I want to allow instances in a private subnet of my Amazon Virtual Private Cloud (Amazon VPC) to connect to the internet or other AWS services. How can I create and configure a network address translation (NAT) instance for this purpose? 

Important: For common use cases, it's a best practice to use a NAT gateway instead of a NAT instance. Be sure to review the Comparison of NAT Instances and NAT Gateways to determine the best option for your use case.

You can configure a NAT instance to allow traffic to the internet or other AWS services from instances within your private VPC subnet.

AWS customers are responsible for maintenance of their NAT instances, including security updates, security groups, and instance failures. Be sure to review the AWS Shared Responsibility Model.

Before you begin, be sure that your use case requires a NAT instance. If a NAT gateway is more appropriate for your use case, see Migrating from a NAT Instance or Creating a NAT Gateway.

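  1. Set up your NAT instance. Be sure to create the NATSG security group. Also be sure to disable source/destination checks on the instance, because a NAT instance forwards traffic for which it is neither the source nor the destination.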
  2. Update your VPC's route table to point traffic to your NAT instance.
  3. Test your NAT instance to confirm it's properly configured.
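
The following added example (not part of the original article) audits the result of steps 1 to 3 from saved `aws ec2 describe-instances` and `aws ec2 describe-route-tables` JSON output. The sample data and all IDs are constructed, and the function names are illustrative; the script assumes a subnet with no explicit route table association uses the VPC's main route table.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` /
# `aws ec2 describe-route-tables` JSON output; every ID is made up.
INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0nat", "SubnetId": "subnet-pub", "SourceDestCheck": true}]}]}""")
ROUTE_TABLES = json.loads("""{"RouteTables": [
  {"RouteTableId": "rtb-main", "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat", "State": "blackhole"}]},
  {"RouteTableId": "rtb-pub", "Associations": [{"Main": false, "SubnetId": "subnet-pub"}],
   "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]}]}""")

def table_for(route_tables, subnet_id):
    """Return the explicitly associated route table, else the VPC's main table."""
    tables = route_tables["RouteTables"]
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))

def default_route(table):
    """Return the 0.0.0.0/0 route of a table, or None if it has none."""
    return next((r for r in table["Routes"]
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def audit_nat(instances, route_tables, nat_id, private_subnet):
    """List configuration problems; an empty list means the checks passed."""
    findings = []
    nat = next((i for r in instances["Reservations"] for i in r["Instances"]
                if i["InstanceId"] == nat_id), None)
    if nat is None:
        return ["NAT instance not found"]
    if nat.get("SourceDestCheck", True):  # step 1: must be disabled
        findings.append("source/destination check still enabled on NAT instance")
    out = default_route(table_for(route_tables, nat["SubnetId"]))
    if out is None or not out.get("GatewayId", "").startswith("igw-"):
        findings.append("NAT instance subnet has no default route to an internet gateway")
    priv = default_route(table_for(route_tables, private_subnet))  # step 2
    if priv is None:
        findings.append("private subnet has no default route")
    elif priv.get("InstanceId") != nat_id:
        findings.append("private subnet default route does not target the NAT instance")
    elif priv.get("State") == "blackhole":
        findings.append("route to NAT instance is blackholed (instance stopped or terminated)")
    return findings

if __name__ == "__main__":
    for f in audit_nat(INSTANCES, ROUTE_TABLES, "i-0nat", "subnet-priv"):
        print("FAIL:", f)
```

An empty result only confirms the routing and source/destination settings; the NATSG rules and an end-to-end connection test from a private instance still need to be checked separately.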

Published: 2016-05-06

Updated: 2019-02-08