A Guide to NAT Gateway

By Ryan Cassily, Solutions Architect

What it is, how it works, when to use it, and how to optimize it.

Network Address Translation (NAT) has been around for a long time, playing a critical role in extending the lifespan of IPv4 as well as providing breathing room for deploying IPv6. Enterprises have been using it for decades in their corporate and data center networks as an integral part of their network management and security portfolio.

As organizations change the way they use cloud-based services, IT teams look to tighten their security while scaling their private subnets with ease. To solve this problem, NAT gateway is a natural addition to their network. We look at how it works, when to use it, and how you can get more from it.

What is a NAT gateway?

A Network Address Translation (NAT) gateway allows your resources located in a private subnet to safely access the public internet and other external resources, without allowing inbound connections back to them. These resources are virtual machines (VMs) like databases, app servers, or even managed services, often running with extensive data requirements.

Acting as a conduit, a NAT gateway essentially translates private IP addresses to public ones for outbound traffic.

How do NAT gateways work?

Say a resource in one of your private subnets needs to download an update from the internet. The NAT gateway receives and handles that request, replacing the resource's private source IP with its own public IP before sending the request out, then returning the response to the resource. Only solicited inbound responses are allowed, so your resource receives the required update but any other inbound requests are denied.

NAT gateway offerings from major cloud providers

AWS

AWS provides both public and private NAT gateways. Public (default) instances allow resources in a private subnet to connect to the internet by translating the private source IP address to a public IP address. The instances can’t receive unsolicited inbound connections from the internet.

Private instances allow resources in a private subnet to connect to other VPCs or your on-premises network through a private NAT gateway, but the instances can’t receive unsolicited inbound connections from the other VPCs or the on-premises network.

Both instances are highly scalable and managed by AWS, supporting 5 Gbps bandwidth and automatically scaling up to 100 Gbps.

Azure

Azure NAT Gateway is attached to your VNet subnet and doesn’t require any additional routing configurations. It allows you to initiate connections from your virtual network to the internet while blocking unsolicited inbound connections. Each NAT Gateway automatically scales up to 50 Gbps.

Google Cloud

Google Cloud NAT provides both public and private NAT types. Public NAT allows internal virtual machines with private IP addresses to reach destinations on the internet while also blocking unsolicited traffic; private NAT allows internal virtual machines to communicate between VPC networks.

Google Cloud NAT auto-scales to accommodate egress bandwidth limits for routing outside a VPC network per-instance, up to 25 Gbps.

Oracle

Oracle NAT Gateway attaches to a Virtual Cloud Network (VCN) and allows outbound connectivity to the internet from a private network while blocking unsolicited traffic. You can configure only one NAT Gateway per VCN, which supports up to 20,000 concurrent connections to a single destination.

There is no cost for the NAT Gateway itself; however, there is an outbound data charge.

Benefits of NAT gateway

  • Tighter security: Keeps private resources hidden from the internet while still allowing outbound traffic.
  • High availability: Can operate across multiple fault-isolated zones or data centers (e.g. AWS Availability Zones).
  • Simplified management: Typically offered as a managed service, reducing maintenance and operational overhead.
  • Consistent outbound identity: Uses a fixed public IP address for all outbound traffic, making access control and allow-listing easier.
  • Better performance: Designed to handle large volumes of network traffic automatically.
  • Seamless integration: Works easily with virtual networks, route tables, and hybrid connectivity setups in any cloud environment.

When to use NAT gateway

If your organization is mid- to enterprise-sized and moves a lot of data, NAT gateway is worth implementing. Key use cases include:

  • Private instance internet access: Allow EC2 instances in private subnets to access the internet for updates, patches, or software downloads.
  • Access external APIs or services: Enable backend servers to call external APIs or third-party services without exposing their IPs.
  • Secure data transfer: Let private resources send data to the internet (e.g. upload to S3 or external analytics) while preventing inbound access.
  • Hybrid connectivity: Support on-premises systems that connect to cloud resources through a VPN or Direct Connect, where only outbound internet access is required.
  • Compliance or security isolation: Maintain strict network segmentation for compliance while still allowing outbound connectivity for controlled operations.
  • Managed service access: Allow private subnets to connect to public endpoints without giving the instances public IPs.

How to deploy NAT Gateway

NAT Gateway needs to be deployed through your cloud provider (if they offer this) or a third-party provider like Megaport.

Megaport NAT Gateway offers a seamless deployment and management experience directly from the Megaport Portal. Provision in minutes and get central visibility alongside your other Megaport services for simpler network admin and resource monitoring.

Beyond the basic usage statistics displayed in the portal for all Megaport services, users requiring more in-depth insights and advanced service monitoring capabilities can also use the comprehensive suite of Megaport API endpoints. These powerful tools allow users to programmatically access detailed statistics, configure service parameters, and integrate NAT gateway monitoring into their existing network management systems.

An API-first approach provides the flexibility needed for large-scale deployments, automation, and complex operations, giving users complete control and transparency over their NAT gateway performance and usage.

How to optimize NAT Gateway

Performance

Look for a provider that offers multiple performance tiers you can move between virtually to scale with your needs. Megaport NAT Gateway’s performance options make it easy to cater to any deployment scenario – from cloud provider internet access to connectivity between overlapping IP address space.

Security

To optimize the security of your NAT gateway, pair it with strict egress filtering to control what your private resources can reach on the internet. This covers the outbound portion of your setup.


Megaport NAT Gateway allows connectivity to be initiated from your private subnets (located in a cloud provider network) to the internet, while blocking unsolicited inbound internet traffic from reaching your private networks. Combine this with firewall service chaining from Megaport Virtual Edge (MVE) for multi-layered protection.
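The translation behavior described under "How do NAT gateways work?" combined with the egress filtering recommended in this section, as an added Python example (a toy model, not Megaport's or any cloud provider's code). The `NatGateway` class, the sequential port allocation, the per-destination reply matching, and all addresses are assumptions made for illustration; real gateways also expire idle mappings.

```python
import ipaddress

class NatGateway:
    """Toy source-NAT gateway: one public IP, a translation table, an egress allow-list."""

    def __init__(self, public_ip, egress_allow, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.egress_allow = [ipaddress.ip_network(n) for n in egress_allow]
        self.next_port, self.max_port = port_range
        self.out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port, dst_ip, dst_port):
        """Translate an outbound packet; return the rewritten 4-tuple, or None if filtered."""
        dst = ipaddress.ip_address(dst_ip)
        if not any(dst in net for net in self.egress_allow):
            return None  # egress filter: destination is not allow-listed
        key = (priv_ip, priv_port, dst_ip, dst_port)
        if key not in self.out:
            if self.next_port > self.max_port:
                raise RuntimeError("NAT port exhaustion")
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (priv_ip, priv_port)
            self.next_port += 1
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the private (ip, port) for a solicited reply, or None to drop."""
        return self.back.get((dst_port, src_ip, src_port))


def demo():
    # Constructed sample addresses: RFC 1918 private hosts, RFC 5737 documentation ranges.
    gw = NatGateway("203.0.113.10", egress_allow=["198.51.100.0/24"])
    sent = gw.outbound("10.0.1.5", 40000, "198.51.100.20", 443)
    reply = gw.inbound("198.51.100.20", 443, sent[1])   # reply from the contacted server
    probe = gw.inbound("192.0.2.99", 443, sent[1])      # unsolicited source, same public port
    blocked = gw.outbound("10.0.1.5", 40001, "192.0.2.99", 443)  # destination not allow-listed
    return sent, reply, probe, blocked

if __name__ == "__main__":
    print(demo())
```

The `blocked` case is the one NAT alone does not cover: without the allow-list check, the gateway would translate and forward traffic to any destination a private resource chose.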

Cost

Cost is the big conversation here. NAT gateways are a metered service, meaning their costs balloon with scale. For businesses moving huge amounts of data, the costs associated with NAT can grow exponentially if left unchecked.

Between hyperscaler egress fees and the inherent inefficiencies of traditional connectivity solutions, enterprises can be left with an eye-watering data bill—often over $5 million (and sometimes up to $50 million) per annum—thanks to:

  • Compounding egress fees: Every GB you move out of a hyperscaler network costs you money. At scale, these fees can become astronomical.
  • Inefficient scaling: While some solutions work well at a smaller size, pricing models don’t always scale efficiently with your growth.
  • Locked vendor pricing: Traditional cloud providers dictate your NAT costs, limiting flexibility and potential savings.

Again, by far the easiest and most efficient way to reduce and manage costs is to introduce a private connectivity solution for your underlying connectivity, so you don’t have to pay hyperscaler rates. This caps your fees, becoming incredibly cost-effective when you’re managing and moving large amounts of data.

Megaport NAT Gateway

If you’re running a high-volume software operation, managing enterprise-scale cloud infrastructure, or dealing with petabytes of NAT traffic, you’ll see significant cost savings with Megaport NAT Gateway – up to 70% or even more.

  • Scalable cost savings: While smaller workloads may have a breakeven point, the bigger your NAT needs, the more you save. For example, a business handling 1 petabyte of data a month can save over $78,000, or 76% of its NAT bill, monthly – translating to nearly $1 million in annual savings.
  • Drastically lower egress fees: Instead of paying hyperscaler rates, you can take advantage of Megaport’s more cost-effective network backbone to reduce expensive ingress and egress charges.
  • High availability and scalability: Our solution is built to handle enterprise-scale workloads while maintaining network resilience, with 1,100+ global locations and available bandwidth of up to 100G.
  • Flexibility to grow with you: With our vendor-neutral, scalable network underlay, you’re never locked into a single provider’s pricing and your network can simply grow alongside your business needs.

Discover Megaport NAT Gateway.
