NAT Gateways in Thalassa Cloud VPCs
A NAT (Network Address Translation) Gateway enables outbound internet access for workloads running in subnets within a Virtual Private Cloud (VPC) in Thalassa Cloud. NAT Gateways allow instances deployed within a VPC to access external services while preventing inbound connections. They use source NAT (SNAT) to route traffic from private subnets to the public internet.
NAT Gateway Capabilities
Capability | Description |
---|---|
Outbound Internet Access | Allows resources in subnets to access the internet securely. |
Private Subnet Isolation | Prevents direct inbound traffic, ensuring a higher security posture. |
Automatic Address Translation (SNAT) | Handles automatic mapping of private IP addresses to public IPs for outbound traffic. |
High Availability | NAT Gateways operate within an entire region and are redundant across availability zones. |
Scalability | Supports high bandwidth throughput for handling multiple concurrent connections from workloads. |
NAT Gateway Behavior and Constraints
Enabling Outbound Connectivity
Private subnets in Thalassa Cloud do not have direct internet access by default. To allow instances in private subnets to communicate with external services (e.g., downloading updates, connecting to APIs), users must configure a NAT Gateway.
Subnet Association
A NAT Gateway is deployed within a subnet and is automatically assigned a public IP address. To enable outbound internet access, subnets must configure their route tables to direct outbound traffic to the NAT Gateway. This is done either in the associated custom route table or in the VPC’s default route table.
Security Considerations
- NAT Gateways only allow outbound traffic from the VPC’s subnets; they do not permit inbound connections.
- For services requiring inbound access, consider using a Load Balancer instead.
- Thalassa Cloud automatically assigns a public IP to the NAT Gateway but does not expose internal workloads.
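
Why SNAT gives outbound-only behavior, as an added example (a simplified model written for this page, not Thalassa Cloud's implementation): the gateway creates a translation entry only when a private workload opens a flow, so a packet arriving at the public IP without a matching entry has nowhere to go and is dropped. The class and function names, port range, addresses, and the per-remote-endpoint matching are assumptions of the model.

```python
"""Simplified model of SNAT at a NAT gateway (illustration only)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class SnatGateway:
    public_ip: str
    next_port: int = 20000  # constructed start of the translated port range
    # (private endpoint, remote endpoint) -> translated public port
    out_map: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # (public port, remote endpoint) -> private endpoint
    in_map: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the private source to the public IP and record the flow."""
        key = (src, dst)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, dst)] = src
        return (self.public_ip, self.out_map[key]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Return the private endpoint for a reply, or None (drop) if no flow exists."""
        if dst[0] != self.public_ip:
            return None
        return self.in_map.get((dst[1], src))


def demo() -> dict:
    # Constructed addresses: RFC 1918 private subnet, RFC 5737 documentation ranges.
    gw = SnatGateway(public_ip="203.0.113.10")
    vm = ("10.0.1.5", 44321)
    api = ("198.51.100.20", 443)
    translated_src, _ = gw.outbound(vm, api)
    return {
        "translated_src": translated_src,
        "reply": gw.inbound(api, translated_src),
        "unsolicited_same_port": gw.inbound(("192.0.2.77", 443), translated_src),
        "unsolicited_new_port": gw.inbound(api, (gw.public_ip, 22)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the reply from the remote endpoint the workload contacted is translated back to the private address; both unsolicited packets return `None`, which is the property that makes a Load Balancer necessary for inbound services.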