# NAT Gateway

## What Is NAT Gateway?

NAT Gateway lets instances inside a Virtual Private Cloud (VPC) communicate with the internet — without requiring each instance to have its own public IP address.

In a typical VPC setup, instances are assigned private IP addresses that aren't reachable from the internet. NAT Gateway bridges the gap: it sits at the edge of your VPC, translates private addresses to public ones when traffic leaves, and reverses the translation when replies come back. From the internet's perspective, all outbound traffic from your VPC appears to originate from the gateway's Elastic IPs.

NAT Gateway also supports inbound forwarding: you can map a public IP and port directly to a private endpoint inside your VPC, allowing external clients to reach specific services without exposing those instances to the internet directly.

NAT Gateways can be associated with security groups for traffic filtering, giving you control over which traffic the gateway accepts and forwards.

![NAT Gateway Architecture](/files/fP3ejqts2bzNa0u5lFSU)
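The translation behaviour described above, as a conceptual Python model. This is an added example, not Zenlayer's implementation or API. The class, its method names, the port allocator and all addresses are assumptions constructed for illustration. It shows one EIP used for both SNAT and DNAT, and which inbound packets reach a private endpoint.

```python
import ipaddress

class NatGateway:
    """Conceptual NAT model: one EIP, SNAT for a subnet, static DNAT port maps."""

    def __init__(self, eip, snat_subnet, first_port=20000):
        self.eip = eip
        self.snat_subnet = ipaddress.ip_network(snat_subnet)
        self.next_port = first_port   # assumed allocator; real gateways differ
        self.dnat = {}                # public port -> (private ip, private port)
        self.flows = {}               # (public port, remote ip, remote port) -> private endpoint

    def add_dnat(self, public_port, private_ip, private_port):
        self.dnat[public_port] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """SNAT: rewrite the private source to the EIP and remember the flow."""
        if ipaddress.ip_address(src_ip) not in self.snat_subnet:
            return None               # subnet has no SNAT entry: no egress
        while self.next_port in self.dnat:
            self.next_port += 1       # never hand out a port reserved by DNAT
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.eip, public_port, dst_ip, dst_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the private endpoint a packet to the EIP reaches, or None if dropped."""
        reply = self.flows.get((public_port, remote_ip, remote_port))
        if reply:
            return reply              # reverse translation of a tracked SNAT flow
        return self.dnat.get(public_port)  # static mapping, else None (dropped)


def demo():
    gw = NatGateway("203.0.113.10", "10.0.1.0/24")   # constructed addresses
    gw.add_dnat(2222, "10.0.1.5", 22)
    sent = gw.outbound("10.0.1.7", 51000, "198.51.100.20", 443)
    return {
        "sent": sent,
        "reply": gw.inbound("198.51.100.20", 443, sent[1]),
        "unsolicited": gw.inbound("198.51.100.99", 443, sent[1]),
        "dnat": gw.inbound("192.0.2.50", 40000, 2222),
        "unmapped_port": gw.inbound("192.0.2.50", 40000, 22),
        "uncovered_subnet": gw.outbound("10.0.2.7", 51000, "198.51.100.20", 443),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model, only the reply from the contacted remote endpoint and traffic to the mapped port 2222 reach a private address; every other inbound packet has no translation and is dropped.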

***

## When to Use NAT Gateway

**Your instances need internet access but shouldn't have public IPs.** The most common use case. Database servers, worker nodes, internal APIs — any instance that needs to fetch packages, call external APIs, or send data outbound, but shouldn't be directly reachable from the internet. Assign a NAT Gateway to those subnets and they get internet access without an EIP per instance.

![Private instances reach the internet without public IPs](/files/lpQIEFEbg4StKyenYO9V)

**You want a stable, predictable egress address.** When your instances call third-party APIs that whitelist by IP, you need a fixed source address. With SNAT, all outbound traffic from a subnet exits through the same EIP — or a small pool of EIPs — making whitelisting straightforward.

![Stable, predictable egress address for IP whitelisting](/files/c823qOMOZBmZmIwnSUWU)

**You need to expose a single service port without a full public IP.** A NAT Gateway DNAT entry can map a public EIP and port directly to one private instance. This is useful when you want to provide SSH access, expose a single API endpoint, or front a backend service — without assigning a public IP to the instance itself.

![Expose a single service port via DNAT without giving the instance a public IP](/files/QYx8E5jpDOYa5BbdD6zk)

**You're running a large fleet and want to consolidate egress.** Instead of allocating and managing one EIP per instance, a NAT Gateway lets dozens or hundreds of instances share a small EIP pool for outbound traffic. This simplifies address management and reduces EIP costs.

![Consolidate egress for a large fleet through a small EIP pool](/files/yda3o3imsGtprpgTKa8W)

**Your workload runs in another cloud and you want cheaper internet egress.** If your instances live in a cloud where outbound bandwidth is expensive, you can keep the workload there and use Zenlayer as the network entry point. Attach a Border Gateway to the NAT Gateway and connect it back to the other cloud over a private link. The other-cloud instances reach the internet through the NAT Gateway's EIP at Zenlayer's bandwidth rate; replies follow the same path back. The other cloud only pays for private-link traffic — no per-GB internet egress.

![Use Zenlayer NAT Gateway as cheap egress for instances in another cloud](/files/7aYwSqjVisOOSwiqHaxy)

***

## When NAT Gateway Is Not the Right Fit

* If an instance needs a persistent, dedicated public IP for inbound connections from many clients simultaneously, assign an Elastic IP directly to that instance rather than routing all traffic through a DNAT entry.
* If your VPC needs full bidirectional connectivity with another network (on-premises or cross-region), use Border Gateway instead of NAT Gateway.
* If you need Layer 7 load balancing or TLS termination for inbound traffic, use a load balancer in front of your instances rather than DNAT entries on a NAT Gateway.

***

## In This Guide

| Page                                                                                               | What You'll Learn                                                      |
| -------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| [NAT Gateway](/welcome/elastic-compute/networking/01-overview-3/02-nat-gateway.md)                 | How the gateway works, its lifecycle, and how CU billing is calculated |
| [SNAT — Outbound Access](/welcome/elastic-compute/networking/01-overview-3/03-snat.md)             | Giving subnets internet access through shared EIPs                     |
| [DNAT — Inbound Forwarding](/welcome/elastic-compute/networking/01-overview-3/04-dnat.md)          | Forwarding public traffic to specific private endpoints                |
| [VPC Routing](/welcome/elastic-compute/networking/01-overview-3/05-routing.md)                     | How NAT Gateway affects your VPC route table                           |
| [Best Practices](/welcome/elastic-compute/networking/01-overview-3/06-best-practices.md)           | Recommendations and troubleshooting                                    |
| [Configuration Guide](/welcome/elastic-compute/networking/01-overview-3/07-configuration-guide.md) | Step-by-step console instructions                                      |

***

## Frequently Asked Questions

**Do my instances need any changes to use NAT Gateway?** No. Once a SNAT entry is created and the VPC routes are in place, instances in the covered subnets automatically use the gateway for outbound traffic. No software changes or additional configuration on the instances are required.

**Can one NAT Gateway serve all subnets in my VPC?** A NAT Gateway is a regional resource, and our VPCs are global. A single gateway can serve every subnet of the VPC that sits in the gateway's region — either all of them or a chosen subset — but it cannot serve subnets in other regions. For egress from another region, create a NAT Gateway in that region.

**Can I use the same EIP for both outbound (SNAT) and inbound (DNAT)?** Yes. The same EIP can appear in a SNAT entry as a shared egress address and also in one or more DNAT entries for specific port mappings. Outbound and inbound translations are tracked independently.

**Is there any downtime when I create or modify entries?** Existing connections are not interrupted when you add a new SNAT or DNAT entry. New entries become active after the gateway applies the rule.

