AWS VPC: Internet Gateway vs NAT

This and this are quite related to my question. Although it seems to have answered quite a lot of people’s doubts, I am still struggling to understand if this setup is specific to AWS or in general networking. If its the latter, then I need to revisit my basics. I suspect that already and hence the question.

My understanding

If a private network is connected to the Internet, then its hosts need to have public IPs to be uniquely identifiable on the Internet. All the traffic to the internet, inbound or outbound, happens with this Public IP address. A host from this network when connected to the Internet gets a Public IP. A packet originating from this host to say will have the host’s private address in the packet which will ultimately get replaced by its public IP address by the NAT device (which is installed on the router/the default Gateway) which is as illustrated here. This is how most of the Internet (except IPV6) runs.

Now, in AWS

  • when you create a Public Subnet and enable auto-assign Public IPs, you are essentially informing the Internet Gateway to switch the private address of the EC2 instance with the public IP address of the EC2 instance in the request packets originating from this EC2 instance while routing its requests out on the internet and vice-versa on the way in. Is my understanding right?
  • when you create a Private Subnet (by not attaching it to the Internet Gateway), you are keeping it private. Then, we consciously make sure that we keep the auto-assign Public IP disabled. When we launch EC2 instances inside this private subnet, we, do not, therefore, get to see, the public IPs on the EC2 console. This also means that instances in this subnet are not visible to the internet. Now, if I connect this private subnet to a NAT device (which, of course, is on the public subnet) (please do not confuse me with what a NAT Gateway does better, at this moment), then, I am essentially, leaving the NAT device to figure out public IP to assign for a specific host X from the private subnet which has requested to communicate with the internet as a public IP is needed to communicate with the Internet.


    • Is this not something that a Router/(Internet) Gateway already and also does in AWS and in general networking? Isn’t the assignment of public IPs to hosts on a network and keeping replacing the private IP address with the public IP address in the packets (that originate from a host on this network) on their way out to the Internet is something that is carried out by a router?
    • Say the NAT device figures out the IP to be assigned to this host of the private subnet. If, “somehow”, this IP becomes known on the Internet, then this host on the private subnet should become reachable from the Internet, too, unless the NAT device pulls some trick (see follow up question). Is my understanding right? Now, AWS says that the NAT device does not allow inbound communication. Is that like a counter to the fact that even if the public IP (that the NAT device assigns to the host of this private subnet) becomes known, the inbound connections are force restricted?
    • Also, AWS allows you to enable auto-assign Public IPs on a private subnet, too. And I can confirm that I can see EC2 instances on private subnet with a Public IP. So, now you have a Private Subnet (as they are not connected to the Internet Gateway in the routing tables) with instances having a Public IP (as you enabled the auto-assign Public IPs on a private subnet). How is that supposed to be interpreted?