
AWS beginner here. This question is about NAT instances.

As per the docs "You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet."

But can this not be achieved by using a security group with an outbound rule of "0.0.0.0/0: All traffic" and restricting the inbound rule to receive only from within the VPC?

What am I missing here?

Asked by Aravind (edited by slm)

1 Answer


But can this not be achieved by using a security group with an outbound rule of "0.0.0.0/0: All traffic" and restricting the inbound rule to receive only from within the VPC?

The above is true only if the instances also have a public IP address assigned to them. If they do not have a public IP assigned to them, then the NAT gateway/instance is required for Internet access.

Answered by Mark B

Comments:
    Thanks for the answer. If I do assign public IPs and restrict inbound traffic using a security group, am I in effect achieving the same thing as a NAT? I do understand that this may not be the right design, but just want to know if that is correct. – Aravind Sep 12 '18 at 12:10
    You are achieving the goal to restrict traffic to outbound only. A NAT instance can provide additional things, for example logging of all outbound traffic, so the two methods aren't exactly "the same thing". Also, if you are using AWS Lambda functions that need to be in your VPC, then you can't assign public IPs to those, so a NAT is the only option to provide VPC Lambda functions with Internet access. – Mark B Sep 12 '18 at 12:26
  • @Aravind For devices inside a VPC to connect to devices outside the VPC, they need one of the following: IGW (Internet Gateway), NAT Gateway, VGW, VPC Endpoint. Each type of device / connectivity option has its own features and benefits. Security Groups complement these connectivity options but do not replace them. – John Hanley Sep 12 '18 at 15:59
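The distinction drawn in the answer and the comments, that a security group only filters packets while a public IP plus an IGW route, or a route to a NAT instance/gateway, is what lets packets leave the VPC at all, can be made concrete with a small model. The following is an added example, not code from the original question or answer; every VPC, subnet, route, security group and instance identifier in it is constructed, and the data structures are simplified stand-ins for what `describe-route-tables`, `describe-security-groups` and `describe-instances` return, so it runs offline.

```python
"""Classify how each EC2 instance in a VPC can reach, or be reached from, the Internet.

Added example; the subnet, route table, security group and instance data below
are constructed, simplified shapes of the AWS API responses, so this runs offline.
"""
from ipaddress import ip_address, ip_network

# Constructed address standing in for "some host on the Internet".
INTERNET_HOST = "198.51.100.7"

# Constructed route tables, keyed by subnet: (destination CIDR, target).
ROUTE_TABLES = {
    "subnet-public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0aaa")],
    "subnet-private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0bbb")],
    "subnet-isolated": [("10.0.0.0/16", "local")],
}

# Constructed security groups: allow-lists of (CIDR, protocol) per direction.
SECURITY_GROUPS = {
    "sg-open":     {"inbound": [("0.0.0.0/0", "all")],   "outbound": [("0.0.0.0/0", "all")]},
    "sg-vpc-only": {"inbound": [("10.0.0.0/16", "all")], "outbound": [("0.0.0.0/0", "all")]},
}

# Constructed instances. i-web is the asker's proposal (public IP, VPC-only inbound);
# i-app is the documented NAT design; i-orphan has an IGW route but no public IP.
INSTANCES = [
    {"id": "i-web",    "subnet": "subnet-public",   "public_ip": "203.0.113.10", "sg": "sg-vpc-only"},
    {"id": "i-app",    "subnet": "subnet-private",  "public_ip": None,           "sg": "sg-vpc-only"},
    {"id": "i-orphan", "subnet": "subnet-public",   "public_ip": None,           "sg": "sg-open"},
    {"id": "i-db",     "subnet": "subnet-isolated", "public_ip": None,           "sg": "sg-vpc-only"},
]


def route_target(subnet_id, dst):
    """Longest-prefix match over the subnet's route table, as the VPC router does."""
    dst_ip = ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[subnet_id]:
        net = ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def egress_path(inst):
    """Return 'igw', 'nat' or 'none': how packets to an Internet host leave the VPC."""
    target = route_target(inst["subnet"], INTERNET_HOST)
    if target is None or target == "local":
        return "none"  # no default route, so nothing forwards the packet out of the VPC
    if target.startswith("igw-"):
        # The IGW maps the instance's private IP to its public IP; with no public IP
        # there is nothing to map to and the packet is dropped.
        return "igw" if inst["public_ip"] else "none"
    if target.startswith("nat-"):
        return "nat"   # NAT instance/gateway sends the packet from its own public IP
    return "none"      # VGW, peering, etc. are not paths to the public Internet


def sg_allows(sg_id, direction, peer):
    """Security groups are allow-lists: True if any rule in that direction covers peer."""
    peer_ip = ip_address(peer)
    return any(peer_ip in ip_network(cidr) for cidr, _proto in SECURITY_GROUPS[sg_id][direction])


def classify(inst):
    """Combine the routing question (can packets get out?) with the filtering one (are they allowed?)."""
    path = egress_path(inst)
    return {
        "id": inst["id"],
        "egress": path,
        # Initiating outbound needs a path AND an outbound SG rule (SGs are stateful,
        # so the reply comes back without any inbound rule).
        "can_initiate_outbound": path != "none" and sg_allows(inst["sg"], "outbound", INTERNET_HOST),
        # Unsolicited inbound needs a public IP behind an IGW AND an inbound rule covering the source.
        "reachable_from_internet": path == "igw" and sg_allows(inst["sg"], "inbound", INTERNET_HOST),
    }


def report():
    """One classification per constructed instance."""
    return [classify(inst) for inst in INSTANCES]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Running it prints one line per instance. `i-web` shows the asker's setup: outbound works and inbound from the Internet is blocked, but purely by the security group, so the instance still has a public address. `i-app` gets the same outbound-only outcome from the NAT route without ever having a public IP. `i-orphan` is the case the answer is about: its security group is wide open and it sits in a public subnet with an IGW route, yet no packet to the Internet gets out because there is no public IP for the IGW to translate to. Against a real account you would feed the same functions the route tables, security groups and instances returned by the AWS API instead of the constructed data.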