What is the AWS NAT Gateway?

I'm not sure what caused it, maybe Elastic Beanstalk, but at some point AWS created me a "NAT Gateway" which costs more than my EC2 server instances themselves.

What does it do, why does it cost so much, and why do I need it for things like EC2?

It seems like I can do without it, just delete it, and things still work while saving a ton?


AWS say

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. For more information about NAT, see NAT.

In short, it's an internet proxy that lets you initiate outgoing connections, but prevents anyone initiating connections to you. It's for security.

AWS don't tend to create resources without you asking for them. The VPC Wizard will sometimes create one of these when you create your VPC.


In short - NAT Gateway provides public internet access to EC2 instances without a public IP address.

Whether or not you can remove the NAT Gateway depends on your VPC and EC2 configuration.

  • If your EC2 instance is in a subnet with an IGW (Internet Gateway) and has a public or elastic IP attached, then you don't need a NAT gateway.

  • If your EC2 instance is in a subnet without an IGW, you do need a NAT gateway.

If you want to remove the NAT gateway, make sure your EC2 instance has a public IP attached to it and it's in a subnet with an IGW.

Also note that adding a public IP to your instance puts it directly on the public internet - double check the instance Security Group (i.e. firewall) to ensure it's locked down as much as possible.
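As an added example (not the answer author's code): a Python check that applies the two rules above to constructed data shaped like the EC2 describe-route-tables / describe-instances responses, and reports per instance whether it reaches the internet directly, depends on the NAT gateway, or has no working egress at all (the trap of a public IP in a subnet whose default route does not go to an IGW). The lookup order, explicit subnet association first and then the VPC's main route table, is how VPC routing resolves a subnet's route table; the instance and gateway ids are made up.

```python
# Added example, not the answer's own code. Sample data is constructed and shaped like
# the EC2 API output (describe-route-tables / describe-instances); ids are placeholders.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "VpcId": "vpc-1", "SubnetId": "subnet-public",
     "PublicIpAddress": "203.0.113.10"},        # public subnet + public IP
    {"InstanceId": "i-worker", "VpcId": "vpc-1", "SubnetId": "subnet-private"},
    {"InstanceId": "i-odd", "VpcId": "vpc-1", "SubnetId": "subnet-private",
     "PublicIpAddress": "203.0.113.11"},        # public IP, but no IGW route: IP is unusable
]

def default_route_target(vpc_id, subnet_id, tables):
    """Where the subnet's 0.0.0.0/0 route points: 'igw', 'nat' or None.
    An explicit subnet association wins over the VPC's main route table."""
    vpc_tables = [rt for rt in tables if rt["VpcId"] == vpc_id]
    explicit = [rt for rt in vpc_tables
                if any(a.get("SubnetId") == subnet_id for a in rt["Associations"])]
    main = [rt for rt in vpc_tables if any(a.get("Main") for a in rt["Associations"])]
    for route in (explicit or main or [{}])[0].get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if route.get("NatGatewayId"):
                return "nat"
    return None

def egress_mode(instance, tables=ROUTE_TABLES):
    """'direct': NAT gateway not needed. 'nat': needed. 'none': no working internet egress.
    A public IP only works when the subnet's default route goes to an Internet Gateway."""
    target = default_route_target(instance["VpcId"], instance["SubnetId"], tables)
    if target == "igw":
        return "direct" if instance.get("PublicIpAddress") else "none"
    return "nat" if target == "nat" else "none"

def nat_gateway_removable(instances=INSTANCES, tables=ROUTE_TABLES):
    """True only when no instance relies on the NAT gateway for outbound traffic."""
    return all(egress_mode(i, tables) != "nat" for i in instances)
```

Before deleting a NAT gateway, run this over every instance in the VPC, not just the one you are looking at; a single worker in a private subnet is enough to make it necessary.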