Internet Gateway and Egress-Only IGW
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Internet Gateway and Egress-Only Internet Gateway
Introduction: The Gateway to the Public Web
In the architecture of cloud networking, the Virtual Private Cloud (VPC) serves as your own logically isolated section of the cloud provider's network. By default, resources launched within a VPC are completely private, meaning they cannot communicate with the outside world, nor can the outside world reach them. While this provides excellent security, it is rarely sufficient for modern applications that require software updates, external API calls, or public-facing interfaces. This is where Internet Gateways (IGWs) and Egress-Only Internet Gateways (EIGWs) become essential components of your infrastructure.
An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It serves two primary purposes: it provides a target in your VPC route tables for internet-routable traffic, and it performs network address translation (NAT) for instances that have been assigned public IPv4 addresses. Without an Internet Gateway, your VPC is essentially a "black hole" regarding external traffic; you can manage it from within, but it remains disconnected from the global internet.
Conversely, the Egress-Only Internet Gateway is a specialized component designed exclusively for IPv6 traffic. As the industry moves toward adopting IPv6, the Egress-Only gateway provides a way for instances in a private subnet to initiate outbound traffic to the internet, while preventing the internet from initiating inbound connections to those instances. Understanding the distinction between these two, and knowing when to implement them, is foundational for building secure and functional network topologies in the cloud.
Understanding the Internet Gateway (IGW)
The Internet Gateway is the most common way to connect a VPC to the internet. It is not a single appliance but a distributed software construct managed by the cloud provider. When you attach an IGW to your VPC, you are effectively opening a door for traffic to flow in and out. However, simply attaching the gateway is not enough; you must also explicitly tell your VPC how to route traffic to it.
How the IGW Functions
When an instance in your VPC attempts to send a packet to an IP address outside of the VPC, the routing table associated with the instance's subnet is checked. If you have configured a route where the destination 0.0.0.0/0 points to the Internet Gateway, the traffic is forwarded to the IGW.
If the instance has a public IPv4 address, the IGW performs one-to-one NAT. The private IP address of your instance is mapped to the public IP address, allowing the return traffic from the internet to be routed back to the correct instance inside your private network. This process is transparent to the instance itself; the instance believes it is communicating directly with the internet, while the IGW handles the address translation behind the scenes.
Callout: IGW vs. NAT Gateway A common point of confusion is the difference between an Internet Gateway and a NAT Gateway. An Internet Gateway allows two-way communication (inbound and outbound) and is required for resources that need to be publicly accessible, like a web server. A NAT Gateway is a managed service that sits in a public subnet and allows instances in private subnets to reach the internet, but it does not allow the internet to initiate a connection back to those private instances. If you want your server to be reachable from the internet, you must use an IGW.
Implementing an Internet Gateway: Step-by-Step
To set up an Internet Gateway, you need to follow a logical progression of creation, attachment, and routing.
- Creation: Create the Internet Gateway resource in your preferred region. At this stage, it exists as a standalone object that is not yet connected to any network.
- Attachment: Attach the created Internet Gateway to your specific VPC. A single VPC can have only one Internet Gateway attached at a time.
- Route Table Configuration: Navigate to the route table associated with the subnets that need internet access. Add a route for
0.0.0.0/0and set the target as the Internet Gateway you just attached. - Subnet Association: Ensure the subnets are explicitly associated with that route table.
- Security Groups and ACLs: Finally, verify that your Security Groups and Network Access Control Lists (NACLs) allow the necessary traffic on the specific ports (e.g., port 80 or 443 for web traffic).
Code Example: Creating an IGW (Terraform)
Using Infrastructure as Code (IaC) is the industry standard for managing cloud resources. Below is an example of how to define an IGW using Terraform.
# Create the Internet Gateway
resource "aws_internet_gateway" "main_igw" {
vpc_id = aws_vpc.main_vpc.id
tags = {
Name = "main-internet-gateway"
}
}
# Add a route to the public route table
resource "aws_route" "internet_access" {
route_table_id = aws_route_table.public_rt.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main_igw.id
}
This configuration snippet is straightforward. We define the resource, associate it with the VPC ID, and then create a route entry that points all non-local traffic to this gateway.
The Egress-Only Internet Gateway (EIGW)
As IPv6 adoption grows, so does the need for more granular control over IPv6 traffic. In an IPv4 world, we often use NAT gateways to allow private instances to reach the internet while remaining hidden. However, NAT does not exist for IPv6. Because IPv6 addresses are globally unique and do not require translation, an IPv6-enabled instance in a public subnet would technically be reachable from the internet by default.
To solve this, the Egress-Only Internet Gateway was developed. It is designed specifically for IPv6. It allows your instances in a private subnet to send requests to the internet, but it prevents any external entity from initiating a connection to your instances.
