
To start, I’m a bit of a beginner to AWS, so excuse my ignorance.

So let's say you have EC2 instances in a private subnet that need to download files from the internet. Can we use a NAT gateway for this? The reason I ask is because the NAT Gateway docs say:

"Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet."

If this is the case, then how would documents be downloaded from the internet? Maybe my concept of how the connections work is wrong; if so, please correct me.

This is just an exam question; I'd love to get some insight on this (I've tried reading up on the docs, but didn't find an answer to this yet).

2 Answers


  1. Downloading files from the Internet

    Instance initiates connection: the instance in the private subnet sends a request to the internet (e.g., an HTTP request to download a file). The NAT Gateway translates the private IP address of the instance to the public IP address of the NAT Gateway. It then forwards the request to the internet.

    Response: the server on the internet responds to the request. This response is sent back to the public IP address of the NAT Gateway. The NAT Gateway receives the response, translates the destination address from its public IP back to the private IP of the instance, and forwards the response to the instance in the private subnet.

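The two-step flow in the answer above is ordinary connection-tracking source NAT, which is also why the docs can say "no unsolicited inbound" without contradicting "can download files": a reply is matched against a mapping the instance's own outbound packet created, while a packet with no such mapping has nowhere to go. The toy model below is an added illustration and not AWS code; the addresses and ports are constructed, and the real NAT gateway's internal table is not something AWS exposes.

```python
"""Toy model of the translation table a NAT gateway keeps per outbound flow.

Added illustration, not AWS code. All IPs/ports are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatGateway:
    """Source NAT keyed on (gateway port, remote ip, remote port)."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = first_port
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self._table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> internet: rewrite the source to the gateway's public IP
        and remember the mapping so the reply can be matched later."""
        public_port = self._next_port
        self._next_port += 1
        self._table[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: only a packet that matches an existing outbound
        mapping is translated back; anything unsolicited is dropped (None)."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        target = self._table.get(key)
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.payload)


def download_example():
    """Walk one download and one unsolicited inbound packet through the gateway."""
    nat = NatGateway("203.0.113.10")  # constructed public IP (TEST-NET-3 range)
    # Instance in the private subnet asks a web server for a file.
    request = Packet("10.0.2.15", 40001, "198.51.100.7", 443, "GET /file.bin")
    on_the_wire = nat.outbound(request)  # what the server actually sees
    # The server replies to the gateway's public IP and port.
    reply = Packet("198.51.100.7", 443, on_the_wire.src_ip, on_the_wire.src_port, "<file bytes>")
    delivered = nat.inbound(reply)  # translated back to 10.0.2.15:40001
    # Someone on the internet tries to open a connection to the gateway on port 22.
    unsolicited = nat.inbound(Packet("192.0.2.99", 5555, "203.0.113.10", 22, "SYN"))
    return on_the_wire, delivered, unsolicited


if __name__ == "__main__":
    wire, got, dropped = download_example()
    print("server saw:", wire)
    print("instance got:", got)
    print("unsolicited inbound:", dropped)
```

The `unsolicited` case is the line in the docs the question quotes: the gateway holds no mapping for it, so it is discarded rather than forwarded to any private instance.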
  2. Yes, you can use a NAT Gateway. (But you also need an internet gateway)

    A NAT Gateway allows your private resources to communicate with the internet by mapping the source private IP address to the private IP address of the NAT gateway; the internet gateway then maps it to the associated public IP address of the NAT Gateway. When the NAT gateway receives a response, the NAT gateway translates the address back to the original source IP address.

    The NAT gateway is placed in a public subnet and you route the traffic to the internet gateway.
    The security groups and NACLs must be configured accordingly.


    If you want to connect to other AWS Services e.g. download these files from S3, you can also take a look at VPC Endpoints.
    VPC Endpoints allow you to communicate with AWS Services without the need for public IP addresses.


    Side note for networking stuff in AWS:

    In AWS you also have the option to check your network access using the Network Access Analyzer. You can configure a source and a target address, it checks if a connection is possible and then shows you exactly at which point the connection is not possible.

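The answer's parenthetical ("you also need an internet gateway") and its side note about the Network Access Analyzer are really the same point: the private subnet's route table sends `0.0.0.0/0` to the NAT gateway, and the NAT gateway's own (public) subnet must in turn send `0.0.0.0/0` to an internet gateway, so a missing route at either hop breaks the download. The toy route-table trace below is an added example in the spirit of that check; it is not AWS code and calls no AWS API, and the CIDRs and gateway IDs are constructed.

```python
"""Toy hop-by-hop trace through VPC route tables.

Added illustration, not AWS code. Route tables are plain dicts of
{destination CIDR: target}; IDs such as "igw-EXAMPLE" are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

RouteTable = Dict[str, str]

VPC_CIDR = "10.0.0.0/16"

# Public subnet: default route to the internet gateway.
PUBLIC_RT: RouteTable = {VPC_CIDR: "local", "0.0.0.0/0": "igw-EXAMPLE"}
# Private subnet: default route to the NAT gateway that lives in the public subnet.
PRIVATE_RT: RouteTable = {VPC_CIDR: "local", "0.0.0.0/0": "nat-EXAMPLE"}
# Common mistakes: no default route at all, or a "public" subnet with no IGW route.
PRIVATE_RT_NO_DEFAULT: RouteTable = {VPC_CIDR: "local"}
PUBLIC_RT_NO_IGW: RouteTable = {VPC_CIDR: "local"}


def lookup(route_table: RouteTable, dst: str) -> Optional[str]:
    """Longest-prefix match over the table, as a VPC route table does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(src_rt: RouteTable, dst: str,
          gateway_subnet_rts: Dict[str, RouteTable]) -> Tuple[bool, List[str]]:
    """Follow a packet from a subnet toward dst.

    gateway_subnet_rts maps a NAT gateway ID to the route table of the subnet
    it sits in, because the NAT gateway forwards using that subnet's routes.
    Returns (delivered, hops); the last hop names where the packet stopped.
    """
    hops: List[str] = []
    rt = src_rt
    while True:
        target = lookup(rt, dst)
        if target is None:
            hops.append("no route")
            return False, hops
        hops.append(target)
        if target == "local":          # destination is inside the VPC
            return True, hops
        if target.startswith("igw-"):  # reached the internet gateway
            return True, hops
        if target.startswith("nat-"):  # continue from the NAT gateway's subnet
            rt = gateway_subnet_rts[target]
            continue
        hops.append("unknown target")
        return False, hops


if __name__ == "__main__":
    internet_host = "198.51.100.7"  # constructed
    print(trace(PRIVATE_RT, internet_host, {"nat-EXAMPLE": PUBLIC_RT}))
    print(trace(PRIVATE_RT_NO_DEFAULT, internet_host, {"nat-EXAMPLE": PUBLIC_RT}))
    print(trace(PRIVATE_RT, internet_host, {"nat-EXAMPLE": PUBLIC_RT_NO_IGW}))
```

The third case is the one the answer warns about: the private subnet is routed correctly, but the NAT gateway's subnet has no internet gateway route, so the trace stops at the second hop rather than at the first. Security groups and NACLs are a separate layer that this model does not cover.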