My EC2 instance in a private subnet can't connect to the Internet using a NAT gateway

Last updated: 2016-10-07

I created a NAT gateway to reach the Internet from my Amazon Elastic Compute Cloud (Amazon EC2) instance in a private subnet, but my instance is not able to reach the Internet. How do I fix this?


To troubleshoot instances that can’t connect to the Internet from a private subnet using a NAT gateway, check the following:

  • Verify that the destination is reachable by pinging the destination from another source using a public IP address.
  • Verify that the NAT gateway is in the Available state. If the NAT gateway is in the Failed state, follow the troubleshooting steps at NAT gateway goes to a status of failed.
    Note: A NAT gateway in the Failed state is automatically deleted after about an hour.
  • Make sure that you've created your NAT gateway in a public subnet, and that that the public route table has a default route pointing to an Internet gateway.
  • Make sure that the private subnet’s route table has a default route pointing to the NAT gateway.
    Note: Ensure that you’re not using the same route table for both the private and the public subnet; this will not route traffic to the Internet.
  • Check that you have allowed the required protocols and ports for outbound traffic to the Internet.
  • Make sure you've allowed access to the Internet on the security group and network ACLs associated with your VPC, and that you don’t have any rules that block traffic. For example, if you’re connecting to a server, consider allowing traffic on HTTP port 80 and HTTPS port 443, using the destination IP address For more information, see Amazon EC2 security groups for Linux instances or Amazon EC2 security groups for Windows instances. For more information on configuring network ACLs, see Working with network ACLs.

For more information on routing traffic in a VPC, see VPCs and subnets.

Did this article help you?

Anything we could improve?

Need more help?