Understanding Internet Gateways in AWS VPC

Blog ENG - AWS - Post 9

An internet gateway is a crucial component in Amazon Web Services (AWS) Virtual Private Cloud (VPC) architecture. It is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports both IPv4 and IPv6 traffic and imposes no availability risk or bandwidth constraint on your network traffic.

Key Features of an Internet Gateway
An internet gateway enables resources in your public subnets, such as EC2 instances, to connect to the internet if they have a public IPv4 address or an IPv6 address. Similarly, resources on the internet can initiate connections to resources in your subnet using these public addresses. For instance, you can connect to an EC2 instance in AWS from your local computer via an internet gateway.

Additionally, an internet gateway provides a target in your VPC route tables for internet-routable traffic. For IPv4 communication, it also performs network address translation (NAT).

Note: There is no charge for using an internet gateway, but data transfer charges apply for EC2 instances that use internet gateways.

Configuring Internet Access
To enable your instances to send traffic to or receive traffic from the internet, follow these steps:

  1. Create an Internet Gateway: Attach it to your VPC.
  2. Update Route Tables: Add a route to the route table for the subnet that directs internet-bound traffic to the internet gateway.
  3. Assign Public IP Addresses: Ensure instances in your subnet have a public IPv4 address or IPv6 address.
  4. Configure Security Groups and Network ACLs: Allow the desired internet traffic to flow to and from your instances.

If you prefer not to assign public IP addresses to your instances, use a NAT device instead. A NAT device allows instances in a private subnet to connect to the internet while preventing internet hosts from initiating connections with the instances.

Public and Private Subnets
A subnet associated with a route table that has a route to an internet gateway is known as a public subnet. Conversely, a subnet without such a route is known as a private subnet.

In your public subnet's route table, you can add a route that sends all traffic for destinations not explicitly known to the route table (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to the internet gateway. Alternatively, you can scope the route to a narrower range of IP addresses, such as the public IPv4 addresses of your company's public endpoints outside of AWS or the Elastic IP addresses of other Amazon EC2 instances outside your VPC. The narrower the route, the smaller the set of internet hosts the subnet can exchange traffic with.
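The public/private definition above is easy to check programmatically. The following Python is an added example, not code from the original post: it takes route tables in the shape returned by `aws ec2 describe-route-tables`, resolves each subnet to its route table (the explicitly associated one, or the VPC's main table when there is no association), and reports which subnets have an active route to an `igw-` target and which tables send the default route there. All IDs and routes are constructed sample data.

```python
# Classify subnets as public/private from `aws ec2 describe-route-tables`-shaped data (all constructed).
ROUTE_TABLES = [
    {   # Main table: no IGW route, so implicitly associated subnets are private.
        "RouteTableId": "rtb-main0001",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # Public table: default routes for IPv4 and IPv6 point at the IGW.
        "RouteTableId": "rtb-public01",
        "Associations": [{"Main": False, "SubnetId": "subnet-web01"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
        ],
    },
    {   # Scoped table: IGW reachable for one external prefix only (still public by definition);
        # the blackhole route is left over from a detached gateway and must not count.
        "RouteTableId": "rtb-scoped01",
        "Associations": [{"Main": False, "SubnetId": "subnet-app01"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0a1b2c3d", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ldgw0000", "State": "blackhole"},
        ],
    },
]
ALL_SUBNETS = ["subnet-web01", "subnet-app01", "subnet-db01"]  # db01: no explicit association


def igw_destinations(table):
    """Destinations of active routes in `table` whose target is an internet gateway."""
    return [r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
            for r in table["Routes"]
            if r.get("GatewayId", "").startswith("igw-") and r.get("State") == "active"]


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet id to (kind, igw destinations, route table id)."""
    main = next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    explicit = {a["SubnetId"]: t for t in route_tables for a in t["Associations"] if "SubnetId" in a}
    result = {}
    for sid in subnet_ids:
        table = explicit.get(sid, main)  # no explicit association -> main route table
        dests = igw_destinations(table)
        result[sid] = ("public" if dests else "private", dests, table["RouteTableId"])
    return result


def default_route_to_igw(route_tables):
    """Route tables whose default route (0.0.0.0/0 or ::/0) targets an IGW: the widest exposure."""
    return sorted(t["RouteTableId"] for t in route_tables
                  if any(d in ("0.0.0.0/0", "::/0") for d in igw_destinations(t)))
```

Subnets with no explicit association are the usual audit blind spot: they inherit the main route table, so a default route added there silently makes every unassociated subnet public.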

IP Addresses and NAT
For IPv4 communication over the internet, your instance must have a public IPv4 address. You can configure your VPC to automatically assign public IPv4 addresses to your instances or assign Elastic IP addresses manually. The internet gateway provides one-to-one NAT on behalf of your instance, translating the instance's private IPv4 address to its public IPv4 address for outbound traffic and the reverse for inbound traffic; the instance itself only ever sees its private address.

For IPv6 communication, your VPC and subnet must have an associated IPv6 CIDR block, and your instance must be assigned an IPv6 address from the subnet range. IPv6 addresses are globally unique and public by default.