain operational despite component failures through redundancy and failover mechanisms.