Why Egress-Only is Necessary
In IPv4, we rely on NAT to hide our internal IP addresses. In IPv6, every device has a globally routable address. If you place an IPv6-enabled instance in a subnet with a route to an Internet Gateway, that instance is effectively "public" unless you have very strict firewall rules. The Egress-Only Internet Gateway acts as a stateful firewall for IPv6 traffic. It tracks the state of outgoing connections and allows the corresponding return traffic, but it drops any unsolicited incoming packets from the internet.
Implementation Guidelines
Implementing an Egress-Only Internet Gateway is similar to an IGW but is scoped strictly to IPv6 traffic.
- Enable IPv6 for the VPC: You must first associate an IPv6 CIDR block with your VPC.
- Create the EIGW: Create the Egress-Only Internet Gateway in the same VPC.
- Update the Route Table: Add a route for the IPv6 destination
::/0and point it to the EIGW. - Verify Subnet Configuration: Ensure that the instances in the private subnet have IPv6 addresses assigned.
Callout: When to use EIGW Use an Egress-Only Internet Gateway when your architecture requires IPv6 support for outbound communication (such as fetching updates or accessing external services) but mandates that the instances must remain unreachable from the public internet for security compliance. It is the IPv6 equivalent of a NAT Gateway.
Comparison: IGW vs. EIGW
Understanding when to choose one over the other is critical for network design. The following table provides a quick reference for these two components.
| Feature | Internet Gateway (IGW) | Egress-Only IGW (EIGW) |
|---|---|---|
| Protocol Support | IPv4 and IPv6 | IPv6 Only |
| Traffic Direction | Inbound and Outbound | Outbound Only |
| Address Translation | Yes (NAT for IPv4) | No (Not required for IPv6) |
| Primary Use Case | Public-facing apps, Web servers | Private instances needing IPv6 egress |
| Security | Requires strict SG/NACL rules | Inherently blocks inbound connections |
Best Practices for Gateway Implementation
When configuring gateways, security and maintainability should be your top priorities. A misconfigured gateway can lead to accidental data exposure or service outages.
1. Principle of Least Privilege
Always restrict the traffic flowing through your gateways. For an Internet Gateway, use Security Groups to allow only the specific ports required for your application. For example, if you are running a web server, allow traffic only on ports 80 and 443. Never leave broad ranges open (like 0.0.0.0/0 on all ports) unless absolutely necessary.
2. Use Separate Route Tables
Do not mix public and private subnets in the same route table. Your public subnets should be the only ones associated with a route table that contains an Internet Gateway. Private subnets should never have a route to an IGW. If you need to expose a service, use a Load Balancer in the public subnet that forwards traffic to instances in the private subnet, rather than giving the private instances direct internet access.
3. Monitoring and Logging
Monitor the health and traffic volume of your gateways. Most cloud providers offer metrics such as "BytesIn" and "BytesOut." Sudden spikes in egress traffic can indicate that a resource has been compromised or that an application is misbehaving. Set up alerts for unexpected traffic patterns to ensure you catch anomalies early.
4. Infrastructure as Code
Never configure your network components manually through a web console. Use IaC tools like Terraform, CloudFormation, or Pulumi. This ensures that your network topology is version-controlled, repeatable, and documented. Manual changes ("click-ops") are prone to human error and make it difficult to recover if a configuration is accidentally deleted.
5. IPv6 Planning
If you are starting a new project, consider implementing IPv6 from the beginning. It simplifies many aspects of networking by eliminating the need for complex NAT configurations. Ensure your internal teams are trained on IPv6 address management, as it differs significantly from the familiar IPv4 subnetting schemes.
Common Pitfalls and How to Avoid Them
Even experienced engineers run into issues when dealing with network gateways. Here are the most frequent mistakes and how to steer clear of them.
"My Instance Cannot Reach the Internet"
This is the most common support ticket in cloud networking. If your instance is in a public subnet but cannot reach the internet, check the following:
- The Route Table: Is there a route for
0.0.0.0/0pointing to the IGW? Is this route table actually associated with the subnet? - Public IP/Elastic IP: Does the instance have a public IP address? If it is a private instance, are you using a NAT Gateway?
- Network ACLs: Check your NACLs. NACLs are stateless, meaning you must allow both the outbound request and the inbound return traffic. If you allow outbound on port 80 but block inbound on ephemeral ports (1024-65535), your connection will fail.
- Security Groups: Ensure your Security Group allows outgoing traffic. While most SGs are permissive for outbound by default, verify that your configuration hasn't been restricted.
"I Accidentally Exposed My Database"
If you find that an internal database is reachable from the internet, you have likely misconfigured your route tables or security groups.
