In AWS, instances in a private subnet have no internet access by default — that's intentional, for security. But sometimes they still need to reach the internet (e.g., to download updates or call an external API).
You can't just attach an Internet Gateway to them — that would make them publicly reachable, which defeats the purpose of a private subnet.
NAT Gateway solves this. It lets private instances initiate outbound requests to the internet, but blocks any unsolicited inbound traffic. The outside world only sees the NAT Gateway's IP — never the private instance's IP.
NAT Gateway cannot directly connect to the internet — it has no door to the outside world on its own. The Internet Gateway (IGW) is the only exit point from a VPC to the internet.
So the full path looks like this:
Private EC2 → NAT Gateway → Internet Gateway → Internet
The key insight: When you set up your VPC, you already created an IGW and added 0.0.0.0/0 → IGW in your public subnet's route table. NAT Gateway simply piggybacks on that existing setup — you place it in the public subnet, and it automatically uses the route to IGW that's already there.
You never need to create a new IGW or touch the existing one. Half the work is already done.
Public Subnet Route Table (already exists from VPC setup):
0.0.0.0/0 → IGW ✅
NAT Gateway sits in public subnet → uses this route → reaches internet
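As an added check (not code from the original post), the path above can be verified against route-table data. The Python below runs on constructed records shaped like the EC2 describe-route-tables and describe-nat-gateways responses (IDs such as igw-0abc and nat-0def are made up) and flags the misconfiguration the post warns against: a private subnet whose 0.0.0.0/0 route goes straight to the IGW.

```python
# Added example, not AWS's own code: validate the Private EC2 -> NAT -> IGW path
# from route-table records shaped like the EC2 API output. All IDs are constructed.
ANY = "0.0.0.0/0"

def default_route(route_table):
    """Target of the active 0.0.0.0/0 route ('igw-...', 'nat-...', ...) or None."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == ANY and r.get("State", "active") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId")
    return None

def subnet_route_tables(route_tables):
    """Map each explicitly associated subnet to its route table (main table ignored)."""
    by_subnet = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                by_subnet[assoc["SubnetId"]] = rt
    return by_subnet

def check_nat_path(route_tables, nat_gateways, private_subnets):
    """Return findings; an empty list means the wiring matches the post."""
    findings, by_subnet = [], subnet_route_tables(route_tables)
    for nat in nat_gateways:  # the NAT Gateway's own subnet must route 0.0.0.0/0 to the IGW
        rt = by_subnet.get(nat["SubnetId"])
        if not (default_route(rt) or "").startswith("igw-") if rt else True:
            findings.append(f"{nat['NatGatewayId']} sits in {nat['SubnetId']}, which has no 0.0.0.0/0 -> IGW route")
    nat_ids = {n["NatGatewayId"] for n in nat_gateways if n.get("State") == "available"}
    for subnet in private_subnets:  # private subnets must route 0.0.0.0/0 to an available NAT Gateway
        rt = by_subnet.get(subnet)
        target = default_route(rt) if rt else None
        if target is None:
            findings.append(f"{subnet} has no 0.0.0.0/0 route; outbound internet will fail")
        elif target.startswith("igw-"):
            findings.append(f"{subnet} routes 0.0.0.0/0 to the IGW directly; it is effectively public")
        elif target not in nat_ids:
            findings.append(f"{subnet} routes 0.0.0.0/0 to {target}, which is not an available NAT Gateway")
    return findings

# Constructed sample: public subnet (IGW route), a correctly wired private subnet,
# and a private subnet mistakenly routed straight to the IGW.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": ANY, "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": ANY, "NatGatewayId": "nat-0def", "State": "active"}]},
    {"RouteTableId": "rtb-wrong", "Associations": [{"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": ANY, "GatewayId": "igw-0abc", "State": "active"}]},
]
SAMPLE_NAT_GATEWAYS = [{"NatGatewayId": "nat-0def", "SubnetId": "subnet-public", "State": "available"}]
PRIVATE_SUBNETS = ["subnet-private-a", "subnet-private-b"]
```

Only explicit subnet associations are considered; a subnet that falls back to the VPC's main route table would need that table mapped in first.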