AWS::EC2::NatGateway - AWS CloudFormation


Specifies a network address translation (NAT) gateway in the specified subnet. You can create either a public NAT gateway or a private NAT gateway. The default is a public NAT gateway. If you create a public NAT gateway, you must specify an elastic IP address.

With a NAT gateway, instances in a private subnet can connect to the internet, other AWS services, or an on-premises network using the IP address of the NAT gateway.

If you add a default route (AWS::EC2::Route resource) that points to a NAT gateway, specify the NAT gateway ID for the route's NatGatewayId property.

For more information, see NAT Gateways in the Amazon VPC User Guide.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

    {
      "Type" : "AWS::EC2::NatGateway",
      "Properties" : {
          "AllocationId" : String,
          "ConnectivityType" : String,
          "SubnetId" : String,
          "Tags" : [ Tag, ... ]
        }
    }

YAML

    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: String
      ConnectivityType: String
      SubnetId: String
      Tags:
        - Tag



AllocationId

[Public NAT gateway only] The allocation ID of the Elastic IP address that's associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified with a private NAT gateway.

Required: Conditional

Type: String

Update requires: Replacement


ConnectivityType

Indicates whether the NAT gateway supports public or private connectivity. The default is public connectivity.

Required: No

Type: String

Allowed values: private | public

Update requires: Replacement


SubnetId

The ID of the subnet in which the NAT gateway is located.

Required: Yes

Type: String

Update requires: Replacement


Tags

The tags for the NAT gateway.

Required: No

Type: List of Tag

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example, nat-0a12bc456789de0fg.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The ID of the NAT gateway.


NAT gateway

The following example creates a public NAT gateway and a route that sends all internet-bound traffic from the private subnet with EC2 instances to the NAT gateway. A public NAT gateway uses an elastic IP address to provide it with a public IP address that doesn't change. Note that the route table for the public subnet with the NAT gateway must also have a route that sends all internet-bound traffic to an internet gateway, so that the NAT gateway can connect to the internet.


JSON

    "NATGateway" : {
       "Type" : "AWS::EC2::NatGateway",
       "Properties" : {
          "AllocationId" : { "Fn::GetAtt" : ["NATGatewayEIP", "AllocationId"] },
          "SubnetId" : { "Ref" : "PublicSubnet" },
          "Tags" : [ {"Key" : "stack", "Value" : "production" } ]
         }
    },
    "NATGatewayEIP" : {
       "Type" : "AWS::EC2::EIP",
       "Properties" : {
          "Domain" : "vpc"
       }
    },
    "RouteNATGateway" : {
       "DependsOn": [ "NATGateway" ],
       "Type" : "AWS::EC2::Route",
       "Properties" : {
          "RouteTableId" : { "Ref" : "PrivateRouteTable" },
          "DestinationCidrBlock" : "0.0.0.0/0",
          "NatGatewayId" : { "Ref" : "NATGateway" }
       }
    }

YAML

    NATGateway:
      Type: AWS::EC2::NatGateway
      Properties:
        AllocationId: !GetAtt NATGatewayEIP.AllocationId
        SubnetId: !Ref PublicSubnet
        Tags:
          - Key: stack
            Value: production
    NATGatewayEIP:
      Type: AWS::EC2::EIP
      Properties:
        Domain: vpc
    RouteNATGateway:
      DependsOn: NATGateway
      Type: AWS::EC2::Route
      Properties:
        RouteTableId: !Ref PrivateRouteTable
        DestinationCidrBlock: '0.0.0.0/0'
        NatGatewayId: !Ref NATGateway
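The property rules described earlier (AllocationId is required for a public NAT gateway and cannot be specified with a private one, ConnectivityType accepts private | public and defaults to public, SubnetId is required) can be checked against a JSON template before deployment. The following Python check is an added example, not part of the AWS documentation; the function name, finding messages and sample template are constructed for illustration.

```python
import json

# Constructed sample template; logical IDs and values are hypothetical.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "PublicOk": {"Type": "AWS::EC2::NatGateway", "Properties": {
    "AllocationId": {"Fn::GetAtt": ["Eip", "AllocationId"]},
    "SubnetId": {"Ref": "PublicSubnet"}}},
  "PublicNoEip": {"Type": "AWS::EC2::NatGateway", "Properties": {
    "ConnectivityType": "public", "SubnetId": {"Ref": "PublicSubnet"}}},
  "PrivateWithEip": {"Type": "AWS::EC2::NatGateway", "Properties": {
    "ConnectivityType": "private",
    "AllocationId": {"Fn::GetAtt": ["Eip", "AllocationId"]},
    "SubnetId": {"Ref": "PrivateSubnet"}}},
  "BadType": {"Type": "AWS::EC2::NatGateway", "Properties": {
    "ConnectivityType": "internal"}},
  "Eip": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}}
}}
""")


def check_nat_gateways(template):
    """Return (logical_id, message) findings for NAT gateways that break the documented rules."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::NatGateway":
            continue
        props = resource.get("Properties") or {}
        if "SubnetId" not in props:
            findings.append((logical_id, "SubnetId is required"))
        # ConnectivityType defaults to public when omitted.
        connectivity = props.get("ConnectivityType", "public")
        if not isinstance(connectivity, str):
            # Intrinsic function (Ref, Fn::If, ...): value is unknown until deploy time.
            findings.append((logical_id, "ConnectivityType is not a literal; review manually"))
        elif connectivity not in ("public", "private"):
            findings.append((logical_id, f"ConnectivityType {connectivity!r} is not private | public"))
        elif connectivity == "public" and "AllocationId" not in props:
            findings.append((logical_id, "public NAT gateway requires AllocationId"))
        elif connectivity == "private" and "AllocationId" in props:
            findings.append((logical_id, "AllocationId cannot be set on a private NAT gateway"))
    return findings


if __name__ == "__main__":
    for logical_id, message in check_nat_gateways(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {message}")
```

Because AllocationId, ConnectivityType and SubnetId all require replacement on update, catching these mistakes before the stack is created avoids a later gateway replacement.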