What is an Internet Gateway in AWS? | Duration: 1 minute (PT1M0S) · Language: EN

Clear explanation of what an Internet Gateway does in an AWS VPC and how route tables subnets and NAT interact for internet access

What an Internet Gateway actually does

If your VPC were a gated community the Internet Gateway would be the main exit gate that the HOA forgot to lock. It attaches to a VPC and becomes the route target for traffic leaving public subnets. When an instance that has a public IPv4 address sends traffic to a destination outside the VPC, the route table sends it to the gateway, which rewrites the instance's private address to its public address on the way out (a one-to-one NAT) and back again on the way in. The gateway itself filters nothing and keeps no connection state. Replies to connections you start get back in because security groups are stateful; network ACLs are stateless, so if you use them you must explicitly allow the ephemeral return ports.

How to make a subnet public without losing your mind

Four things must line up for direct internet access to work. First the Internet Gateway must be attached to the VPC. Second the route table associated with the subnet (the VPC's main route table if the subnet has no explicit association) needs a route for 0.0.0.0/0 that targets the Internet Gateway. Third the instance must have a public IPv4 address or an Elastic IP; without one the gateway has nothing to translate and the instance gets no internet access at all, inbound or outbound. Fourth your security groups and network ACLs must allow the traffic you want. If any of these are missing you will not be famous on the internet.

Sample route table entry for a public subnet
Destination 0.0.0.0/0    Target igw-12345678

Quick facts that save troubleshooting time

  • The Internet Gateway only translates for instances that have a public IPv4 or Elastic IP, one-to-one between the private and the public address. It does not do many-to-one NAT for everyone else, so an instance with only a private IP cannot be reached from the internet and cannot reach it through the gateway either.
  • For private subnets use a NAT Gateway or a NAT instance in a public subnet when you need outbound internet access.
  • Internet Gateways have no hourly charge but normal AWS data transfer fees still apply.

Public subnet versus private subnet in plain speak

Public subnet means the route table sends 0.0.0.0/0 at the Internet Gateway and instances have public IPs. Private subnet means no direct route to the Internet Gateway so instances are invisible to inbound internet traffic. If you only need outbound access use a NAT Gateway instead of giving every instance a public IP. This keeps your attack surface smaller and your blood pressure lower.

Common pitfalls that cause hair loss

  • Forgetting to assign a public IP to the instance and then wondering why nothing can reach it from the internet.
  • Pointing the route to a NAT Gateway when you expected direct inbound access. The NAT will do outbound only and hide private IPs.
  • Overly permissive security groups that feel convenient now but will haunt you later.

Debugging tips that actually help

Enable VPC Flow Logs to see which flows were accepted and which were rejected. Each record carries the source and destination addresses and ports, the protocol, byte and packet counts, and the ACCEPT or REJECT decision made by security groups and network ACLs. They will not show you a missing route: traffic that has no path in the route table never produces a record, so check the route table (or run VPC Reachability Analyzer) before you go hunting in the logs. Treat them like breadcrumbs left by your traffic rather than a bedtime story.
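The kind of triage described above, as an added example (not code from the video): a small Python script that parses records in the default flow-log format, separates inbound from outbound using the VPC CIDR, and counts rejected flows per source and destination port. The log lines, the VPC CIDR, the interface ID and all addresses are constructed for the example; point the same functions at a file pulled from CloudWatch Logs or S3 to use them for real.

```python
"""Summarise VPC Flow Log records to see what was accepted and what was rejected.
Added example, not code from the page.  The lines below are constructed in the
default flow-log record format (version 2, space separated); the VPC CIDR and
every address and ID in them are assumptions."""

import ipaddress
from collections import Counter

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC CIDR

# Field order of the default flow-log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records: SSH and RDP probes rejected, HTTPS accepted both ways,
# one VPC-internal flow, plus a NODATA record that carries no flow fields at all.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51234 22 6 3 180 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44102 443 6 20 8000 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.5 443 44102 6 18 9000 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51235 3389 6 2 120 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 39000 5432 6 9 4100 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000030 - NODATA
"""


def parse_record(line):
    """Return the record as a dict, or None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return rec


def direction(rec):
    """inbound / outbound / internal, judged against the VPC CIDR."""
    src_inside = ipaddress.ip_address(rec["srcaddr"]) in VPC_CIDR
    dst_inside = ipaddress.ip_address(rec["dstaddr"]) in VPC_CIDR
    if dst_inside and not src_inside:
        return "inbound"
    if src_inside and not dst_inside:
        return "outbound"
    return "internal"


def summarize(log_text):
    """Count rejected flows per (source, destination port) and accepted inbound
    flows per destination port.  A REJECT here came from a security group or a
    network ACL; a missing route never produces a record at all."""
    rejects = Counter()
    accepted_inbound = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["action"] == "REJECT":
            rejects[(rec["srcaddr"], int(rec["dstport"]))] += 1
        elif rec["action"] == "ACCEPT" and direction(rec) == "inbound":
            accepted_inbound[int(rec["dstport"])] += 1
    return {"rejects": rejects, "accepted_inbound_ports": accepted_inbound}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("rejected flows (source, destination port):")
    for (src, port), n in summary["rejects"].most_common():
        print(f"  {src:>16} -> :{port}  x{n}")
    print("accepted inbound by port:", dict(summary["accepted_inbound_ports"]))
```

On the sample the two REJECT lines are the SSH and RDP probes from 198.51.100.7 and the only accepted inbound port is 443; the internal flow and the outbound reply are deliberately left out of the inbound count so the summary reads as "what the internet can actually reach".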

Checklist for internet connectivity

  • Internet Gateway attached to the correct VPC
  • Route table entry for 0.0.0.0/0 pointing to the IGW, in the route table that is actually associated with the public subnet
  • Public IP or Elastic IP on instances that need inbound access
  • Security groups and NACLs configured to allow desired ports
  • Use NAT Gateway for private subnet outbound traffic when possible
  • Monitor VPC Flow Logs when things go sideways
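The route-table, addressing and checklist conditions above can be turned into an audit. The following Python is an added example, not code from the video or from AWS: it takes data shaped like the EC2 DescribeRouteTables, DescribeSubnets and DescribeInstances responses, works out which route table governs each subnet (explicit association, else the main table), classifies the subnet as public or private from its 0.0.0.0/0 target, and flags the "public subnet but no public IP" pitfall. All IDs, CIDRs and addresses in the sample data are constructed; the IGW ID is the page's placeholder and is assumed to be attached to the VPC.

```python
"""Audit which subnets are really public and which instances in them can be
reached.  Added example, not code from the page.  The data below is constructed
to mirror the shape of the EC2 DescribeRouteTables, DescribeSubnets and
DescribeInstances responses, so the same functions can be fed real output."""

IGW_ID = "igw-12345678"   # placeholder ID from the page; assumed attached to the VPC

# Constructed sample data (hypothetical IDs, CIDRs and addresses).
ROUTE_TABLES = [
    {   # explicitly associated with the public subnet
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID},
        ],
    },
    {   # main table: used by every subnet that has no explicit association
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
        ],
    },
]
SUBNETS = [
    {"SubnetId": "subnet-public", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-private", "CidrBlock": "10.0.2.0/24"},
]
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-public", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-forgot-ip", "SubnetId": "subnet-public"},   # the pitfall from the page
    {"InstanceId": "i-db", "SubnetId": "subnet-private"},
]


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or route.get("NatGatewayId")
                    or route.get("TransitGatewayId") or route.get("NetworkInterfaceId"))
    return None


def audit(route_tables, subnets, instances):
    """Classify each subnet and flag instances whose addressing does not match it.

    Returns {subnet_id: {"public": bool, "default_route": str|None, "findings": [str]}}.
    """
    report = {}
    for subnet in subnets:
        sid = subnet["SubnetId"]
        rt = route_table_for(sid, route_tables)
        target = default_route_target(rt) if rt else None
        public = target is not None and target.startswith("igw-")
        findings = []
        if target is None:
            findings.append("no 0.0.0.0/0 route: subnet is isolated from the internet")
        for inst in instances:
            if inst["SubnetId"] != sid:
                continue
            has_public_ip = "PublicIpAddress" in inst
            if public and not has_public_ip:
                # The IGW translates only for instances with a public address, and
                # the default route bypasses any NAT gateway, so this instance has
                # no internet access in either direction.
                findings.append(f"{inst['InstanceId']}: in a public subnet without a "
                                "public IP; unreachable inbound and no outbound path")
            elif not public and has_public_ip:
                findings.append(f"{inst['InstanceId']}: has a public IP but its subnet's "
                                "default route is not the IGW, so replies cannot return "
                                "through the gateway and inbound connections fail")
        report[sid] = {"public": public, "default_route": target, "findings": findings}
    return report


if __name__ == "__main__":
    for sid, result in audit(ROUTE_TABLES, SUBNETS, INSTANCES).items():
        kind = "PUBLIC " if result["public"] else "private"
        print(f"{kind} {sid:15} default route -> {result['default_route']}")
        for finding in result["findings"]:
            print(f"    ! {finding}")
```

The classification keys off the route table rather than the subnet name or tags, because that is what the VPC itself keys off; a subnet called "private" whose main route table happens to point at the IGW is public whatever the tag says. Security group and NACL checks are left out here; the flow-log summary is where those show up.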

Final word of wisdom

Mark subnets as public only when you really need direct internet access. For services that only need to reach out use a NAT Gateway in a public subnet rather than exposing instances. Keep security groups tight and treat VPC Flow Logs as your forensic backup when the network decides to be dramatic.

I know how you can get Azure Certified, Google Cloud Certified and AWS Certified. It's a cool certification exam simulator site called certificationexams.pro. Check it out, and tell them Cameron sent ya!

This is a dedicated watch page for a single video.