In AWS there are a number of gateways within a VPC.
The following types exist:
AWS VPC Gateway Types

| Gateway Type | Purpose |
|---|---|
| Internet Gateway (IGW) | Enables public internet access for VPC resources (in public subnets). |
| NAT Gateway (NGW) | Lets instances in private subnets initiate outbound connections to the internet; no inbound connections. |
| Virtual Private Gateway (VGW) | Enables VPN (and Direct Connect) connectivity to on-premises networks. |
| Transit Gateway (TGW) | Connects multiple VPCs and on-premises networks at scale. |
| Egress-only Internet Gateway | IPv6-specific gateway for outbound-only internet access from private subnets. |
| PrivateLink / Interface Endpoints | Secure, private access to AWS services over the AWS network. |
| Gateway Endpoints (S3/DynamoDB) | Private access to S3 and DynamoDB without an IGW or NAT. |
So let's dive in a little deeper.
Detailed Overview of Each Gateway
1. Internet Gateway (IGW)
- Publicly routable gateway for outbound and inbound traffic.
- Required for instances with public or Elastic IPs in public subnets.
Example Route Table:
Destination: 0.0.0.0/0
Target: Internet Gateway (igw-abc123)
Use Case: Web servers that need to be publicly accessible.
This is the most common of the gateways. You want (a part of) your servers or services to reach the outside world and/or be reachable from outside. Note that the IGW alone does not expose anything: a resource is reachable from the internet only when its subnet routes 0.0.0.0/0 to the IGW, it has a public or Elastic IP, and its security group and network ACL allow the inbound traffic. Audit all three together.
2. NAT Gateway
- Provides outbound internet access for instances in private subnets.
- Managed service (replaces the self-managed NAT instance).
- One per AZ for HA; route each AZ's private subnets to the NAT gateway in the same AZ, so an AZ outage does not take down egress for the other AZs.
Example Route Table (Private Subnet):
Destination: 0.0.0.0/0
Target: NAT Gateway (nat-xyz789)
Use Case: EC2 instances pulling OS updates without being exposed to the internet.
A private subnet needs to reach the outside world but must not be reachable from it. Imagine a back-end service that pushes data to an external application: it initiates the connection outbound, the NAT gateway tracks the flow and lets the replies back in, and nothing on the internet can initiate a connection to the instance. The NAT gateway itself lives in a public subnet and needs a route to an IGW.
3. Virtual Private Gateway (VGW)
- Used for Site-to-Site VPN or AWS Direct Connect connections to on-prem networks.
- Attached to the VPC; paired with a Customer Gateway (CGW) on-prem.
Use Case: Hybrid cloud architectures needing secure VPN tunnels.
The Virtual Private Gateway is the workhorse of the hybrid architecture. Parts of your applications are still on-prem, while some are already in the cloud, either via lift-and-shift or built new. Keep the two transports apart: Site-to-Site VPN runs IPsec tunnels over the public internet, while Direct Connect is a dedicated link that is not encrypted by default, so run a VPN over it if the data needs encryption in transit.
4. Transit Gateway (TGW)
- Central hub for connecting multiple VPCs, on-premises networks, and VPNs.
- Reduces complex peering meshes.
Use Case: Enterprises with 5+ VPCs or regional/global architectures. Mind the costs: you pay per attachment-hour plus per GB of data processed. The TGW has its own route tables, so use them to segment traffic (for example, keep development VPCs from reaching production) instead of letting every attachment reach every other one.
5. Egress-Only Internet Gateway
- IPv6-specific gateway for outbound-only internet traffic from private subnets.
- No inbound traffic allowed; it is stateful, so replies to outbound connections are let back in.
Use Case: IPv6-only environments needing outbound access without public exposure.
This matters more than it looks: IPv6 addresses in a VPC are globally unique and publicly routable, so there is no NAT-style hiding. An IPv6 instance whose subnet routes ::/0 to a regular IGW is reachable from the internet; routing ::/0 to an egress-only IGW instead is what enforces outbound-only.
6. Gateway Endpoints (S3 / DynamoDB)
- Enable private, VPC-level access to specific AWS services without internet access or NAT.
- Only available for S3 and DynamoDB.
Route Table Entry Example:
Destination: pl-68a54001 (com.amazonaws.region.s3)
Target: Gateway Endpoint (vpce-123456)
Use Case: Accessing S3 buckets from a private subnet with no internet gateway or NAT.
The destination is a managed prefix list (its ID differs per region) that resolves to the service's IP ranges; because those are more specific than 0.0.0.0/0, S3 traffic takes the endpoint even when a NAT gateway default route exists. The endpoint comes with a policy that allows full access to the service by default; tighten it to your own buckets (and add aws:SourceVpce conditions to your bucket policies) so the endpoint cannot be used to move data to arbitrary buckets.
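As an added example (not code from the original post), the following Python models the route lookup behind the three example route tables above (IGW, NAT gateway, gateway endpoint): longest-prefix match, which is why the S3 prefix-list route wins over the 0.0.0.0/0 route, plus a small audit that classifies each subnet by its default routes and flags subnets whose route table exposes them more than the architecture intends. The gateway IDs igw-abc123, nat-xyz789, vpce-123456 and prefix list pl-68a54001 are the ones used in the post; the route tables, subnet names, the eigw- ID and the documentation-range CIDRs standing in for the S3 prefix list are constructed.

```python
"""Walk VPC route tables the way the VPC router does and audit subnet exposure.

Added example, not code from the original post. Route tables, subnets and the
eigw- ID are constructed; igw-abc123, nat-xyz789, vpce-123456 and pl-68a54001
are reused from the post. The real S3 prefix list resolves to region-specific
CIDRs fetched from the EC2 API; here it resolves to documentation ranges so
the example runs offline.
"""
import ipaddress

# Constructed stand-in for what describe-managed-prefix-lists would return.
PREFIX_LISTS = {
    "pl-68a54001": ["198.51.100.0/24", "203.0.113.0/24"],
}

# Constructed route tables. Target prefixes follow AWS IDs: igw- (internet
# gateway), nat- (NAT gateway), eigw- (egress-only IGW), vpce- (gateway
# endpoint); "local" is the VPC CIDR itself.
ROUTE_TABLES = {
    "rtb-public": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-abc123"},
    ],
    "rtb-private": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-xyz789"},
        {"destination": "::/0", "target": "eigw-0f00d"},
        {"destination": "pl-68a54001", "target": "vpce-123456"},
    ],
    "rtb-isolated": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "pl-68a54001", "target": "vpce-123456"},
    ],
    # Meant to be private, but someone added a default route to the IGW.
    "rtb-batch": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-abc123"},
    ],
}

# Constructed: subnet -> (tier the architecture intends, route table in use).
SUBNETS = {
    "subnet-web": ("public", "rtb-public"),
    "subnet-app": ("private", "rtb-private"),
    "subnet-db": ("isolated", "rtb-isolated"),
    "subnet-batch": ("private", "rtb-batch"),
}

RANK = {"isolated": 0, "private": 1, "public": 2}


def expand_routes(routes):
    """Resolve prefix-list destinations so every route is (network, target)."""
    expanded = []
    for route in routes:
        cidrs = PREFIX_LISTS.get(route["destination"], [route["destination"]])
        for cidr in cidrs:
            expanded.append((ipaddress.ip_network(cidr), route["target"]))
    return expanded


def lookup(routes, dst):
    """Longest-prefix match for one destination; None means no route (dropped).

    The endpoint's CIDRs are more specific than 0.0.0.0/0, so S3 traffic
    takes the gateway endpoint even when a NAT/IGW default route exists.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, target in expand_routes(routes):
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return best[1] if best else None


def classify(routes):
    """Exposure tier implied by the default routes (0.0.0.0/0 and ::/0).

    igw- default route: inbound-initiated connections become possible (given a
    public IP and permissive SG/NACL) -> 'public'. Any other default target
    (NAT gateway, egress-only IGW, TGW, VGW, NAT instance) gives egress without
    direct inbound reachability -> 'private'. No default route -> 'isolated'.
    """
    tier = "isolated"
    for net, target in expand_routes(routes):
        if net.prefixlen != 0:
            continue
        candidate = "public" if target.startswith("igw-") else "private"
        if RANK[candidate] > RANK[tier]:
            tier = candidate
    return tier


def audit(subnets, route_tables):
    """Return (subnet, intended, actual) for each subnet more exposed than intended."""
    findings = []
    for name, (intended, rtb) in subnets.items():
        actual = classify(route_tables[rtb])
        if RANK[actual] > RANK[intended]:
            findings.append((name, intended, actual))
    return findings


if __name__ == "__main__":
    for finding in audit(SUBNETS, ROUTE_TABLES):
        print("exposure drift: %s intended %s but routes as %s" % finding)
```

Running it reports only subnet-batch: its route table sends 0.0.0.0/0 to the IGW although the subnet was meant to be private. In a real account the same logic runs over the output of describe-route-tables and describe-managed-prefix-lists; the classification is deliberately coarse and tells you where to look, not whether a given instance is actually reachable (that still depends on public IPs, security groups and NACLs).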
7. Interface Endpoints (AWS PrivateLink)
- Use AWS PrivateLink to privately access services via ENIs.
- Works for AWS services, third-party SaaS, and your own services.
Use Case: Secure access to services like Secrets Manager, without crossing the internet.
Each interface endpoint is an elastic network interface with a private IP in your subnet, so a security group applies to it; restrict that to the clients that actually need the service. Enable private DNS so the service's normal hostname resolves to the endpoint, otherwise clients keep going out via the NAT gateway. Endpoint policies apply here too.
📌 Summary Comparison

| Gateway | Direction | Internet Required | Services Accessed | Subnet Type |
|---|---|---|---|---|
| Internet Gateway | In/Out | Yes | Any | Public |
| NAT Gateway | Out only | Yes | Any (outbound only) | Private |
| Virtual Private Gateway | In/Out | VPN: IPsec tunnels over the internet; Direct Connect: no | On-prem | Any |
| Transit Gateway | In/Out | No (AWS internal) | VPCs, VPNs, DX | Any |
| Egress-only IGW | Out only (IPv6) | Yes | Any | Private (IPv6) |
| Gateway Endpoint | Out only | No | S3, DynamoDB | Any |
| Interface Endpoint | Out (In when you publish your own endpoint service) | No | AWS/private services | Any |