For the NAT Gateway example in this section, how can the traffic from the private subnet 10.0.2.0 go to the public subnet 10.0.1.0? And the 0.0.0.0/0 route in the default route table (targeting the newly created NAT Gateway), is it referring to the traffic from the Internet going to the NAT gateway (if there is no more specific route in the route table)? A little confused about the setup.
The public subnet needs to permit the traffic in via NACL to allow the traffic to reach the NATGW. Since Security Groups don’t apply to NATGWs, they don’t come into play. In general, the NATGW will source NAT/proxy the traffic it receives before going to the internet, which makes it the destination for the return traffic from the internet. Functionally it will pass its external elastic IP to the internet gateway. The Internet gateway uses the elastic IP as the one-to-one NAT onto the internet. This NAT/proxy pattern allows the return traffic to get back to the correct instances that make up the NATGW and eventually the EC2 instance. Let me know if this isn’t clear or what you were asking.
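To make the forwarding path in the reply above concrete, here is an added example (not code from the original thread or from AWS) that models the two route tables, the public-subnet NACL, the NAT gateway's source NAT, and the internet gateway's one-to-one Elastic IP mapping. The subnet CIDRs come from the question; the NAT gateway's private address (10.0.1.10), the Elastic IP (203.0.113.7), the remote host, and all port numbers are constructed. It shows that the 0.0.0.0/0 route only applies to packets leaving the private subnet for destinations the more specific local route does not cover, and that return traffic from the internet reaches the instance only through the NAT gateway's connection table.

```python
import ipaddress
from itertools import count

# Constructed topology: subnet CIDRs from the question, everything else assumed.
VPC_CIDR = "10.0.0.0/16"
NATGW_PRIVATE_IP = "10.0.1.10"   # NAT gateway ENI inside the public subnet (assumed)
NATGW_EIP = "203.0.113.7"        # Elastic IP attached to the NAT gateway (constructed)

# Route tables as (destination CIDR, target). VPC routing uses longest-prefix match,
# so the "local" route always wins for intra-VPC destinations.
ROUTE_TABLES = {
    "private": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-gw")],
    "public":  [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")],
}

# Public-subnet NACL inbound rules as (rule number, source CIDR, action); lowest number wins.
PUBLIC_NACL_INBOUND = [
    (100, VPC_CIDR, "allow"),      # private-subnet traffic must be allowed in to reach the NATGW
    (110, "0.0.0.0/0", "allow"),   # return traffic from the internet (ephemeral ports in practice)
    (32767, "0.0.0.0/0", "deny"),  # implicit default deny
]


def lookup_route(table_name, dst_ip):
    """Longest-prefix match over a route table; returns the target or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_allows(rules, src_ip):
    """Evaluate NACL rules in ascending rule-number order; first match decides."""
    src = ipaddress.ip_address(src_ip)
    for _, cidr, action in sorted(rules):
        if src in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


class NatGateway:
    """Minimal model of the source NAT and connection tracking a NAT gateway performs."""

    def __init__(self, private_ip, eip):
        self.private_ip = private_ip
        self.eip = eip
        self._ports = count(1024)
        # (remote ip, remote port, translated port) -> (original ip, original port)
        self.table = {}

    def snat(self, src_ip, src_port, dst_ip, dst_port):
        nat_port = next(self._ports)
        self.table[(dst_ip, dst_port, nat_port)] = (src_ip, src_port)
        return self.private_ip, nat_port

    def unsnat(self, remote_ip, remote_port, nat_port):
        return self.table.get((remote_ip, remote_port, nat_port))


def trace_outbound(natgw, src_ip, src_port, dst_ip, dst_port):
    """Follow a packet from a private-subnet instance; returns the hops and the source seen on the wire."""
    path = ["instance"]
    if lookup_route("private", dst_ip) == "local":
        path.append("local")          # VPC router delivers directly, no NAT involved
        return {"path": path, "wire_src": (src_ip, src_port)}
    # 0.0.0.0/0 -> nat-gw: the packet enters the public subnet, so its NACL applies
    if not nacl_allows(PUBLIC_NACL_INBOUND, src_ip):
        path.append("dropped by public-subnet NACL")
        return {"path": path, "wire_src": None}
    path.append("nat-gw")
    _, nat_port = natgw.snat(src_ip, src_port, dst_ip, dst_port)
    if lookup_route("public", dst_ip) != "igw":
        raise RuntimeError("public route table must send internet traffic to the IGW")
    path.append("igw")
    # The IGW maps the NAT gateway's private IP one-to-one onto its Elastic IP
    return {"path": path, "wire_src": (natgw.eip, nat_port)}


def trace_return(natgw, remote_ip, remote_port, dst_ip, dst_port):
    """Follow a packet arriving from the internet addressed to the NAT gateway's EIP."""
    path = ["igw"]
    if dst_ip != natgw.eip:
        path.append("no EIP mapping; dropped")
        return {"path": path, "delivered_to": None}
    path.append("nat-gw")
    orig = natgw.unsnat(remote_ip, remote_port, dst_port)
    if orig is None:                  # unsolicited inbound: nothing in the connection table
        path.append("no connection-table entry; dropped")
        return {"path": path, "delivered_to": None}
    path.append("local")              # instance is inside the VPC CIDR, local route delivers it
    return {"path": path, "delivered_to": orig}


if __name__ == "__main__":
    gw = NatGateway(NATGW_PRIVATE_IP, NATGW_EIP)
    print(trace_outbound(gw, "10.0.2.25", 40000, "198.51.100.9", 443))
    print(trace_return(gw, "198.51.100.9", 443, NATGW_EIP, 1024))
    print(trace_outbound(gw, "10.0.2.25", 40000, NATGW_PRIVATE_IP, 22))
```

Running it traces an instance at 10.0.2.25 to a constructed remote host: the private route table's 0.0.0.0/0 entry hands the packet to the NAT gateway, the public NACL admits it, the source becomes the gateway's Elastic IP at the IGW, and the reply is delivered back to 10.0.2.25 only because the NAT gateway still holds the connection entry. A packet to 10.0.1.10 never touches the NAT gateway because the 10.0.0.0/16 local route is more specific than 0.0.0.0/0.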