👈

🌐 Internet Gateway (IGW) in AWS – Complete Explanation

🌐 Internet Gateway (IGW) in AWS – Complete Explanation

1️⃣ What is an Internet Gateway?

An Internet Gateway (IGW) is a managed AWS component that allows communication between a VPC and the public internet.

Simple definition:

An Internet Gateway enables resources inside a VPC to connect to the internet and allows internet traffic to reach public resources in the VPC.

2️⃣ Why Internet Gateway Is Needed

Let’s first understand the problem.

🔴 Problem 1: VPC Is Isolated by Default

When you create a VPC:

It is a private network
It has no internet access
Even if an EC2 has a public IP, it cannot access the internet

Why? Because:

There is no path to the internet

🔴 Problem 2: Internet Needs a Logical Entry/Exit Point

AWS does not allow:

Random internet traffic directly entering your VPC

Instead:

Internet traffic must pass through a controlled gateway

✅ Solution: Internet Gateway

The Internet Gateway:

Acts as the bridge between your VPC and the internet
Provides routing + translation support

3️⃣ What Exactly Does an Internet Gateway Do?

An IGW performs two critical functions:

🔹 1. Route Target for Internet Traffic

The IGW acts as a target in route tables.

Example:

0.0.0.0/0 → Internet Gateway

This tells AWS:

“Send all unknown traffic to the internet through IGW”

🔹 2. Public IP Translation (One-to-One NAT)

The IGW performs NAT for public IPv4 addresses:

Maps public IP ↔ private IP
For instances that have a public IP

This is NOT the same as NAT Gateway.

4️⃣ Important Characteristics of Internet Gateway

Feature	IGW
Managed by AWS	✅ Yes
Scalable	✅ Automatically
Highly available	✅ Yes
Attached to VPC	✅ One IGW per VPC
Stateful	❌ No
Firewall	❌ No

5️⃣ Internet Gateway vs NAT Gateway (High-Level)

Feature	IGW	NAT Gateway
Direction	Inbound + Outbound	Outbound only
Used by	Public subnets	Private subnets
Requires public IP	Yes	No
Accepts inbound traffic	Yes	No

6️⃣ How Internet Gateway Works (Traffic Flow)

Let’s break this into clear packet-level flow.

🟢 Scenario: Public EC2 Accessing Internet

Assume:

VPC CIDR: 10.0.0.0/16
Public Subnet: 10.0.1.0/24
EC2 private IP: 10.0.1.10
EC2 public IP: 3.110.45.21

Step-by-Step Flow (Outbound)

1️⃣ EC2 sends request

Source IP: 10.0.1.10
Destination IP: 142.250.195.14 (google.com)

2️⃣ Route Table Check

Route table has:

0.0.0.0/0 → IGW

So traffic is sent to IGW.

3️⃣ Internet Gateway Translation

IGW replaces:

Source IP: 10.0.1.10 → 3.110.45.21

4️⃣ Traffic goes to Internet

Internet sees request from:

3.110.45.21

Step-by-Step Flow (Inbound Response)

5️⃣ Internet responds

Destination IP: 3.110.45.21

6️⃣ IGW maps back

IGW maps:

3.110.45.21 → 10.0.1.10

7️⃣ Security Group Check

Inbound traffic allowed only if:

Security Group allows it

✔ Connection successful ✔ EC2 accessed internet

7️⃣ Conditions Required for Internet Access (VERY IMPORTANT)

For an EC2 instance to access the internet via IGW, ALL must be true:

✅ 1. Internet Gateway attached to VPC

✅ 2. Route table has `0.0.0.0/0 → IGW`

✅ 3. EC2 has a public IPv4 address

✅ 4. Security Group allows traffic

✅ 5. NACL allows traffic

❗ Missing any one → No internet

8️⃣ Public Subnet Explained Using IGW

A public subnet is NOT special by name.

A subnet is public only if:

Its route table points to an Internet Gateway

0.0.0.0/0 → IGW

9️⃣ Private Subnet and IGW

Private subnets:

Do NOT have a route to IGW
Use NAT Gateway instead

❗ If a private subnet points to IGW:

It becomes public

🔟 Internet Gateway and Security

Important Clarification:

Internet Gateway does NOT provide security.

It does:

Routing
Address translation

It does NOT:

Block traffic
Inspect packets
Act like firewall

Security is enforced by:

Security Groups
NACLs
AWS WAF

1️⃣1️⃣ Internet Gateway vs Firewall (Common Confusion)

Feature	IGW	Firewall
Allows internet access	✅ Yes	❌ No
Filters traffic	❌ No	✅ Yes
Route traffic	✅ Yes	❌ No

1️⃣2️⃣ Attaching an Internet Gateway

Steps:

Create IGW
Attach to VPC
Update route table

Without step 3: ❌ No internet

1️⃣3️⃣ Internet Gateway Limitations

One IGW per VPC
No security rules
No traffic logging
No inbound restriction by itself

1️⃣4️⃣ Common AWS Exam Traps

❓ EC2 has public IP but no internet

➡ Route table missing IGW

❓ Private EC2 reachable from internet

➡ Impossible via IGW alone

❓ IGW attached but still no access

➡ Security Group / NACL issue

1️⃣5️⃣ Internet Gateway with IPv6

For IPv6:

IGW provides direct routing
No NAT required
Public IPv6 addresses are globally routable

1️⃣6️⃣ Real-World Analogy

Internet Gateway = Main Gate of a Society

Only one gate
All outsiders enter here
Security guards (SG/NACL) decide entry
Roads (route tables) guide traffic

1️⃣7️⃣ One-Line Exam Definition

An Internet Gateway is a horizontally scaled, highly available AWS component that enables communication between a VPC and the internet.

1️⃣8️⃣ Key Differences Summary

Component	Purpose
IGW	Internet access
Route Table	Traffic direction
SG	Instance security
NACL	Subnet security
NAT Gateway	Private outbound access

1️⃣9️⃣ Final Summary (Very Important)

IGW connects VPC to internet
Required for public subnets
Works with route tables
Requires public IP
Does not provide security
Essential AWS networking component

2️⃣0️⃣ Mental Model to Remember

EC2 → Route Table → Internet Gateway → Internet