How do I migrate from a NAT instance to a NAT gateway?


I need to migrate from a NAT instance to a NAT gateway, and I want the migration done with minimal downtime.

Short description

When creating a migration plan, consider the following:

  • Do you plan to use the same Elastic IP address for the NAT gateway as currently used by the NAT instance? A new Elastic IP address might not be recognized by external clients.
  • Is your NAT instance performing other functions, such as port forwarding, custom scripts, providing VPN services, or acting as a bastion host? A NAT gateway allows instances in a private subnet to connect to the internet or other AWS services. Internet connections towards the NAT gateway are not allowed. It can’t be used for any other functions.
  • Have you configured your NAT instance security groups and your NAT gateway network access control lists (network ACLs) appropriately? You can use security groups on the NAT instance and network ACLs on the NAT instance subnet to control traffic to and from the NAT subnet. You can only use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located.
  • Do your current NAT instances provide high availability across Availability Zones? If so, you might want to create a Multi-AZ architecture. You can do this by creating a NAT gateway in each Availability Zone. Next, configure the private subnet route tables in each Availability Zone to use the NAT gateway from the same Availability Zone. Multi-AZ is useful if you want to avoid charges for inter-AZ traffic.
  • Do you have tasks running through the NAT instance? When the routing is changed from the NAT instance, existing connections are dropped, and the connections must be reestablished.
  • Does your architecture support testing the instance migrations individually? If so, migrate one NAT instance to a NAT gateway and check the connectivity before migrating other instances.
  • Do you allow incoming traffic from ports 1024 - 65535 on the NAT instance's network ACL? You must allow traffic from ports 1024 - 65535 because the NAT gateway uses these as source ports. To learn more, see VPC with public and private subnets (NAT).


  1. Disassociate the Elastic IP address from the existing NAT instance.
  2. Create a NAT gateway in the public subnet for the NAT instance that you want to replace. You can do this with the disassociated Elastic IP address, or with a new Elastic IP address.
  3. Review the route tables that refer to the NAT instance or the elastic network interface of the NAT instance. Then edit the route to point to the newly created NAT gateway instead.
    Note: Repeat this process for every NAT instance and subnet that you want to migrate.
  4. Access one of the Amazon Elastic Compute Cloud (Amazon EC2) instances in the private subnet and verify connectivity to the internet.

After you have successfully migrated to the NAT gateway and have verified connectivity, you can terminate the NAT instances.
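
Step 3 depends on finding every route that still targets the NAT instance or its elastic network interface. The following added example (not part of the original article or any AWS tooling) scans constructed `aws ec2 describe-route-tables` output and renders the matching `aws ec2 replace-route` commands. All IDs are made-up placeholders, and only IPv4 destinations are handled.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# Every ID below is a made-up placeholder, not a value from the article.
SAMPLE = json.loads("""
{"RouteTables": [
 {"RouteTableId": "rtb-aaaa1111", "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
   {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat00001",
    "NetworkInterfaceId": "eni-nat00001"}]},
 {"RouteTableId": "rtb-bbbb2222", "Routes": [
   {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-nat00001"}]},
 {"RouteTableId": "rtb-cccc3333", "Routes": [
   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-done0001"}]},
 {"RouteTableId": "rtb-dddd4444", "Routes": [
   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-pub00001"}]}
]}
""")


def routes_via_nat_instance(doc, instance_id, eni_ids):
    """Return (route_table_id, ipv4_destination) for each route whose target
    is the NAT instance or one of its elastic network interfaces."""
    targets = ({instance_id} | set(eni_ids)) - {None, ""}
    hits = []
    for table in doc["RouteTables"]:
        for route in table["Routes"]:
            route_targets = {route.get("InstanceId"), route.get("NetworkInterfaceId")}
            dest = route.get("DestinationCidrBlock")  # IPv4 only (assumption)
            if dest and route_targets & targets:
                hits.append((table["RouteTableId"], dest))
    return hits


def replace_route_plan(hits, nat_gateway_id):
    """Render one `aws ec2 replace-route` command per route to repoint."""
    return [
        f"aws ec2 replace-route --route-table-id {rtb} "
        f"--destination-cidr-block {dest} --nat-gateway-id {nat_gateway_id}"
        for rtb, dest in hits
    ]


if __name__ == "__main__":
    found = routes_via_nat_instance(SAMPLE, "i-nat00001", ["eni-nat00001"])
    # nat-new00001 is a placeholder for the gateway created in step 2.
    for command in replace_route_plan(found, "nat-new00001"):
        print(command)
```

Running the same scan again after the routes are edited should return an empty list, which confirms that no route table still depends on the NAT instance before you terminate it.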

Related information

Compare NAT gateways and NAT instances

Migrate from a NAT instance to a NAT gateway

NAT gateways

How do I set up a NAT gateway for a private subnet in Amazon VPC?

Troubleshoot NAT gateways

AWS OFFICIAL | Updated 2 years ago