Networking

NAT Gateway vs Internet Gateway

Compare outbound internet access for private resources with direct internet routing for public subnet resources.

NAT Gateway

A NAT Gateway allows resources in private subnets to initiate outbound internet access without being directly reachable from the internet. It is commonly used for package updates, external API access, and outbound connectivity from private workloads.

Internet Gateway

An Internet Gateway is the AWS component that enables direct internet routing for resources in public subnets. It provides the path between a VPC and the public internet.

Key Differences

An Internet Gateway enables direct internet routing for public subnet resources, while a NAT Gateway enables outbound internet access for private subnet resources.

Internet Gateway is for direct public connectivity, while NAT Gateway is for private egress without direct inbound exposure.

A NAT Gateway does not make private resources publicly reachable, while an Internet Gateway is part of public internet routing design.

Internet Gateway is fundamental for public subnet architecture, while NAT Gateway is used when private workloads still need outbound internet access.

The distinction is direct public routing versus controlled outbound access from private networks.

They are often used together in the same VPC design because public and private subnet patterns commonly coexist.

When to Use

When to use NAT Gateway

Use NAT Gateway when private subnet instances need outbound internet access for updates, package downloads, or calling external APIs without becoming directly internet-accessible.

When to use Internet Gateway

Use Internet Gateway when public subnet resources need direct internet routing and are intended to be internet-facing.

Tradeoffs

Internet Gateway enables simple public routing, but increases exposure if used for workloads that should remain internal.

NAT Gateway improves isolation for private workloads, but adds architecture cost and another networking component.

Using both correctly supports secure layered VPC design.

Common Mistakes

Thinking NAT Gateway makes private resources publicly reachable.

Putting private workloads behind an Internet Gateway when only outbound access is needed.

Confusing direct public routing with private egress routing.
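One way to catch these mistakes in review is to classify each subnet by where its default route points. The following is an added example, not part of the original page: it reads JSON in the shape of `aws ec2 describe-route-tables` output, and the sample IDs and the `INTENDED_PRIVATE` inventory are constructed assumptions. It covers only explicit subnet associations, so subnets that fall back to the main route table are not listed.

```python
# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# Every ID below is made up for illustration.
SAMPLE = {"RouteTables": [
    {"Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"Associations": [{"SubnetId": "subnet-db"}],  # the mistake: private workload behind the IGW
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-batch"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"Main": True}],             # main table: no explicit subnet
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]}
# Assumption: your own inventory of subnets that must not be internet-facing.
INTENDED_PRIVATE = {"subnet-app", "subnet-db", "subnet-batch"}


def egress_kind(routes):
    """Classify a route table by where its default route(s) point."""
    kinds = set()
    for r in routes:
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest not in ("0.0.0.0/0", "::/0") or r.get("State") == "blackhole":
            continue  # not a usable default route
        if r.get("GatewayId", "").startswith("igw-"):
            kinds.add("public")          # direct internet routing
        elif r.get("NatGatewayId"):
            kinds.add("private-egress")  # outbound only, through NAT
        else:
            kinds.add("other")           # some other default-route target
    # An Internet Gateway route wins: it is the most exposed case.
    return next((k for k in ("public", "private-egress", "other") if k in kinds), "isolated")


def classify_subnets(doc):
    """Map each explicitly associated subnet to its egress kind."""
    return {a["SubnetId"]: egress_kind(rt.get("Routes", []))
            for rt in doc["RouteTables"]
            for a in rt.get("Associations", []) if a.get("SubnetId")}


def exposed_private_subnets(doc, intended_private):
    """Intended-private subnets whose default route targets an Internet Gateway."""
    kinds = classify_subnets(doc)
    return sorted(s for s in intended_private if kinds.get(s) == "public")


if __name__ == "__main__":
    print(exposed_private_subnets(SAMPLE, INTENDED_PRIVATE))
```

The check looks at routing only; whether a given instance is actually reachable also depends on it having a public IP address and on its security group and network ACL rules.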

Interview Tip

A strong short answer is: Internet Gateway gives public routing, NAT Gateway gives private subnets outbound internet access.