If I have a private subnet that should not get traffic from the outside world (maybe only from a neighbouring subnet), why do I actually need a NAT in order to enable it to access the internet?
Why can’t I simply use the security group (and maybe even the NACL) to block all incoming HTTP/S requests, and allow traffic to flow out of the instances to the web?
In a private subnet, your machines don’t have any public IP, so having security groups or NACLs configured won’t help you connect your machines to the internet. They need a gateway to contact the internet. This is the job of your NAT.
Without a NAT, traffic from your instance cannot reach the internet. It is also a way to protect machines in your private network.
I hope this message helped you
Let’s think about the 2 types of NAT at play here. Destination NAT is what the IGW uses to ensure workloads in the Public subnets have a public IPv4 address mapped to their private IPv4 address. Normally this is a 1:1 NAT and each instance in a Public subnet (with a Public IP address assigned) will have an entry on the IGW.
The NAT gateway, on the other hand, uses Source NAT to translate outbound traffic from the Private subnet destined to the internet. If it doesn’t translate the traffic, then the Public IPv4 addresses will simply get dropped on the internet. This type of NAT is similar to what we all use with our home internet connections and is sometimes referred to as NAT overload. It is stateful in nature and normally inbound traffic is allowed only if there is an outbound NAT state created.
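The two answers above describe three behaviours: an instance with only a private address cannot talk to the internet on its own (first answer), the IGW does a static 1:1 mapping for instances that have a public IP (second answer), and the NAT gateway does stateful source NAT where return traffic is only admitted if an outbound entry exists (second answer). The following is an added example, not code from the thread or from AWS: a toy packet model in Python that makes those three behaviours concrete. All names (`Packet`, `InternetGateway`, `NatGateway`, `send_via_nat`) and the addresses used (RFC 1918 and documentation ranges) are constructed for illustration; a real NAT gateway also tracks protocol and timeouts, which this model omits.

```python
"""Toy model of why a private subnet needs a NAT gateway (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, replace

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in PRIVATE_NETS)


def internet_deliver(pkt: Packet):
    """The public internet. A packet with an RFC 1918 source has no route back,
    so it is dropped; otherwise a (constructed) web server answers it."""
    if is_private(pkt.src_ip):
        return None
    return Packet(src_ip=pkt.dst_ip, src_port=pkt.dst_port,
                  dst_ip=pkt.src_ip, dst_port=pkt.src_port, payload="HTTP/1.1 200 OK")


class InternetGateway:
    """1:1 static NAT for the public subnet: each instance that has a public IP
    gets a fixed private<->public entry. An instance with no entry cannot use it."""

    def __init__(self, private_to_public: dict):
        self.priv_to_pub = dict(private_to_public)
        self.pub_to_priv = {pub: priv for priv, pub in private_to_public.items()}

    def egress(self, pkt: Packet):
        if pkt.src_ip not in self.priv_to_pub:
            return None  # private-only instance: the IGW has no mapping for it
        return replace(pkt, src_ip=self.priv_to_pub[pkt.src_ip])

    def ingress(self, pkt: Packet):
        if pkt.dst_ip not in self.pub_to_priv:
            return None
        return replace(pkt, dst_ip=self.pub_to_priv[pkt.dst_ip])


class NatGateway:
    """Stateful source NAT (NAT overload / PAT): many private sources share one
    public IP, distinguished by the translated source port. Inbound packets are
    only accepted if an outbound flow created matching state."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (src_ip, src_port, dst_ip, dst_port) -> translated port
        self.inbound = {}   # (translated port, remote_ip, remote_port) -> (src_ip, src_port)

    def egress(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def ingress(self, pkt: Packet):
        state = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if state is None:
            return None  # unsolicited inbound: no NAT state, dropped
        orig_ip, orig_port = state
        return replace(pkt, dst_ip=orig_ip, dst_port=orig_port)


def send_without_nat(pkt: Packet):
    """Private-subnet instance sending straight out: no translation anywhere."""
    return internet_deliver(pkt)


def send_via_nat(nat: NatGateway, pkt: Packet):
    """Private-subnet instance -> NAT gateway -> internet -> NAT gateway -> instance."""
    reply = internet_deliver(nat.egress(pkt))
    return nat.ingress(reply) if reply is not None else None


if __name__ == "__main__":
    req = Packet("10.0.1.10", 40000, "93.184.216.34", 443, "GET / HTTP/1.1")
    print("without NAT:", send_without_nat(req))
    nat = NatGateway("203.0.113.5")
    print("via NAT:", send_via_nat(nat, req))
    print("unsolicited inbound:", nat.ingress(Packet("198.51.100.7", 12345, "203.0.113.5", 443)))
```

Running it shows the first request returns `None` (the reply never leaves the internet because the source was private), the second returns a reply addressed back to `10.0.1.10:40000`, and the unsolicited inbound packet is dropped because no outbound flow created state for it. The same `NatGateway` instance can carry two private hosts using the same source port, which is the "overload" the second answer refers to.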