NAT (Network Address Translation) is one of the most critical networking concepts. It’s the reason your home network with private IPs can access the internet, and it’s fundamental to understanding cloud networking, firewalls, and security.The best analogy for NAT is a company receptionist handling phone calls. Employees (private IPs) all make outgoing calls, but the outside world only sees the company’s main phone number (public IP). The receptionist (NAT device) keeps a log: “Extension 204 is talking to Client X on line 3.” When Client X calls back, the receptionist checks the log and routes the call to extension 204. Without the receptionist, outsiders would have no idea how to reach a specific extension — and that is exactly the point.
Every device needs a public IP:Home:├── PC1: 203.0.113.1 (public)├── PC2: 203.0.113.2 (public)├── Phone: 203.0.113.3 (public)└── TV: 203.0.113.4 (public)Problem: ISP would need to give you 4+ public IPs Global IP exhaustion would happen much faster
Private IP Public IP192.168.1.10 ←────→ 203.0.113.10192.168.1.11 ←────→ 203.0.113.11192.168.1.12 ←────→ 203.0.113.12
Use Case: Servers that need consistent public IP (web servers, mail servers)Pros: Predictable, allows inbound connections
Cons: Doesn’t save IP addresses
Port Address Translation maps many private IPs to ONE public IP using port numbers. This is the type of NAT that makes the modern internet possible — it is what runs on your home router right now.
Private instance sends packet to internet (e.g., apt-get update)
Route table sends 0.0.0.0/0 traffic to NAT Gateway
NAT Gateway translates private IP to its Elastic IP
Response comes back to NAT Gateway
NAT Gateway translates back to private IP
Key Point: Private instances can reach OUT but internet cannot reach IN. This is the fundamental security model of cloud private subnets — your database servers can download security patches, but random internet traffic cannot reach them.
Cost awareness: AWS NAT Gateways charge per hour (~0.045/hr)plusper−GBdataprocessing(0.045/GB). In a busy environment, this adds up quickly. If your private instances are generating lots of outbound traffic (e.g., uploading to S3), consider using a VPC endpoint for S3 instead of routing through the NAT Gateway — it is both cheaper and faster.
Internet user wants to connect to your Minecraft server (port 25565)Without Port Forwarding:Internet → 203.0.113.50:25565 → Router → ??? (no mapping exists) ❌ DroppedWith Port Forwarding:Router config: External port 25565 → 192.168.1.100:25565Internet → 203.0.113.50:25565 → Router → 192.168.1.100:25565 ✓ Minecraft Server
Alice (behind NAT) Bob (behind NAT)192.168.1.10 192.168.1.20 │ │ NAT Router NAT Router203.0.113.10 198.51.100.20 │ │ └───────── Internet ────────────┘Problem: Neither can initiate connection to the other's private IP!
Port forwarding doesn’t work (you don’t control ISP’s NAT)
Slower due to double translation
Some games/VoIP may have issues
You might share public IP with hundreds of other customers
Troubleshooting NAT issues: If an application works for outbound connections but fails for inbound (hosting a game server, running a webcam), NAT is the likely culprit. Check these in order: (1) Verify your port forwarding rule matches the exact port and protocol (TCP vs UDP — a common mistake is forwarding TCP when the game uses UDP). (2) Check if you are behind CGNAT (your router’s WAN IP is in the 100.64.0.0/10 range) — if so, port forwarding from your router will not help because the ISP’s NAT sits in front of yours. (3) Test with nc -zv YOUR_PUBLIC_IP PORT from an external network to verify the port is actually reachable. (4) If behind CGNAT, your options are: request a static public IP from your ISP, use a VPN with port forwarding, or use a relay service.
# Check your router's WAN IP# If it's in 100.64.0.0/10, you're behind CGNAT# Your router's WAN IP: 100.64.x.x → CGNAT# Your router's WAN IP: Public IP → No CGNAT
People often confuse NAT with firewalls. They’re different:
Aspect
NAT
Firewall
Purpose
Address translation
Security filtering
Function
Rewrites IP/port
Allows/blocks traffic
Default Inbound
Drops (no mapping)
Configurable rules
Security
Side effect, not purpose
Primary purpose
NAT is NOT a security feature. It happens to block unsolicited inbound connections, but that’s a side effect of how it works, not a security guarantee. Think of it this way: a locked mailbox prevents random people from putting things in your house, but it was designed for mail delivery, not home security. A firewall is the deadbolt on your front door — purpose-built for protection. Always use a proper firewall.
