AWS Services

NAT Gateway vs VPC Endpoints

Compare NAT gateways and VPC endpoints for private subnet outbound access, AWS service access, security boundaries, availability, cost, and SAA-C03 exam traps.

Foundation. 8 min read. Updated 2026-06-03.
Tags: Cloud, Certification, Networking, Security, Cost, Tradeoffs
Topics: NAT Gateway, VPC Endpoint, Gateway Endpoint, Interface Endpoint, Private Subnet, Egress Path, AWS PrivateLink, Endpoint Policy

After this, you will understand

This comparison turns private subnet egress questions into a clean decision: broad outbound access through NAT or private service-specific access through endpoints.

Plain version

Use NAT Gateway when private workloads need outbound access to the internet or external networks; use VPC endpoints when they need private access to supported AWS services.

Decision pressure

Learners route every private subnet AWS API call through NAT and miss cheaper, narrower, more private endpoint paths.

Exam-ready model

List each outbound dependency, then decide whether it is an external destination, a supported AWS service, or a private service exposed through PrivateLink.

Think before reading

When should a private subnet use a NAT Gateway instead of a VPC endpoint?

Use a NAT Gateway when the workload must initiate outbound connections to internet or external destinations that are not reachable through a supported VPC endpoint.


Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. VPC Endpoints And PrivateLink (aws-services)
  2. Gateway vs Interface VPC Endpoints (aws-services)

Concepts Covered

  • NAT gateways
  • Public and private NAT gateways
  • Gateway VPC endpoints
  • Interface VPC endpoints
  • Private subnet egress
  • Internet-bound traffic
  • AWS service traffic
  • Route table decisions
  • Endpoint policies
  • SAA-C03 cost and security traps

1. Plain-English Mental Model

A NAT Gateway is an outbound door for private resources. It lets private subnet workloads initiate connections to destinations outside the VPC without allowing unsolicited inbound connections back to those workloads.

A VPC endpoint is a private service door. It gives a VPC a private path to a supported AWS service, an endpoint service, or a supported private resource pattern without using a general internet egress path.

The short model is:

NAT Gateway = outbound path to internet or external networks
VPC endpoint = private path to a specific supported service

This distinction matters because private subnet workloads often need two very different kinds of outbound access:

  • downloading patches, calling third-party APIs, or reaching public package repositories
  • calling AWS services such as S3, DynamoDB, KMS, Secrets Manager, ECR, STS, or CloudWatch Logs

Those are not the same problem.

2. Why This Service Exists

Private subnets are meant to reduce direct internet exposure, but private workloads still need dependencies.

An EC2 instance may need operating system updates. An ECS task may need to pull a container image. A Lambda function attached to a VPC may need Secrets Manager. A data processing job may need S3. A backend service may need to call a payment provider.

NAT Gateway exists because private workloads sometimes need to initiate outbound connections beyond the VPC. VPC endpoints exist because many AWS service calls should not require a broad internet egress path.

For SAA-C03, the exam often hides the answer in a phrase:

  • "private subnet needs outbound internet access" points to NAT Gateway
  • "private subnet needs S3 without NAT" points to an S3 gateway endpoint
  • "private access to AWS service APIs without public internet" often points to interface endpoints
  • "least cost private access to S3 or DynamoDB" usually points to gateway endpoints

3. The Naive Approach And Where It Breaks

The naive design sends all private subnet traffic through NAT:

private workload -> NAT Gateway -> internet gateway -> destination

That can work, but it has three problems.

First, it is broad. A NAT route to 0.0.0.0/0 gives private workloads a general outbound path unless other controls limit it.

Second, it can be expensive. NAT gateways have hourly and data processing charges. High-volume S3 or DynamoDB traffic can make this painfully visible.

Third, it is less precise than the requirement. If the workload only needs S3, the architecture does not need general outbound internet access.

The opposite mistake is assuming endpoints replace NAT completely. They do not. If a private subnet app must call a public SaaS API, download packages from the internet, or reach an unsupported external endpoint, a VPC endpoint is not the answer unless that destination is exposed through an applicable private connectivity pattern.

4. Core Primitives

A public NAT Gateway is placed in a public subnet and associated with an Elastic IP address. Private subnet route tables send outbound internet-bound IPv4 traffic to the NAT gateway. The NAT gateway uses the public subnet's route to the internet gateway.

A private NAT Gateway supports private connectivity to other VPCs or on-premises networks through routes such as Transit Gateway or virtual private gateway paths. It is not an internet egress gateway.

A gateway VPC endpoint is a route table target for supported services, primarily S3 and DynamoDB for SAA-C03. AWS adds service prefix list routes to selected route tables.

An interface VPC endpoint creates endpoint network interfaces in selected subnets. Those ENIs have private IP addresses and security groups. Private DNS can make normal AWS service names resolve to the endpoint inside the VPC.

Endpoint policies can restrict how an endpoint is used. They do not replace IAM permissions, resource policies, or KMS key policies.

5. Architecture Use Cases

Use NAT Gateway when private instances need to download operating system packages from internet repositories.

Use NAT Gateway when applications must call external SaaS APIs that are only available on public internet endpoints.

Use an S3 gateway endpoint when private EC2 instances, ECS tasks, or batch jobs need private access to S3 in the same Region without NAT.

Use a DynamoDB gateway endpoint when private workloads need DynamoDB access without NAT.

Use interface endpoints for AWS service APIs that support PrivateLink, such as Secrets Manager, KMS, STS, Systems Manager, ECR APIs, ECR Docker registry, CloudWatch Logs, and many others.

A locked-down private compute design may look like this:

private ECS task
  -> gateway endpoint for S3
  -> interface endpoint for ECR API
  -> interface endpoint for ECR Docker registry
  -> interface endpoint for CloudWatch Logs
  -> interface endpoint for Secrets Manager

If no external internet calls remain, NAT may not be needed for that workload.
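The locked-down design above expressed as Terraform. This is an added example, not code from the page; var.vpc_id, var.vpc_cidr, var.region, var.private_subnet_ids and var.private_route_table_ids are assumed inputs.

```hcl
# Added example, not code from the page: Terraform for the private ECS design
# above. var.vpc_id, var.vpc_cidr, var.region, var.private_subnet_ids and
# var.private_route_table_ids are assumed inputs (placeholders).
variable "vpc_id" {}
variable "vpc_cidr" {}
variable "region" {}
variable "private_subnet_ids" { type = list(string) }
variable "private_route_table_ids" { type = list(string) }

# Security group for the interface endpoint ENIs: only HTTPS from inside the VPC.
resource "aws_security_group" "vpce" {
  name   = "vpce-https"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Gateway endpoint for S3: a route-table target with no ENIs and no hourly
# charge. ECR image layers are fetched from S3, so ECS pulls need this too.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

# Interface endpoints for the services the task actually calls. Private DNS
# makes the normal SDK hostnames resolve to the endpoint ENIs inside the VPC.
resource "aws_vpc_endpoint" "interface" {
  for_each = {
    ecr_api = "ecr.api"
    ecr_dkr = "ecr.dkr"
    logs    = "logs"
    secrets = "secretsmanager"
  }
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.value}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true
}
# Deliberately no aws_route for 0.0.0.0/0 on these route tables: with every
# dependency covered by an endpoint, the tasks have no general internet path.
```

Before removing a NAT route from an existing workload, check VPC Flow Logs for remaining destinations outside the endpoint prefix lists; anything still hitting the NAT is a dependency the endpoint set does not cover.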

7. Security Model

NAT Gateway is a network address translation path. It does not decide which AWS API actions a role can perform. It also does not inspect application intent.

Security groups on the workload, NACLs, route tables, firewall services, DNS controls, and IAM policies still matter.

VPC endpoints can narrow the network path to supported services. Gateway endpoints use route tables. Interface endpoints use security groups on endpoint ENIs. Endpoint policies can add another authorization layer.

For S3, a bucket policy can restrict access to a specific VPC endpoint. This prevents access to that bucket from unexpected paths even if the principal has credentials.
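The two authorization layers this section and section 4 describe (an endpoint policy, then a bucket policy pinned to the endpoint), as an added example rather than the page's own code. var.s3_endpoint_id, var.bucket_name and var.account_id are assumed placeholders.

```hcl
# Added example, not code from the page. var.s3_endpoint_id, var.bucket_name
# and var.account_id are assumed inputs (placeholders for the gateway
# endpoint, the bucket and the account).
variable "s3_endpoint_id" {}
variable "bucket_name" {}
variable "account_id" {}

# Endpoint policy on the S3 gateway endpoint: only this account's principals,
# and only the application bucket, may pass through this door. It narrows the
# path; it grants nothing on its own (IAM and the bucket policy still apply).
resource "aws_vpc_endpoint_policy" "s3" {
  vpc_endpoint_id = var.s3_endpoint_id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
      Condition = {
        StringEquals = { "aws:PrincipalAccount" = var.account_id }
      }
    }]
  })
}

# Bucket policy: an explicit Deny beats any Allow, so a request arriving via
# NAT, from another VPC, or with credentials copied off the host is refused
# even when the principal's IAM policy would allow it.
resource "aws_s3_bucket_policy" "vpce_only" {
  bucket = var.bucket_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromVpce"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = var.s3_endpoint_id }
      }
    }]
  })
}
```

This Deny also locks out the console, CI pipelines and any AWS service that reaches the bucket from outside the VPC, so in practice the condition is paired with an exception for a named administrative role.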

For NAT-based egress, egress security may require additional controls such as AWS Network Firewall, Route 53 Resolver DNS Firewall, proxy patterns, or strict security group egress rules.

The key security distinction:

NAT = broad outbound path
endpoint = service-specific private path

8. Reliability And Resilience

NAT Gateway is an Availability Zone scoped resource in normal designs. For highly available private subnet egress, place NAT gateways in multiple AZs and route each private subnet to the NAT gateway in the same AZ where possible.

If private subnets in multiple AZs all route to one NAT gateway, that NAT gateway and its AZ become an egress dependency.
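One NAT Gateway per AZ with each private route table pointing at the NAT in its own AZ, as an added example rather than code from the page. var.public_subnet_by_az and var.private_route_table_by_az are assumed maps keyed by AZ name, and both maps are assumed to use the same keys.

```hcl
# Added example, not code from the page: per-AZ NAT egress so that no single
# AZ is an egress dependency for the others. Assumed inputs (placeholders):
#   public_subnet_by_az       = { "us-east-1a" = "subnet-aaa", "us-east-1b" = "subnet-bbb" }
#   private_route_table_by_az = { "us-east-1a" = "rtb-aaa",    "us-east-1b" = "rtb-bbb" }
variable "public_subnet_by_az" { type = map(string) }
variable "private_route_table_by_az" { type = map(string) }

# A public NAT gateway must be associated with an Elastic IP: one per AZ.
resource "aws_eip" "nat" {
  for_each = var.public_subnet_by_az
  domain   = "vpc"
}

# NAT gateways live in the PUBLIC subnets. A NAT placed in a private subnet
# has no route to the internet gateway and cannot forward anything outbound.
resource "aws_nat_gateway" "this" {
  for_each          = var.public_subnet_by_az
  subnet_id         = each.value
  allocation_id     = aws_eip.nat[each.key].id
  connectivity_type = "public"
}

# Default route in each private route table -> the NAT gateway in the SAME AZ.
# Sending every AZ through one NAT makes that AZ a single egress dependency
# and adds cross-AZ data transfer on top of NAT processing charges.
resource "aws_route" "private_default" {
  for_each               = var.private_route_table_by_az
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[each.key].id
}
```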

Gateway endpoints are managed and should be associated with every route table whose subnets need the service path.

Interface endpoints should be deployed in the Availability Zones where dependent workloads run. Otherwise, workloads may depend on endpoint ENIs in another AZ, adding cross-AZ dependency and cost.

Endpoints do not make the target service available if the service itself has an outage. They improve the connectivity path, not every downstream failure mode.

9. Performance And Scaling

NAT Gateway is managed and scales, but it is still a shared egress path in your architecture. Heavy traffic through NAT can create cost and observability concerns.

VPC endpoints can remove AWS service traffic from NAT paths. This can reduce egress bottlenecks and make traffic paths easier to reason about.

Gateway endpoints are efficient for S3 and DynamoDB because route tables send service-destined traffic directly to the endpoint target.

Interface endpoints use ENIs and PrivateLink. Good subnet and AZ placement matters because clients connect to private IP addresses in those subnets.

Performance questions usually come down to the destination. External dependency means NAT or another egress design. Supported AWS service means endpoint if private access is required.

10. Cost Model

NAT Gateway commonly charges for hourly usage and data processing. Data transfer can also matter depending on route and destination.

Gateway endpoints for S3 and DynamoDB have no additional endpoint hourly charge, making them a frequent lowest-cost answer for private access to those services.

Interface endpoints generally have hourly and data processing charges. They can still be cheaper than NAT for some traffic patterns, and they may satisfy security requirements NAT cannot.

Do not assume "endpoint" always means cheaper. Compare endpoint hourly charges, number of AZs, data volume, NAT charges, and the security value of private paths.

For SAA-C03, the classic cost trap is sending high-volume S3 traffic from private subnets through NAT when an S3 gateway endpoint satisfies the requirement.

12. SAA-C03 Exam Signals

"Private subnet needs outbound internet access" points to NAT Gateway.

"Private subnet instances need OS updates" often points to NAT Gateway unless the update source is available through another private path.

"Private subnet EC2 needs S3 access without NAT" points to an S3 gateway endpoint.

"Private subnet app needs DynamoDB without NAT" points to a DynamoDB gateway endpoint.

"Access Secrets Manager, KMS, STS, ECR, CloudWatch Logs, or Systems Manager privately" often points to interface endpoints.

"Reduce NAT gateway data processing cost for S3 access" points to a gateway endpoint.

"External services must not initiate connections to private instances" is consistent with NAT behavior, but security groups and routes still matter.

13. Common Exam Traps

Do not use NAT Gateway when the only dependency is S3 or DynamoDB private access.

Do not use a gateway endpoint for arbitrary AWS services. Gateway endpoints are not the universal endpoint type.

Do not assume VPC endpoints grant IAM permission.

Do not put a public NAT Gateway in a private subnet.

Do not use one NAT Gateway in one AZ for a highly available multi-AZ app without understanding the dependency.

Do not assume private NAT Gateway provides internet access. It is for private network destinations through private routing paths.

Do not forget private DNS for interface endpoints when applications use normal AWS SDK service hostnames.

Review VPC Endpoints And PrivateLink, Gateway vs Interface VPC Endpoints, Public vs Private Subnets, and Private App Access To S3.
