Amazon Virtual Private Cloud
User Guide

Internet Gateways

An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

An Internet gateway serves two purposes: to provide a target in your VPC route tables for Internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An Internet gateway supports IPv4 and IPv6 traffic.

Enabling Internet Access

To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

  • Attach an Internet gateway to your VPC.

  • Ensure that your subnet's route table points to the Internet gateway.

  • Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).

  • Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.

To use an Internet gateway, your subnet's route table must contain a route that directs Internet-bound traffic to the Internet gateway. You can scope the route to all destinations not explicitly known to the route table (0.0.0.0/0 for IPv4 or ::/0 for IPv6), or you can scope the route to a narrower range of IP addresses; for example, the public IPv4 addresses of your company’s public endpoints outside of AWS, or the Elastic IP addresses of other Amazon EC2 instances outside your VPC. If your subnet is associated with a route table that has a route to an Internet gateway, it's known as a public subnet.

To enable communication over the Internet for IPv4, your instance must have a public IPv4 address or an Elastic IP address that's associated with a private IPv4 address on your instance. Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet. The Internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the Internet, the reply address field is set to the public IPv4 address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that's destined for the public IPv4 address or Elastic IP address of your instance has its destination address translated into the instance's private IPv4 address before the traffic is delivered to the VPC.

To enable communication over the Internet for IPv6, your VPC and subnet must have an associated IPv6 CIDR block, and your instance must be assigned an IPv6 address from the range of the subnet. IPv6 addresses are globally unique, and therefore public by default.
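To make the conditions above checkable, here is an added example (not code from the AWS guide) that resolves a subnet to its route table, falling back to the VPC's main route table when the subnet has no explicit association, and reports which instances are reachable from the Internet. The route-table dictionaries follow the field names of the EC2 DescribeRouteTables response; the sample data and the simplified instance dictionaries (PublicIpAddress, Ipv6Addresses) are constructed for this example.

```python
from ipaddress import ip_network

# Constructed sample: the VPC's main route table has only the local route, and a
# custom table associated with subnet-a sends 0.0.0.0/0 and ::/0 to an IGW.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-1"}]},
]


def route_table_for(subnet_id, tables):
    """An explicit subnet association wins; otherwise the main table applies."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))


def igw_routes(table):
    """Return (destination, ip_version) for active routes targeting an IGW.
    A narrower destination than 0.0.0.0/0 or ::/0 still counts, as the guide
    allows scoping the route to specific public ranges."""
    out = []
    for r in table["Routes"]:
        if not r.get("GatewayId", "").startswith("igw-") or r.get("State") == "blackhole":
            continue
        dst = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        out.append((dst, ip_network(dst).version))
    return out


def is_public_subnet(subnet_id, tables):
    """A subnet is public when its effective route table has an IGW route."""
    return bool(igw_routes(route_table_for(subnet_id, tables)))


def internet_reachable(instance, tables):
    """Reachable only with a public subnet AND a globally unique address of a
    family that the subnet's route table actually sends to the IGW."""
    versions = {v for _, v in igw_routes(route_table_for(instance["SubnetId"], tables))}
    has_v4 = bool(instance.get("PublicIpAddress"))   # public IPv4 or Elastic IP
    has_v6 = bool(instance.get("Ipv6Addresses"))     # IPv6 is public by default
    return (4 in versions and has_v4) or (6 in versions and has_v6)
```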

In the following diagram, Subnet 1 in the VPC is associated with a custom route table that points all Internet-bound IPv4 traffic to an Internet gateway. The instance has an Elastic IP address, which enables communication with the Internet.

(Diagram: Using an Internet gateway)

Internet Access for Default and Nondefault VPCs

The following table provides an overview of whether your VPC automatically comes with the components required for Internet access over IPv4 or IPv6.

Internet gateway
  Default VPC: Yes
  Nondefault VPC: Yes, if you created the VPC using the first or second option in the VPC wizard. Otherwise, you must manually create and attach the Internet gateway.

Route table with route to Internet gateway for IPv4 traffic (0.0.0.0/0)
  Default VPC: Yes
  Nondefault VPC: Yes, if you created the VPC using the first or second option in the VPC wizard. Otherwise, you must manually create the route table and add the route.

Route table with route to Internet gateway for IPv6 traffic (::/0)
  Default VPC: No
  Nondefault VPC: Yes, if you created the VPC using the first or second option in the VPC wizard, and if you specified the option to associate an IPv6 CIDR block with the VPC. Otherwise, you must manually create the route table and add the route.

Public IPv4 address automatically assigned to instance launched into subnet
  Default VPC: Yes (default subnet)
  Nondefault VPC: No (nondefault subnet)

IPv6 address automatically assigned to instance launched into subnet
  Default VPC: No (default subnet)
  Nondefault VPC: No (nondefault subnet)

For more information about default VPCs, see Default VPC and Default Subnets. For more information about using the VPC wizard to create a VPC with an Internet gateway, see Scenario 1: VPC with a Single Public Subnet or Scenario 2: VPC with Public and Private Subnets (NAT).

For more information about IP addressing in your VPC, and controlling how instances are assigned public IPv4 or IPv6 addresses, see IP Addressing in Your VPC.

When you add a new subnet to your VPC, you must set up the routing and security that you want for the subnet.

Creating a VPC with an Internet Gateway

The following sections describe how to manually create a public subnet to support Internet access.

Creating a Subnet

To add a subnet to your VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets, and then choose Create Subnet.

  3. In the Create Subnet dialog box, select the VPC, select the Availability Zone, and specify the IPv4 CIDR block for the subnet.

  4. (Optional, IPv6 only) For IPv6 CIDR block, choose Specify a custom IPv6 CIDR.

  5. Choose Yes, Create.

For more information about subnets, see VPCs and Subnets.

Attaching an Internet Gateway

To create an Internet gateway and attach it to your VPC

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Internet Gateways, and then choose Create Internet Gateway.

  3. In the Create Internet Gateway dialog box, you can optionally name your Internet gateway, and then choose Yes, Create.

  4. Select the Internet gateway that you just created, and then choose Attach to VPC.

  5. In the Attach to VPC dialog box, select your VPC from the list, and then choose Yes, Attach.

Creating a Custom Route Table

When you create a subnet, we automatically associate it with the main route table for the VPC. By default, the main route table doesn't contain a route to an Internet gateway. The following procedure creates a custom route table with a route that sends traffic destined outside the VPC to the Internet gateway, and then associates it with your subnet.

To create a custom route table

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables, and then choose Create Route Table.

  3. In the Create Route Table dialog box, optionally name your route table, then select your VPC, and then choose Yes, Create.

  4. Select the custom route table that you just created. The details pane displays tabs for working with its routes, associations, and route propagation.

  5. On the Routes tab, choose Edit, Add another route, and add the following routes as necessary. Choose Save when you're done.

    • For IPv4 traffic, specify 0.0.0.0/0 in the Destination box, and select the Internet gateway ID in the Target list.

    • For IPv6 traffic, specify ::/0 in the Destination box, and select the Internet gateway ID in the Target list.

  6. On the Subnet Associations tab, choose Edit, select the Associate check box for the subnet, and then choose Save.

For more information about route tables, see Route Tables.

Updating the Security Group Rules

Your VPC comes with a default security group. Each instance that you launch into a VPC is automatically associated with its default security group. The default settings for a default security group allow no inbound traffic from the Internet and allow all outbound traffic to the Internet. Therefore, to enable your instances to communicate with the Internet, create a new security group that allows public instances to access the Internet.

To create a new security group and associate it with your instances

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups, and then choose Create Security Group.

  3. In the Create Security Group dialog box, specify a name for the security group and a description. Select the ID of your VPC from the VPC list, and then choose Yes, Create.

  4. Select the security group. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

  5. On the Inbound Rules tab, choose Edit. Choose Add Rule, and complete the required information. For example, select HTTP or HTTPS from the Type list, and enter the Source as 0.0.0.0/0 for IPv4 traffic, or ::/0 for IPv6 traffic. Choose Save when you're done.

  6. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  7. In the navigation pane, choose Instances.

  8. Select the instance, choose Actions, then Networking, and then select Change Security Groups.

  9. In the Change Security Groups dialog box, clear the check box for the currently selected security group, and select the new one. Choose Assign Security Groups.

For more information about security groups, see Security Groups for Your VPC.

Adding Elastic IP Addresses

After you've launched an instance into the subnet, you must assign it an Elastic IP address if you want it to be reachable from the Internet over IPv4.

Note

If you assigned a public IPv4 address to your instance during launch, then your instance is reachable from the Internet, and you do not need to assign it an Elastic IP address. For more information about IP addressing for your instance, see IP Addressing in Your VPC.

To allocate an Elastic IP address and assign it to an instance using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Elastic IPs.

  3. Choose Allocate New Address.

  4. Choose Yes, Allocate.

    Note

    If your account supports EC2-Classic, first choose EC2-VPC from the Network platform list.

  5. Select the Elastic IP address from the list, choose Actions, and then choose Associate Address.

  6. In the Associate Address dialog box, select Instance or Network Interface from the Associate with list, and then either the instance or network interface ID. Select the private IP address to associate the Elastic IP address with from the Private IP address list, and then choose Yes, Associate.

For more information about Elastic IP addresses, see Elastic IP Addresses.

Detaching an Internet Gateway from Your VPC

If you no longer need Internet access for instances that you launch into a nondefault VPC, you can detach an Internet gateway from a VPC. You can't detach an Internet gateway if the VPC has instances with associated Elastic IP addresses.

To detach an Internet gateway

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Elastic IPs.

  3. Select the IP address, choose Actions, and then choose Disassociate Address. Choose Yes, Disassociate.

  4. In the navigation pane, choose Internet Gateways.

  5. Select the Internet gateway and choose Detach from VPC.

  6. In the Detach from VPC dialog box, choose Yes, Detach.

Deleting an Internet Gateway

If you no longer need an Internet gateway, you can delete it. You can't delete an Internet gateway if it's still attached to a VPC.

To delete an Internet gateway

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Internet Gateways.

  3. Select the Internet gateway and choose Delete.

  4. In the Delete Internet Gateway dialog box, choose Yes, Delete.

API and Command Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available API actions, see Accessing Amazon VPC.

  • Create an Internet gateway

  • Attach an Internet gateway to a VPC

  • Describe an Internet gateway

  • Detach an Internet gateway from a VPC

  • Delete an Internet gateway