Explain how PAT allows thousands of devices to share a single public IP. What are the limits?
Strong Answer:
PAT maps each outbound connection from a private IP:port pair to the public IP with a unique assigned port. When 192.168.1.10:54321 connects to Google, the router rewrites the source to 203.0.113.50:10001 and records the mapping. When Google responds to that public IP:port, the router translates back. The port number makes each connection unique.
The theoretical limit is 65,535 ports per protocol per destination. In practice, ephemeral ports are allocated from a narrower range. Each unique combination of public IP:port plus destination IP:port represents a separate connection.
Real-world limits are NAT table memory, CPU for translation, and port exhaustion. AWS NAT Gateways support 55,000 simultaneous connections per destination. I have seen environments hit this limit when an application opened thousands of short-lived HTTPS connections without connection pooling.
NAT also adds latency from table lookups and header rewrites. This is why AWS recommends VPC endpoints for high-throughput S3 access from private subnets — it bypasses NAT entirely.
Follow-up: Why does NAT break peer-to-peer, and how does WebRTC solve it?Both peers are behind NAT with no public IP:port the other can reach. NAT only creates entries for outbound connections. WebRTC uses ICE, which tries STUN first: each peer discovers their public IP:port via a STUN server, exchanges it through signaling, and attempts direct connection. This works for most NAT types. If STUN fails (symmetric NAT), ICE falls back to TURN, a relay server forwarding all traffic. About 80% of WebRTC connections succeed via STUN (direct, low latency), 20% need TURN (relayed, higher latency).
Is NAT a security feature? What is the difference between NAT and a firewall?
Strong Answer:
NAT’s purpose is address translation, not security. A firewall’s purpose is policy-based traffic filtering. They overlap because PAT inherently drops unsolicited inbound connections — with no matching NAT table entry, incoming packets are discarded.
However, calling NAT a security feature is misleading. NAT has no policy framework, no logging, no granular control. A firewall lets you define rules like “allow port 443 from 10.0.0.0/8, deny from everywhere else.” NAT’s implicit blocking is all-or-nothing. Port forwarding rules punch holes that NAT cannot control granularly.
Critically, if you rely on NAT for security and migrate to IPv6 (where NAT is unnecessary), you lose that implicit protection with no firewall rules in place.
Best practice: always deploy a proper firewall regardless of NAT. In AWS, security groups are your firewall, NAT Gateway handles translation. Separate services, separate responsibilities.
Follow-up: What is CGNAT and what problems does it cause?CGNAT puts you behind an additional ISP-level NAT using the 100.64.0.0/10 range. You are double-NATted: your device behind your router’s NAT, behind the ISP’s CGNAT. Problems include: port forwarding does not work (you cannot configure the ISP’s NAT), VPN and P2P degrade from double translation, IP-based geolocation breaks because you share a public IP with hundreds of customers, and gaming with strict NAT types suffers. Check by comparing your router’s WAN IP to whatismyip.com — if they differ and the WAN IP is in 100.64.x.x, you are behind CGNAT.
Your AWS bill shows high NAT Gateway data charges. How do you investigate and reduce cost?
Strong Answer:
Enable VPC Flow Logs on private subnets to identify which instances generate the most outbound NAT traffic. Aggregate by destination to find top traffic targets.
The most common culprit: instances accessing S3 through NAT instead of a free VPC Gateway Endpoint. Adding S3 and DynamoDB gateway endpoints can cut NAT bills by 60-80%. Traffic to other AWS services (SQS, SNS, ECR, CloudWatch) can go through Interface VPC Endpoints, also bypassing NAT.
Check for chatty monitoring agents sending metrics to external SaaS. Consider aggregating locally or using AWS-native monitoring. Check for health checks against external endpoints that could be internal.
NAT Gateway costs roughly 0.045/GBeachdirection.At10TB/month,thatis450/month in processing alone. Gateway endpoints are free for S3 and DynamoDB.
Follow-up: What is the difference between a Gateway Endpoint and an Interface Endpoint?Gateway endpoints are free, route-table-based, and only support S3 and DynamoDB. Traffic routes through a prefix list entry directly within AWS’s network. Interface endpoints use PrivateLink, creating an ENI with a private IP in your subnet. They support 100+ AWS services and third-party services. They have hourly (0.01/hrperAZ)andper−GB(0.01/GB) charges, but this is still cheaper than NAT Gateway fees for high-volume traffic. Rule of thumb: always create free S3/DynamoDB gateway endpoints, add interface endpoints when NAT traffic to a service exceeds a few hundred GB per month.