- The Fix: Move the database to a private subnet that has no route to an Internet Gateway. Ensure the database Security Group only allows traffic from the application server's security group, not from
0.0.0.0/0.
Over-complicating the Network
Some architectures introduce too many gateways, NATs, and transit hubs, which increases latency and cost. Keep your network design as simple as possible. If a service does not need to be public, keep it in a private subnet. If you need to access external APIs, use a NAT Gateway or EIGW. Avoid "daisy-chaining" gateways unless your specific compliance requirements demand it.
Advanced Considerations: High Availability and Scalability
Both the Internet Gateway and the Egress-Only Internet Gateway are designed by the cloud provider to be highly available and horizontally scalable. You do not need to worry about provisioning multiple gateways for redundancy; the provider handles the underlying infrastructure to ensure your gateway does not become a single point of failure.
However, you should consider the data processing costs associated with these gateways. In many cloud environments, you are billed for the amount of data that passes through gateways. If your architecture involves heavy data transfer between subnets or to the internet, be mindful of these costs. In some cases, it may be more cost-effective to use VPC Endpoints (also known as PrivateLink) to connect to cloud services, as this traffic stays within the provider's private network and often incurs lower or no data transfer fees compared to going out through an IGW.
Note: When using VPC Endpoints, traffic to supported services (like Object Storage or Managed Databases) does not pass through the Internet Gateway. This is a critical architectural pattern for reducing egress costs and increasing security by keeping traffic off the public internet entirely.
Practical Example: A Three-Tier Architecture
To visualize how these components fit together, let's look at a standard three-tier web application.
- Public Tier (Web Servers): These instances reside in a public subnet. They are associated with a route table that points to an Internet Gateway. This allows users on the internet to reach your web servers.
- Application Tier (Business Logic): These instances reside in a private subnet. They do not have public IP addresses and have no route to the Internet Gateway. They communicate with the web servers via an internal Load Balancer. If these servers need to fetch updates from the internet, they route traffic through a NAT Gateway (or an EIGW if using IPv6).
- Data Tier (Database): These instances reside in a highly restricted private subnet. They have no access to the internet. They only accept traffic from the Application Tier's security group.
This layout ensures that only the absolute minimum number of resources are exposed to the public internet, satisfying security requirements while maintaining the necessary connectivity for the application to function.
Frequently Asked Questions (FAQ)
Can I have multiple Internet Gateways in one VPC?
No, a VPC can have only one Internet Gateway attached at a time. If you need more capacity, you do not need more gateways; the existing gateway scales automatically to meet demand.
Do I need an Egress-Only Internet Gateway if I already have a NAT Gateway?
If your VPC is strictly IPv4, you do not need an EIGW. If you are using IPv6, the NAT Gateway does not support it, so you must use an EIGW to provide internet access to private IPv6 instances.
Can an Egress-Only Internet Gateway be used for inbound traffic?
No, it is strictly for egress. It is architecturally incapable of accepting inbound connections from the internet, which is its primary security feature.
Does the IGW cost money?
In most cloud providers, there is no hourly charge for the Internet Gateway itself, but you are charged for the data transfer (egress) that passes through it. Always check your cloud provider's pricing page for the most current information.
What happens if I delete my Internet Gateway?
If you delete your Internet Gateway, all traffic destined for the internet from your VPC will be dropped immediately. This will cause any application relying on internet connectivity to fail. Always ensure you have a maintenance window before performing network infrastructure changes.
Key Takeaways
- Gateways are Essential: Internet Gateways are the primary bridge between your isolated VPC and the public internet, enabling both ingress and egress traffic.
- Distinguish by Protocol: Use the Internet Gateway for IPv4 traffic and the Egress-Only Internet Gateway for IPv6 traffic. Remember that NAT is not applicable to IPv6.
- Security First: Always follow the principle of least privilege. Use route tables to isolate subnets and Security Groups to restrict traffic to only the necessary ports and protocols.
- Leverage IaC: Manage your network configuration using code. This prevents manual configuration errors and provides a clear audit trail of your network topology.
- Use Private Endpoints: Whenever possible, use VPC Endpoints instead of gateways for connecting to cloud-native services. This keeps traffic on the private network, improves performance, and often reduces costs.
- Understand Routing: The gateway is only as good as the route table. If the route isn't explicitly defined in your subnet's route table, the gateway will not be used, regardless of whether it is attached to the VPC.
- Monitor and Alert: Keep a close eye on your gateway traffic. Unexpected spikes or patterns are often the first sign of a security incident or an architectural performance issue.
By mastering these components, you move from simply "launching instances" to "architecting networks." These gateways are the foundation upon which secure, scalable, and reliable cloud applications are built. Always test your network configurations in a development environment before deploying to production, and ensure your team understands the flow of traffic through these gateways to facilitate easier troubleshooting and maintenance.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons