[AWS] NAT Gateway How-To & Setup Guide — Private Subnet Internet & Cost Optimization

1. Why You Need a NAT Gateway

Figure 1. Comparing Private Subnet communication structure with and without a NAT Gateway

Instances in a VPC's Private Subnet are given no public IP, for security. They still need outbound internet access, though, for security-patch updates (apt, yum, dnf) and external API calls. The NAT Gateway fills that gap: it permits only outbound-initiated communication, so the instances remain unreachable from the internet.

  • Figure 1, left — without a NAT Gateway, Private Subnet EC2s are cut off from the outside and can't even update.
  • Figure 1, right — with a NAT Gateway, internal servers can reach the internet outbound while staying unexposed. A production EC2 needs this structure to pull external packages via apt and the like.

2. Steps to Create and Configure a NAT Gateway

Let's see how a NAT Gateway works through an actual build.

2.1 Infrastructure prerequisites

For testing, I pre-built a Public Subnet (where the Bastion EC2 lives) and a Private Subnet (where the test EC2 lives), as in Figure 1.

2.2 Configuring the NAT Gateway

Step 1. Pre-check — verify internet connectivity

Figure 2. Before NAT setup — EC2 internet connection error (apt update failing on the Private Subnet EC2)

Without a NAT Gateway, connecting to the Private Subnet EC2 and running sudo apt update fails because the instance cannot reach the outside, as in Figure 2. Now we start building toward the architecture in Figure 1 (right).

Note: Before setup, it's good to pre-create an Elastic IP (EIP). There is an auto-assign option, but in practice I recommend manual assignment for management consistency.

Step 2. Create the NAT Gateway

Figure 3. The NAT Gateway menu in the AWS VPC console

Figure 4. The Create NAT gateway button (top-right of the console)

In the AWS console, go to VPC → NAT gateways, then click the [Create NAT gateway] button at the top-right.

Step 3. Creation options and attaching the Elastic IP (EIP)

Figure 5. NAT Gateway creation options (VPC/subnet selection)

Figure 6. Attaching the Elastic IP (EIP) used for outbound traffic

On the creation screen, choose these options (Figures 5–6).

  • Select VPC — specify the target VPC for the NAT Gateway.
  • Connectivity type — choose 'Public'.
  • Elastic IP allocation — attach the EIP you created manually, as in Figure 6. A fixed public IP gives reliability for external communication.

Figure 7. NAT Gateway details after creation (status and attached IP of the nat-xxxx gateway)

Once created, you'll see a nat-xxxx-style ID along with the attached IP address, as in Figure 7.

Step 4. Update the route table

Figure 8. Private Subnet route table — adding a 0.0.0.0/0 route that targets the NAT Gateway

Figure 9. Route table update result (the private route table with the NAT Gateway as target)

Now that the NAT Gateway exists, route the Private Subnet's traffic through it.

  • Go to the VPC's Private Subnet route table.
  • In route editing, set the target of 0.0.0.0/0 (all internet traffic) to the NAT Gateway you just created (nat-xxxx) and save (Figure 8).
  • After saving, confirm the route is active as in Figure 9.

Step 5. Final check — Private Subnet internet connectivity

Figure 10. After connecting the NAT Gateway — sudo apt update succeeds on the Private Subnet EC2

Back on the Private Subnet EC2, run sudo apt update. As in Figure 10, it now reaches the external repositories and updates successfully.
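The same Step 1 to Step 5 procedure driven from the AWS CLI instead of the console, added here as an example (not code from the original post). It assumes a configured AWS CLI, and that PUBLIC_SUBNET_ID (the subnet that hosts the NAT Gateway) and PRIVATE_RTB_ID (the Private Subnet's route table) are placeholder IDs you supply; it also includes the teardown that section 3 recommends after testing.

```shell
# AWS CLI version of Steps 1-5 (added example; assumes a configured AWS CLI).
# PUBLIC_SUBNET_ID hosts the NAT Gateway; PRIVATE_RTB_ID is the Private Subnet's
# route table. Both are placeholders you supply in the environment.
set -eu

# Pre-step: allocate the EIP manually (the post prefers this over auto-assign).
allocate_eip() {
  aws ec2 allocate-address --domain vpc --query 'AllocationId' --output text
}

# Steps 2-3: public NAT Gateway in the Public Subnet, bound to that EIP.
create_nat_gateway() {
  aws ec2 create-nat-gateway --subnet-id "$1" --allocation-id "$2" \
    --connectivity-type public --query 'NatGateway.NatGatewayId' --output text
}

# Step 4: point 0.0.0.0/0 in the Private Subnet's route table at the NAT Gateway.
add_default_route() {
  aws ec2 wait nat-gateway-available --nat-gateway-ids "$2"
  aws ec2 create-route --route-table-id "$1" \
    --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$2" >/dev/null
}

# Step 5, control-plane side: which NAT Gateway does 0.0.0.0/0 resolve to?
# (The data-plane check is still 'sudo apt update' on the Private Subnet EC2.)
default_route_target() {
  aws ec2 describe-route-tables --route-table-ids "$1" --output text \
    --query "RouteTables[0].Routes[?DestinationCidrBlock=='0.0.0.0/0'].NatGatewayId"
}

# Whole procedure: prints the NAT Gateway ID, fails if the route did not land.
nat_setup() {
  local eip nat
  eip=$(allocate_eip)
  nat=$(create_nat_gateway "$1" "$eip")
  add_default_route "$2" "$nat"
  [ "$(default_route_target "$2")" = "$nat" ] || return 1
  echo "$nat"
}

# Section 3: an idle NAT Gateway still bills hourly, so tear it down after testing.
nat_teardown() {  # nat_teardown <nat-id> <eip-allocation-id>
  aws ec2 delete-nat-gateway --nat-gateway-id "$1" >/dev/null
  aws ec2 wait nat-gateway-deleted --nat-gateway-ids "$1"
  aws ec2 release-address --allocation-id "$2"
}

if [ -n "${PUBLIC_SUBNET_ID:-}" ] && [ -n "${PRIVATE_RTB_ID:-}" ]; then
  nat_setup "$PUBLIC_SUBNET_ID" "$PRIVATE_RTB_ID"   # only when both IDs are set
fi
```

Run as `PUBLIC_SUBNET_ID=subnet-... PRIVATE_RTB_ID=rtb-... sh nat-setup.sh`; the printed nat-xxxx ID and the EIP allocation ID are what you pass to nat_teardown when the test is over.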

3. NAT Gateway Cost Analysis (Seoul Region)

A NAT Gateway is a managed service with high reliability, but it carries a fixed hourly cost, so account for it at design time.

| Item                 | Rate unit     | Estimated monthly cost (excl. data transfer) |
|----------------------|---------------|----------------------------------------------|
| Hourly fixed rate    | $0.045 / hour | ~$32.4 (about ₩45,000)                       |
| Data processing rate | $0.045 / GB   | Added separately by actual usage             |

A NAT Gateway is billed at a fixed rate of about ₩60/hour (~₩45,000/month) even if you only create it and never send traffic through it. For testing, make a habit of deleting it right after use.

For the detailed AWS pricing scheme, see the separate cost-saving post.

[AWS] Cutting Infrastructure Costs by 55% — Graviton (ARM) Migration & Fixed-Cost Optimization
~20% from EC2 architecture (x86 → ARM/Graviton) alone, and up to 55% (about ₩2M/month) off by replacing ALB, NAT, and RDS with Nginx, a NAT instance, and an EC2 DB — real quotes and strategy.
taystudios.com/blog

4. Enterprise-Grade Cost Optimization Strategies

Beyond simply using it less, here are three architecture-level ways to reduce cost.

  • Use VPC Endpoints — routing communication with internal AWS services like S3/DynamoDB through a NAT Gateway incurs excessive data-processing cost. Using a VPC Endpoint can make the data-processing fee $0.
  • Optimize AZ design — cross-AZ data transfer incurs extra cost (Data Transfer Out). It's better to place high-traffic servers and the NAT Gateway in the same AZ.
  • Replace with a NAT instance — for small/personal projects with little traffic, building a NAT instance on a t3.nano-class instance can cut fixed cost by 90%+.

5. Summary: NAT Gateway vs NAT Instance

| Comparison      | NAT Gateway                 | NAT Instance              |
|-----------------|-----------------------------|---------------------------|
| Managed by      | AWS (managed service)       | You                       |
| Availability    | Very high (auto-scaling)    | Depends on your design    |
| Cost            | High (~₩45,000/month+)      | Low (depends on EC2 spec) |
| Recommended for | Large services / enterprise | Small startups / testing  |

If you want to save cost, the most efficient approach is to repurpose your existing Bastion server as a NAT instance. The detailed build is in the posts below.

[AWS] Cutting NAT Gateway Costs — Building a NAT Instance from an AMI (Part 1)
A NAT Gateway costs $32+/month in fixed fees. To save money, I connected a Private Subnet to the internet using an EC2 NAT Instance — Part 1 uses the AWS community AMI (amzn-ami-vpc-nat).
taystudios.com/blog
[AWS] Cutting NAT Gateway Costs — Building a NAT Instance with iptables (Part 2)
The Part 1 community AMI runs an old (EOS) OS and is hard to maintain. In Part 2 we build a NAT instance on the latest Ubuntu by configuring iptables directly (IP forwarding + MASQUERADE), and persist the rules across reboots.
taystudios.com/blog

📦 Migrated from my own Korean blog (my own writing). Original: taehyuklee.tistory.com/34
