Connect to the internet using an internet gateway - Amazon Virtual Private Cloud

Connect to the internet using an internet gateway

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.

An internet gateway enables resources in your public subnets (such as EC2 instances) to connect to the internet if the resource has a public IPv4 address or an IPv6 address. Similarly, resources on the internet can initiate a connection to resources in your subnet using the public IPv4 address or IPv6 address. For example, an internet gateway enables you to connect to an EC2 instance in AWS using your local computer.

An internet gateway provides a target in your VPC route tables for internet-routable traffic. For communication using IPv4, the internet gateway also performs network address translation (NAT). For communication using IPv6, NAT is not needed because IPv6 addresses are public. For more information, see IP addresses and NAT.

Configuration for internet access

To enable your instances to receive or send traffic from the internet, do the following:

  1. Create an internet gateway and attach it to your VPC.

  2. Add a route to your subnet's route table that directs internet-bound traffic to the internet gateway.

  3. Ensure that instances in your subnet have a globally unique IP address (a public IPv4 address, an Elastic IP address, or an IPv6 address).

  4. Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.

To provide your instances with internet access without assigning them public IP addresses, use a NAT device instead. A NAT device enables instances in a private subnet to connect to the internet, but prevents hosts on the internet from initiating connections with the instances. For more information, see NAT devices.

Public and private subnets

If a subnet is associated with a route table that has a route to an internet gateway, it's known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it's known as a private subnet.

In your public subnet's route table, you can specify a route for the internet gateway to all destinations not explicitly known to the route table (0.0.0.0/0 for IPv4 or ::/0 for IPv6). Alternatively, you can scope the route to a narrower range of IP addresses; for example, the public IPv4 addresses of your company’s public endpoints outside of AWS, or the Elastic IP addresses of other Amazon EC2 instances outside your VPC.

IP addresses and NAT

To enable communication over the internet for IPv4, your instance must have a public IPv4 address. You can either configure your VPC to automatically assign public IPv4 addresses to your instances, or you can assign Elastic IP addresses to your instances. Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet. The internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the internet, the reply address field is set to the public IPv4 address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that's destined for the public IPv4 address or Elastic IP address of your instance has its destination address translated into the instance's private IPv4 address before the traffic is delivered to the VPC.

To enable communication over the internet for IPv6, your VPC and subnet must have an associated IPv6 CIDR block, and your instance must be assigned an IPv6 address from the range of the subnet. IPv6 addresses are globally unique, and therefore public by default.

In the following diagram, the subnet in Availability Zone A is a public subnet. The route table for this subnet has a route that sends all internet-bound IPv4 traffic to the internet gateway. The instances in the public subnet must have public IP addresses or Elastic IP addresses to enable communication with the internet over the internet gateway. For comparison, the subnet in Availability Zone B is a private subnet because its route table does not have a route to the internet gateway. Instances in the private subnet can't communicate with the internet over the internet gateway, even if they have public IP addresses.
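The rules stated above (a subnet is public only if its route table sends traffic to an internet gateway that is attached to the VPC, and an instance is reachable over that gateway only if it also has a public IPv4, Elastic IP, or IPv6 address) are easy to misread when reviewing an account. The following audit script is an added example, not code from the AWS documentation: it classifies instances using dictionaries shaped like the EC2 DescribeInternetGateways, DescribeRouteTables and DescribeInstances responses. All IDs and addresses are constructed samples. It does not model security groups or network ACLs, which also have to permit the traffic.

```python
"""Audit which subnets in a VPC are public and which instances are actually
internet-reachable through the internet gateway (added example; constructed
sample data shaped like EC2 API responses, IDs are made up)."""

VPC_ID = "vpc-0abc123"

INTERNET_GATEWAYS = [
    {"InternetGatewayId": "igw-0aaa111",
     "Attachments": [{"VpcId": VPC_ID, "State": "available"}]},
]

ROUTE_TABLES = [
    {   # main table: applies to every subnet without an explicit association
        "RouteTableId": "rtb-main", "VpcId": VPC_ID,
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # custom table: default IPv4 and IPv6 routes target the internet gateway
        "RouteTableId": "rtb-public", "VpcId": VPC_ID,
        "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa111", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0aaa111", "State": "active"},
        ],
    },
]

INSTANCES = [
    {"InstanceId": "i-web", "VpcId": VPC_ID, "SubnetId": "subnet-a",
     "PublicIpAddress": "203.0.113.10", "NetworkInterfaces": []},
    {"InstanceId": "i-v6", "VpcId": VPC_ID, "SubnetId": "subnet-a",
     "NetworkInterfaces": [{"Ipv6Addresses": [{"Ipv6Address": "2001:db8::10"}]}]},
    {"InstanceId": "i-app", "VpcId": VPC_ID, "SubnetId": "subnet-a",
     "NetworkInterfaces": []},                                   # public subnet, private IP only
    {"InstanceId": "i-db", "VpcId": VPC_ID, "SubnetId": "subnet-b",
     "PublicIpAddress": "203.0.113.11", "NetworkInterfaces": []},  # public IP in a private subnet
]


def attached_gateways(vpc_id, gateways=INTERNET_GATEWAYS):
    """IDs of internet gateways attached (state 'available') to the VPC."""
    return {g["InternetGatewayId"] for g in gateways
            for a in g.get("Attachments", [])
            if a.get("VpcId") == vpc_id and a.get("State") == "available"}


def route_table_for_subnet(subnet_id, vpc_id, route_tables=ROUTE_TABLES):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    tables = [rt for rt in route_tables if rt["VpcId"] == vpc_id]
    for rt in tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt
    raise LookupError(f"no route table for {subnet_id} in {vpc_id}")


def is_public_subnet(subnet_id, vpc_id, route_tables=ROUTE_TABLES, gateways=INTERNET_GATEWAYS):
    """Public: the subnet's route table has an active route whose target is an
    internet gateway attached to this VPC (a detached or blackholed target does not count)."""
    igws = attached_gateways(vpc_id, gateways)
    rt = route_table_for_subnet(subnet_id, vpc_id, route_tables)
    return any(r.get("GatewayId") in igws and r.get("State", "active") == "active"
               for r in rt["Routes"])


def has_global_address(instance):
    """Public IPv4 / Elastic IP, or an IPv6 address (globally unique by design)."""
    if instance.get("PublicIpAddress"):
        return True
    return any(eni.get("Ipv6Addresses") for eni in instance.get("NetworkInterfaces", []))


def audit_vpc(vpc_id, instances=INSTANCES, route_tables=ROUTE_TABLES, gateways=INTERNET_GATEWAYS):
    """Reachable via the internet gateway requires BOTH a public subnet and a
    global address; the other two buckets are the common misreadings."""
    report = {"reachable": [], "public_subnet_no_address": [], "address_in_private_subnet": []}
    for inst in instances:
        if inst.get("VpcId") != vpc_id:
            continue
        public = is_public_subnet(inst["SubnetId"], vpc_id, route_tables, gateways)
        addressed = has_global_address(inst)
        if public and addressed:
            report["reachable"].append(inst["InstanceId"])
        elif public:
            report["public_subnet_no_address"].append(inst["InstanceId"])
        elif addressed:
            report["address_in_private_subnet"].append(inst["InstanceId"])
    return report


if __name__ == "__main__":
    for bucket, ids in audit_vpc(VPC_ID).items():
        print(f"{bucket}: {ids}")
```

On the sample data, i-db lands in address_in_private_subnet, which is exactly the diagram's case of an instance in Availability Zone B that holds a public IP but cannot use the internet gateway; i-app shows the opposite mismatch. Against a real account, the three lists would be filled from the corresponding describe calls instead of the constants.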


Figure: A VPC with an internet gateway

Internet access for default and nondefault VPCs

The following table provides an overview of whether your VPC automatically comes with the components required for internet access over IPv4 or IPv6.

Component                                                                   | Default VPC          | Nondefault VPC
----------------------------------------------------------------------------|----------------------|-----------------------
Internet gateway                                                            | Yes                  | No
Route table with route to internet gateway for IPv4 traffic (0.0.0.0/0)     | Yes                  | No
Route table with route to internet gateway for IPv6 traffic (::/0)          | No                   | No
Public IPv4 address automatically assigned to instance launched into subnet | Yes (default subnet) | No (nondefault subnet)
IPv6 address automatically assigned to instance launched into subnet        | No (default subnet)  | No (nondefault subnet)

For more information about default VPCs, see Default VPCs. For more information about creating a VPC, see Create a VPC.

Work with internet gateways

The following describes how to support internet access from a subnet in your VPC using an internet gateway. To remove internet access, you can detach the internet gateway from your VPC and then delete it.

Create an internet gateway

Use the following procedure to create an internet gateway.

To create an internet gateway
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Internet gateways.

  3. Choose Create internet gateway.

  4. (Optional) Enter a name for your internet gateway.

  5. (Optional) To add a tag, choose Add new tag and enter the tag key and value.

  6. Choose Create internet gateway.

  7. (Optional) To attach the internet gateway to a VPC now, choose Attach to a VPC from the banner at the top of the screen, select an available VPC, and then choose Attach internet gateway. Otherwise, you can attach your internet gateway to a VPC at another time.

Attach an internet gateway to a VPC

To use an internet gateway, you must attach it to a VPC.

To attach an internet gateway to a VPC
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Internet gateways.

  3. Select the check box for the internet gateway.

  4. Choose Actions, Attach to VPC.

  5. Select an available VPC.

  6. Choose Attach internet gateway.

Detach an internet gateway from your VPC

If you no longer need internet access for instances that you launch into a VPC, you can detach an internet gateway from a VPC. You can't detach an internet gateway if the VPC has resources with associated public IP addresses or Elastic IP addresses.

To detach an internet gateway
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Internet gateways.

  3. Select the check box for the internet gateway.

  4. Choose Actions, Detach from VPC.

  5. When prompted for confirmation, choose Detach internet gateway.

Delete an internet gateway

If you no longer need an internet gateway, you can delete it. You can't delete an internet gateway if it's still attached to a VPC.

To delete an internet gateway
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Internet gateways.

  3. Select the check box for the internet gateway.

  4. Choose Actions, Delete internet gateway.

  5. When prompted for confirmation, enter delete, and then choose Delete internet gateway.

API and command overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available API actions, see Working with Amazon VPC.

Create an internet gateway
Attach an internet gateway to a VPC
Describe an internet gateway
Detach an internet gateway from a VPC
Delete an internet gateway
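The create, attach, describe, detach and delete actions listed above, together with the route-table change from the configuration steps, are shown below as one scripted lifecycle. This is an added example, not code from the AWS documentation or from the AWS SDK. Each function takes an EC2 client object; with the real boto3 client it calls create_internet_gateway, attach_internet_gateway, create_route, describe_internet_gateways, describe_route_tables, delete_route, detach_internet_gateway and delete_internet_gateway, which are the boto3 method names for those actions. The FakeEc2 class is a constructed in-memory stand-in so the script runs offline; VPC and route-table IDs are placeholders.

```python
"""Enable, verify and remove internet access for a VPC through the EC2 API
(added example; FakeEc2 is a constructed offline stand-in for boto3's client)."""


def enable_internet_access(ec2, vpc_id, route_table_id, ipv6=False, name=None):
    """Create an internet gateway, attach it to the VPC, and add the default
    route (0.0.0.0/0 or ::/0) so subnets using this route table become public."""
    kwargs = {}
    if name:  # optional Name tag, as in the console procedure
        kwargs["TagSpecifications"] = [{"ResourceType": "internet-gateway",
                                        "Tags": [{"Key": "Name", "Value": name}]}]
    igw_id = ec2.create_internet_gateway(**kwargs)["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    if ipv6:
        ec2.create_route(RouteTableId=route_table_id, DestinationIpv6CidrBlock="::/0", GatewayId=igw_id)
    else:
        ec2.create_route(RouteTableId=route_table_id, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw_id)
    return igw_id


def is_attached(ec2, igw_id, vpc_id):
    """Describe the gateway and confirm it is attached to this VPC."""
    for igw in ec2.describe_internet_gateways(InternetGatewayIds=[igw_id])["InternetGateways"]:
        for att in igw.get("Attachments", []):
            if att.get("VpcId") == vpc_id and att.get("State") == "available":
                return True
    return False


def remove_internet_access(ec2, vpc_id, igw_id):
    """Reverse the setup: delete every route that targets the gateway, then
    detach and delete it. Returns the number of routes removed. Detaching still
    fails while the VPC has resources with public or Elastic IP addresses."""
    removed = 0
    tables = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]
    for rt in tables:
        for route in rt["Routes"]:
            if route.get("GatewayId") != igw_id:
                continue
            if "DestinationCidrBlock" in route:
                ec2.delete_route(RouteTableId=rt["RouteTableId"], DestinationCidrBlock=route["DestinationCidrBlock"])
            else:
                ec2.delete_route(RouteTableId=rt["RouteTableId"], DestinationIpv6CidrBlock=route["DestinationIpv6CidrBlock"])
            removed += 1
    ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    ec2.delete_internet_gateway(InternetGatewayId=igw_id)
    return removed


class FakeEc2:
    """Constructed in-memory stand-in for the boto3 EC2 client (offline only)."""

    def __init__(self):
        self.calls, self.attachments, self.routes = [], set(), {}

    def create_internet_gateway(self, **kwargs):
        self.calls.append("CreateInternetGateway")
        return {"InternetGateway": {"InternetGatewayId": "igw-fake"}}

    def attach_internet_gateway(self, InternetGatewayId, VpcId):
        self.calls.append("AttachInternetGateway")
        self.attachments.add((InternetGatewayId, VpcId))

    def create_route(self, RouteTableId, GatewayId, **dest):
        self.calls.append("CreateRoute")
        self.routes.setdefault(RouteTableId, []).append(dict(dest, GatewayId=GatewayId))

    def describe_internet_gateways(self, InternetGatewayIds):
        return {"InternetGateways": [
            {"InternetGatewayId": i, "Attachments": [{"VpcId": v, "State": "available"}
                                                      for g, v in self.attachments if g == i]}
            for i in InternetGatewayIds]}

    def describe_route_tables(self, Filters):
        return {"RouteTables": [{"RouteTableId": k, "Routes": list(v)} for k, v in self.routes.items()]}

    def delete_route(self, RouteTableId, **dest):
        self.calls.append("DeleteRoute")
        self.routes[RouteTableId] = [r for r in self.routes[RouteTableId] if not dest.items() <= r.items()]

    def detach_internet_gateway(self, InternetGatewayId, VpcId):
        self.calls.append("DetachInternetGateway")
        self.attachments.discard((InternetGatewayId, VpcId))

    def delete_internet_gateway(self, InternetGatewayId):
        self.calls.append("DeleteInternetGateway")


if __name__ == "__main__":
    ec2 = FakeEc2()  # replace with boto3.client("ec2") to run against a real account
    igw = enable_internet_access(ec2, "vpc-PLACEHOLDER", "rtb-PLACEHOLDER", name="public-igw")
    print(igw, "attached:", is_attached(ec2, igw, "vpc-PLACEHOLDER"))
    print("routes removed:", remove_internet_access(ec2, "vpc-PLACEHOLDER", igw))
```

The order in remove_internet_access matters: deleting the routes first means subnets stop being public before the gateway goes away, and the subsequent delete call only succeeds because the gateway has already been detached, matching the constraint stated in the delete procedure.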

Pricing

There is no charge for an internet gateway, but there are data transfer charges for EC2 instances that use internet gateways. For more information, see Amazon EC2 On-Demand Pricing.