NAT gateways let private subnet resources access the internet without accepting inbound connections. Your database can download patches, but the internet cannot connect to it.
Setup:
- Create NAT gateway in a public subnet
- Assign an Elastic IP to it
- Add route: to NAT gateway in private subnets
NAT gateway vs NAT instance:
- NAT gateways: managed, automatic scaling
- NAT instances: EC2 instances you manage yourself
High availability:
- NAT gateways exist in one AZ
- Create one per AZ for redundancy
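A routing audit for the setup and high-availability points above, as an added example that is not part of the original page. It assumes input shaped like the boto3 EC2 `describe_subnets`, `describe_nat_gateways` and `describe_route_tables` responses, and it assumes the private subnets' default route is `0.0.0.0/0`; every ID and AZ name is constructed sample data.

```python
# Constructed sample data shaped like boto3 EC2 describe_* responses (not real resources).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
]
ROUTE_TABLES = [  # route tables of the subnets that are meant to be private
    {"RouteTableId": "rtb-priv-ab",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-priv-c",
     "Associations": [{"SubnetId": "subnet-priv-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
]

def audit_nat_routing(subnets, nat_gateways, route_tables):
    """Return {subnet_id: finding} for each subnet explicitly associated with a route table."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A NAT gateway lives in the AZ of the public subnet it was created in.
    nat_az = {n["NatGatewayId"]: az_of.get(n["SubnetId"])
              for n in nat_gateways if n.get("State") == "available"}
    findings = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        for assoc in rt.get("Associations", []):
            sid = assoc.get("SubnetId")
            if sid is None:  # main-table association carries no SubnetId
                continue
            if default is None:
                findings[sid] = "no-default-route"
            elif default.get("GatewayId", "").startswith("igw-"):
                findings[sid] = "public-via-igw"  # subnet is not private at all
            elif default.get("NatGatewayId") not in nat_az:
                findings[sid] = "nat-missing-or-unavailable"
            elif nat_az[default["NatGatewayId"]] != az_of.get(sid):
                findings[sid] = "cross-az-nat"  # outbound access depends on another AZ
            else:
                findings[sid] = "ok"
    return findings

if __name__ == "__main__":
    print(audit_nat_routing(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES))
```

Here `subnet-priv-b` is flagged `cross-az-nat` because its only path out runs through the NAT gateway in `us-east-1a`, and `subnet-priv-c` is flagged because its default route points at an internet gateway.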
Monitor NAT gateway costs. Hourly charges plus data fees add up.