NAT devices for your VPC - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

NAT devices for your VPC

You can use a NAT device to allow instances in private subnets to connect to the internet, other VPCs, or on-premises networks. These instances can communicate with services outside the VPC, but they cannot receive unsolicited connection requests.

The NAT device replaces the source IPv4 address of the instances with the address of the NAT device. When sending response traffic to the instances, the NAT device translates the addresses back to the original source IPv4 addresses.

You can use a managed NAT device offered by Amazon, called a NAT gateway, or you can create your own NAT device on an EC2 instance, called a NAT instance. We recommend that you use NAT gateways because they provide better availability and bandwidth and require less effort on your part to administer.


  • NAT devices are not supported for IPv6 traffic—use an egress-only internet gateway instead. For more information, see Egress-only internet gateways.

  • We use the term NAT in this documentation to follow common IT practice, though the actual role of a NAT device is both address translation and port address translation (PAT).