Blog ENG - AWS - Post 10
An egress-only internet gateway is a crucial component in a Virtual Private Cloud (VPC) that facilitates outbound communication over IPv6 from instances within your VPC to the internet. It ensures that while your instances can initiate communication with the internet, the internet cannot initiate a connection with your instances. This makes it a highly secure and reliable option for managing IPv6 traffic.
Key Features
- Horizontally Scaled and Redundant: The egress-only internet gateway is designed to be horizontally scaled and redundant, ensuring high availability and reliability.
- IPv6 Traffic Only: This gateway is specifically for IPv6 traffic. For outbound-only internet communication over IPv4, a NAT gateway should be used instead.
- No Additional Charges: There is no charge for using an egress-only internet gateway itself. However, data transfer charges for EC2 instances that use internet gateways still apply.
How It Works
IPv6 addresses are globally unique and public by default. If you want your instance to access the internet while preventing unsolicited inbound communication, an egress-only internet gateway is the solution. Here’s how you can set it up:
- Create an Egress-Only Internet Gateway: Set up the gateway within your VPC.
- Update Route Table: Add a route to your route table that directs all IPv6 traffic (::/0) or a specific range of IPv6 addresses to the egress-only internet gateway.
- Traffic Routing: IPv6 traffic in the subnet associated with the route table will be routed through the egress-only internet gateway.
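The three steps above, expressed as a Terraform configuration. This is an added example written for this post, not configuration from the original post or from AWS; the region, the 10.0.0.0/16 address range, the subnet layout and the resource names are assumptions. It creates a VPC with an Amazon-provided IPv6 block, an egress-only internet gateway, a route table whose ::/0 route targets that gateway, and the association that puts the subnet behind it:

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-1" # assumed region
}

# VPC with an Amazon-provided /56 IPv6 block (addresses are public and globally unique)
resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true
}

# A subnet that carves one /64 out of the VPC's /56 and hands IPv6 addresses to instances
resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
}

# Step 1: the egress-only internet gateway is created at VPC level
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.main.id
}

# Step 2: a route table whose IPv6 default route (::/0) targets the egress-only gateway.
# There is deliberately no IPv6 route to a regular internet gateway: that route would
# make the subnet's instances reachable from the internet on their public IPv6 addresses.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route" "ipv6_egress_only" {
  route_table_id              = aws_route_table.private.id
  destination_ipv6_cidr_block = "::/0"
  egress_only_gateway_id      = aws_egress_only_internet_gateway.eigw.id
}

# Step 3: associate the table with the subnet so its IPv6 traffic is routed via the gateway
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
```

When reviewing an existing VPC, the route table is the place to look: a subnet is only outbound-only for IPv6 if its ::/0 route points at an egress-only internet gateway and no other IPv6 route in the same table points at an internet gateway.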
Stateful Nature
The egress-only internet gateway is stateful, meaning it forwards traffic from instances in the subnet to the internet or other AWS services and then sends the response back to the instances. This ensures seamless communication while maintaining security.
Security Considerations
While you cannot associate a security group with an egress-only internet gateway to control traffic, you can use a network ACL (Access Control List) to manage the traffic to and from the subnet for which the egress-only internet gateway routes traffic. Unlike the gateway itself, a network ACL is stateless, so the return traffic for connections your instances open must be allowed explicitly by its inbound rules. Security groups can still be applied to the instances in the subnet as usual. Together these add an additional layer of security to your VPC.
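A network ACL for the subnet behind the egress-only internet gateway, as an added Terraform example that is not part of the original post or AWS documentation. The VPC and subnet IDs are taken from assumed input variables. The outbound rule lets instances open HTTPS connections over IPv6; because network ACLs are stateless, the inbound rule has to admit the replies, which arrive on the instances' ephemeral source ports, while new inbound connections to service ports such as 22 or 80 fall through to the ACL's implicit deny:

```hcl
# Assumed inputs: the VPC that owns the egress-only gateway and the subnet routed through it
variable "vpc_id"    { type = string }
variable "subnet_id" { type = string }

resource "aws_network_acl" "egress_only_ipv6" {
  vpc_id     = var.vpc_id
  subnet_ids = [var.subnet_id]

  # Outbound: instances may initiate HTTPS to any IPv6 destination
  egress {
    rule_no         = 100
    protocol        = "tcp"
    action          = "allow"
    ipv6_cidr_block = "::/0"
    from_port       = 443
    to_port         = 443
  }

  # Inbound: the ACL is stateless, so replies to those connections must be allowed
  # explicitly. Replies come back to the ephemeral port the instance chose (1024-65535).
  ingress {
    rule_no         = 100
    protocol        = "tcp"
    action          = "allow"
    ipv6_cidr_block = "::/0"
    from_port       = 1024
    to_port         = 65535
  }

  # Anything not matched above, e.g. a new inbound SSH or HTTP connection over IPv6,
  # is dropped by the network ACL's implicit deny rule.
}
```

The inbound ephemeral-port rule is the part that is easy to get wrong: leaving it out does not break the egress-only gateway, but it silently breaks every outbound connection, because the replies are dropped at the subnet boundary before they reach the instance.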